[StepSecurity] ci: Harden GitHub Actions

step-security-bot · MaxymVlasov · commit 72d2aa390fd4 · 2025-01-24T00:58:08.000+02:00
Signed-off-by: StepSecurity Bot &lt;bot@stepsecurity.io&gt;
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
@@ -10,6 +10,9 @@ on:
   schedule:
   - cron: 00 00 * * *
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -9,8 +9,14 @@ on:
     - edited
     - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -4,8 +4,13 @@ name: Common issues check
 
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   pre-commit:
+    permissions:
+      contents: write  # for pre-commit/action to push back fixes to PR branch
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,6 +14,9 @@ on:
     - .pre-commit-hooks.yaml
     # Ignore paths
     - '!tests/**'
+permissions:
+  contents: read
+
 jobs:
   release:
     name: Release
diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml
@@ -5,8 +5,14 @@ on:
   schedule:
   - cron: 0 0 * * *
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
     - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639  # v9.1.0
