From 2d900d4848b97afffdf0e626a60de2276f434d59 Mon Sep 17 00:00:00 2001
From: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Tue, 31 May 2022 21:53:50 -0500
Subject: [PATCH] chore: Set permissions for GitHub actions (#9891)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/preview-build.yml | 3 +++
 .github/workflows/preview-deploy.yml | 11 +++++++++++
 .github/workflows/preview-start.yml | 6 ++++++
 .github/workflows/rebase.yml | 6 ++++++
 5 files changed, 29 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 101ea9ea..14883fb7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,6 +2,9 @@ name: Node CI
 
 on: [push, pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/preview-build.yml b/.github/workflows/preview-build.yml
index e90dae65..d8667a5d 100644
--- a/.github/workflows/preview-build.yml
+++ b/.github/workflows/preview-build.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   build-preview:
     runs-on: ubuntu-latest
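Review bot: The workflow-level `permissions:` block added to ci.yml (and the identical one in preview-build.yml) carries no comment, while the job-level grants elsewhere in this commit each explain which action needs the scope; a maintainer later adding a step that needs more than checkout will not see that the restriction is deliberate. A comment such as `# least privilege: jobs only need to check out the repo; grant extra scopes per job` above `permissions:` would record the intent. Whether the `build` and `build-preview` jobs really need only `contents: read` cannot be confirmed here, since their steps lie outside the hunks.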
diff --git a/.github/workflows/preview-deploy.yml b/.github/workflows/preview-deploy.yml
index 11c9ff54..5fc642fb 100644
--- a/.github/workflows/preview-deploy.yml
+++ b/.github/workflows/preview-deploy.yml
@@ -6,8 +6,15 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   success:
+    permissions:
+      actions: read # for dawidd6/action-download-artifact to query and download artifacts
+      issues: write # for actions-cool/maintain-one-comment to modify or create issue comments
+      pull-requests: write # for actions-cool/maintain-one-comment to modify or create PR comments
     runs-on: ubuntu-latest
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
     steps:
@@ -62,6 +69,10 @@ jobs:
       number: ${{ steps.pr.outputs.id }}
 
   failed:
+    permissions:
+      actions: read # for dawidd6/action-download-artifact to query and download artifacts
+      issues: write # for actions-cool/maintain-one-comment to modify or create issue comments
+      pull-requests: write # for actions-cool/maintain-one-comment to modify or create PR comments
     runs-on: ubuntu-latest
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure'
     steps:
diff --git a/.github/workflows/preview-start.yml b/.github/workflows/preview-start.yml
index f9ccd1df..98d2f126 100644
--- a/.github/workflows/preview-start.yml
+++ b/.github/workflows/preview-start.yml
@@ -2,8 +2,14 @@ name: Preview Start
 
 on: pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   preview:
+    permissions:
+      issues: write # for actions-cool/maintain-one-comment to modify or create issue comments
+      pull-requests: write # for actions-cool/maintain-one-comment to modify or create PR comments
     runs-on: ubuntu-latest
     steps:
       - name: create
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index f850ccc8..a5bbc4c6 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
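Review bot: The `success` job is granted `issues: write` and `pull-requests: write` while its inputs arrive through an artifact fetched by dawidd6/action-download-artifact (named in the added permission comment), and the `number: ${{ steps.pr.outputs.id }}` context line in the second hunk suggests the PR number is read from that artifact. Under a `workflow_run` trigger that artifact is produced by the untrusted pull_request run, so the scopes added here are a floor rather than a fix: the step that extracts the PR number should validate it as an integer before any step holding write scope uses it to choose the comment target. The same grant is repeated on the `failed` job in the second hunk and the same validation applies there. The steps of both jobs continue outside the hunks.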
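Review bot: The `preview` job receives `issues: write` and `pull-requests: write` under a `pull_request_target` trigger, which runs with a base-repository token on pull requests from forks. The grant itself is narrow, but its safety rests on the job's steps (starting at `- name: create` and continuing outside the hunk) never checking out or executing the PR head; the hunk alone cannot confirm that. A comment above the job-level `permissions:` recording the constraint, e.g. `# pull_request_target: steps must not check out or run PR head code`, would keep the write scope tied to that assumption.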
@@ -2,8 +2,14 @@ on:
   issue_comment:
     types: [created]
 name: Automatic Rebase
+permissions:
+  contents: read
+
 jobs:
   rebase:
+    permissions:
+      contents: write # for cirrus-actions/rebase to push code to rebase
+      pull-requests: read # for cirrus-actions/rebase to get info about PR
     name: Rebase
     if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
     runs-on: ubuntu-latest
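Review bot: `contents: write` is granted to the `rebase` job whose only gate is the `if:` two lines below, `github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')`, so any account able to comment on a pull request can trigger a push with the repository token. The scope is what cirrus-actions/rebase needs according to the added comment, but the condition should also check who commented, e.g. by appending `&& contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)` to the `if:`. The job's steps continue outside the hunk.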