chore: Set permissions for GitHub actions

naveensrinivasan · naveensrinivasan · commit c07abd958eb9 · 2022-05-17T06:31:06.000-05:00
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
diff --git a/.github/workflows/cancel_workflows.yml b/.github/workflows/cancel_workflows.yml
@@ -0,0 +1,22 @@
+name: Cancel duplicate workflows
+
+on:
+  workflow_run:
+    workflows: ["CI", "CodeQL"]
+    types:
+      - requested
+
+# Note: This has to be in workflow_run so it works for PRs from forks.
+permissions:
+  contents: read
+
+jobs:
+  cancel:
+    permissions:
+      actions: write  # for styfle/cancel-workflow-action to cancel/stop running workflows
+    runs-on: ubuntu-latest
+    steps:
+    - name: Cancel previous runs
+      uses: styfle/cancel-workflow-action@3d86a7cc43670094ac248017207be0295edbc31d  # 0.8.0
+      with:
+        workflow_id: ${{ github.event.workflow.id }}
diff --git a/.github/workflows/ci_crontests.yml b/.github/workflows/ci_crontests.yml
@@ -9,6 +9,9 @@ on:
     # run every Monday at 5am UTC
     - cron: '0 5 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: ${{ matrix.name }}
diff --git a/.github/workflows/ci_devtests.yml b/.github/workflows/ci_devtests.yml
@@ -18,6 +18,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     name: ${{ matrix.name }}
diff --git a/.github/workflows/ci_tests.yml b/.github/workflows/ci_tests.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
 
 jobs:
   tests:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -11,8 +11,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
     name: Analyze
     runs-on: ubuntu-latest
 
