[StepSecurity] ci: Harden GitHub Actions (#401)

step-security-bot · web-flow · commit 2d458da8b9d4 · 2022-10-03T05:24:36.000+10:00
* [StepSecurity] ci: Harden GitHub Actions in docker-image.yml

* [StepSecurity] ci: Harden GitHub Actions in labeler.yml

* [StepSecurity] ci: Harden GitHub Actions in lint.yml

* [StepSecurity] ci: Harden GitHub Actions in super-linter.yml

* [StepSecurity] ci: Harden GitHub Actions in codeql-analysis.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -13,8 +13,15 @@ name: CodeQL
 
 on: [pull_request]
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
     name: Analyze
     runs-on: ubuntu-latest
 
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [master]
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   build-deploy:
     name: Build and Publish Docker image
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -2,8 +2,14 @@ name: Pull Request Labeler
 on:
   - pull_request_target
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   triage:
+    permissions:
+      contents: read  # for actions/labeler to determine modified files
+      pull-requests: write  # for actions/labeler to add labels to PRs
     name: Triage
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,6 +2,9 @@ name: Lint
 
 on: [pull_request]
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   markdown-link-check:
     name: Check for broken links in Markdown files
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -2,8 +2,14 @@ name: Lint
 
 on: [pull_request]
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      statuses: write  # for github/super-linter/slim to mark status of each linter run
     name: Super-Linter
     runs-on: ubuntu-latest
     steps:
