From eb96830ee55c8ab7c6fa2d93443f38b274a3a258 Mon Sep 17 00:00:00 2001
From: naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Sun, 3 Jul 2022 00:30:40 +0000
Subject: [PATCH] chore: Set permissions for GitHub actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action.

https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/angular.yml | 3 +++
 .github/workflows/auto-pr.yml | 6 ++++++
 .github/workflows/build-and-test.yml | 3 +++
 .github/workflows/cancel-workflow.yml | 5 +++++
 .github/workflows/codeql-analysis.yml | 7 +++++++
 5 files changed, 24 insertions(+)

diff --git a/.github/workflows/angular.yml b/.github/workflows/angular.yml
index 0c0f8d5b6c..e42f3e58dd 100644
--- a/.github/workflows/angular.yml
+++ b/.github/workflows/angular.yml
@@ -10,6 +10,9 @@ on:
 branches:
 - 'rel-*'
 - 'dev'
+permissions:
+ contents: read
+
 jobs:
 build-test-lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/auto-pr.yml b/.github/workflows/auto-pr.yml
index 084b0977d0..081275ca08 100644
--- a/.github/workflows/auto-pr.yml
+++ b/.github/workflows/auto-pr.yml
@@ -3,8 +3,14 @@ on:
 push:
 branches:
 - rel-5.3
+permissions:
+ contents: read
+
 jobs:
 merge-rel-5-3-with-rel-5-2:
+ permissions:
+ contents: write # for peter-evans/create-pull-request to create branch
+ pull-requests: write # for peter-evans/create-pull-request to create a PR
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 0210efcec9..b88900019b 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -31,6 +31,9 @@ on:
 - 'templates/**/*.cshtml'
 - 'templates/**/*.csproj'
 - 'templates/**/*.razor'
+permissions:
+ contents: read
+
 jobs:
 build-test:
 runs-on: windows-latest
diff --git a/.github/workflows/cancel-workflow.yml b/.github/workflows/cancel-workflow.yml
index 78bbf94b3b..039943ad66 100644
--- a/.github/workflows/cancel-workflow.yml
+++ b/.github/workflows/cancel-workflow.yml
@@ -1,7 +1,12 @@
 name: cancel-workflow
 on: [push]
+permissions:
+ contents: read
+
 jobs:
 cancel:
+ permissions:
+ actions: write # for styfle/cancel-workflow-action to cancel/stop running workflows
 name: 'Cancel Previous Runs'
 runs-on: ubuntu-latest
 timeout-minutes: 3
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 7aaad739e9..e3127f21b1 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -24,8 +24,15 @@ on:
 - 'abp/**/*.csproj'
 - 'abp/**/*.razor'
+permissions:
+ contents: read
+
 jobs:
 analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
 name: Analyze
 runs-on: ubuntu-latest
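Review bot: The inline comments on the job-level `permissions` entries in auto-pr.yml (`contents: write # for peter-evans/...`, `pull-requests: write # for ...`) leave only one space before `#`; yamllint's `comments` rule expects at least two, so `contents: write  # for peter-evans/create-pull-request to create branch` and likewise for `pull-requests`. The same spacing applies to the job-level comments added in cancel-workflow.yml and codeql-analysis.yml in this patch. Worth noting in a comment on this job that a job-level `permissions` block replaces the workflow-level `contents: read` rather than extending it, so `contents: write` here is the job's entire contents grant. The steps of merge-rel-5-3-with-rel-5-2 continue outside the hunk.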
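Review bot: The job-level block added to the `cancel` job in cancel-workflow.yml grants only `actions: write`, which means this job does not receive the workflow-level `contents: read` at all; that appears intended, since the comment says the job only cancels running workflows, but the omission is easy to misread as an oversight. A short comment would make it explicit, e.g. `# job-level permissions replace the workflow-level set; no repository contents access is needed here`. The job's steps are outside the hunk, so whether any step checks out the repository cannot be confirmed from this view.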
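Review bot: The comment on `security-events: write` in codeql-analysis.yml attributes the permission to `github/codeql-action/autobuild` sending a status report, but the main consumer of that permission is normally the step that uploads SARIF results to code scanning (the analyze step), which the comment does not mention. Since the job's steps are outside the hunk, the exact step list cannot be confirmed here; a comment that does not pin it to one step would be safer, e.g. `security-events: write  # for github/codeql-action steps to report status and upload analysis results`. The `actions: read` and `contents: read` lines are consistent with the job-level block replacing the workflow-level set, so keeping `contents: read` here is necessary, not redundant.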