From fd8af163ba785520e112f5d1f5cb0f52d4ceafb8 Mon Sep 17 00:00:00 2001
From: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Wed, 8 Jun 2022 01:25:16 -0500
Subject: [PATCH] ci: Set permissions for GitHub actions (#17102)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

chore: Set permissions for GitHub actions

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action.

https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/docker-release.yml | 5 +++++
 .github/workflows/docs-checker.yml | 3 +++
 .github/workflows/patch-mariadb-tests.yml | 3 +++
 .github/workflows/release.yml | 3 +++
 .github/workflows/server-mariadb-tests.yml | 3 +++
 .github/workflows/server-postgres-tests.yml | 3 +++
 .github/workflows/ui-tests.yml | 3 +++
 7 files changed, 23 insertions(+)

diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index dba13f9358..988c2dcc6c 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -2,8 +2,13 @@ name: 'Trigger Docker build on release'
 on:
 release:
 types: [released]
+permissions:
+ contents: read
+
 jobs:
 curl:
+ permissions:
+ contents: none
 name: 'Trigger Docker build on release'
 runs-on: ubuntu-latest
 container:
diff --git a/.github/workflows/docs-checker.yml b/.github/workflows/docs-checker.yml
index 5e91063698..a0f77b43fd 100644
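Review bot: The job-level `permissions:` added under `curl` replaces the workflow-level block rather than merging with it, so this job's GITHUB_TOKEN ends up with `contents: none` and the `contents: read` at the top only serves as the default for any job added later; a comment saying so would save the next reader a trip to the docs. With `contents: none` the job cannot run `actions/checkout` or read the repository at all, which is presumably fine if it only issues an outbound request, but the job's steps run past the end of the hunk so I cannot confirm that. I would add above the job block: `# Overrides the workflow default: this job needs no repository access at all.`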
--- a/.github/workflows/docs-checker.yml +++ b/.github/workflows/docs-checker.yml @@ -3,6 +3,9 @@ on: pull_request: types: [ opened, synchronize, reopened, edited ] +permissions: + contents: read + jobs: docs-required: name: 'Documentation Required' diff --git a/.github/workflows/patch-mariadb-tests.yml b/.github/workflows/patch-mariadb-tests.yml index c8294886a0..224e380925 100644 --- a/.github/workflows/patch-mariadb-tests.yml +++ b/.github/workflows/patch-mariadb-tests.yml @@ -7,6 +7,9 @@ concurrency: group: patch-mariadb-develop-${{ github.event.number }} cancel-in-progress: true +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 93d43ddedf..e9936482b0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -3,6 +3,9 @@ on: push: branches: - version-14-beta +permissions: + contents: read + jobs: release: name: Release diff --git a/.github/workflows/server-mariadb-tests.yml b/.github/workflows/server-mariadb-tests.yml index 4edf74ba71..48104b8f16 100644 --- a/.github/workflows/server-mariadb-tests.yml +++ b/.github/workflows/server-mariadb-tests.yml @@ -11,6 +11,9 @@ concurrency: cancel-in-progress: true +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest diff --git a/.github/workflows/server-postgres-tests.yml b/.github/workflows/server-postgres-tests.yml index 895af5184e..241b7ddf96 100644 --- a/.github/workflows/server-postgres-tests.yml +++ b/.github/workflows/server-postgres-tests.yml @@ -10,6 +10,9 @@ concurrency: group: server-postgres-develop-${{ github.event.number }} cancel-in-progress: true +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml index fc8093444e..06ad921a6a 100644 --- a/.github/workflows/ui-tests.yml +++ b/.github/workflows/ui-tests.yml 
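Review bot: `contents: read` is the right floor for this pull_request-triggered test workflow, but the hunk does not say what happens to a step that writes back with GITHUB_TOKEN (a step that comments on the PR, for instance, would now get a 403), and the `test` job's steps run past the end of the hunk so I cannot confirm none does. Where such a step exists the fix is a job-level `permissions:` granting only that scope, not a wider workflow default. I would document the intent next to the new block: `# GITHUB_TOKEN is read-only for this workflow; grant extra scopes per job, never here.` The same applies to the identical hunks in server-mariadb-tests.yml, server-postgres-tests.yml and ui-tests.yml. It is also worth stating in that comment that for pull requests from forks the token was already read-only, so this change mainly hardens same-repository branch runs.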
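Review bot: A workflow-level `contents: read` means the `release` job's GITHUB_TOKEN can no longer create tags, releases or commits, which a job by that name usually does; if it authenticates with a dedicated secret the restriction is correct, but the hunk does not show which credential the job uses, and its steps run past the end of the hunk. If it does rely on GITHUB_TOKEN, the fix is a job-level block under `release:` that grants exactly the needed write scope, `permissions:` / `  contents: write`, rather than widening the workflow default. Either way a comment beside the new block should name the credential that performs the release so a later change does not loosen this again.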
@@ -10,6 +10,9 @@ concurrency: group: ui-develop-${{ github.event.number }} cancel-in-progress: true +permissions: + contents: read + jobs: test: runs-on: ubuntu-latest