chore: Set permissions for GitHub actions (#12462)

Motivation: Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. Modifications: - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs Result: Secure GitHub actions Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
netty · Mar 29, 2023 · ccc5e01 · ccc5e01
1 parent cf5c467
commit ccc5e01
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
@@ -28,6 +28,9 @@ on:
 env:
   MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryhandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=240
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/ci-pr-reports.yml b/.github/workflows/ci-pr-reports.yml
@@ -22,8 +22,15 @@ on:
 env:
   MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryhandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=240
 
+permissions:
+  contents: read
+
 jobs:
   tests:
+    permissions:
+      actions: read  # for dawidd6/action-download-artifact to query and download artifacts
+      checks: write  # for scacap/action-surefire-report to publish result as PR check
+      pull-requests: read  # for dawidd6/action-download-artifact to query commit hash
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -32,8 +32,15 @@ on:
 env:
   MAVEN_OPTS: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.http.retryhandler.count=5 -Dmaven.wagon.httpconnectionManager.ttlSeconds=240
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
     name: Analyze
     runs-on: ubuntu-latest