Skip to content

Commit 94dec91

Browse files
olix0rolix0r
authored
ci: Restict permissions in Actions (#1019)
This change adds a `permissions` block to all actions and ensures that we use SHA-pinned versions of all external actions. This helps ensure that our actions use limited GitHub permissions. This change also removes the unused docker CI workflow.
1 parent a07b33d commit 94dec91

File tree

4 files changed

+25
-70
lines changed

4 files changed

+25
-70
lines changed

.github/workflows/advisory.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,8 @@ jobs:
99
advisories:
1010
timeout-minutes: 5
1111
runs-on: ubuntu-latest
12+
permissions:
13+
contents: read
1214
steps:
1315
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
1416
- uses: EmbarkStudios/cargo-deny-action@0ca727bbae7b7b578b9a5f98186caac35aa2a00d # v1.2.6
@@ -23,6 +25,8 @@ jobs:
2325
runs-on: ubuntu-latest
2426
container:
2527
image: docker://rust:1.52.1-buster
28+
permissions:
29+
contents: read
2630
strategy:
2731
matrix:
2832
dir:
@@ -47,6 +51,8 @@ jobs:
4751
release-binary:
4852
timeout-minutes: 15
4953
runs-on: ubuntu-latest
54+
permissions:
55+
contents: read
5056
steps:
5157
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
5258
- run: make build

.github/workflows/docker.yml

Lines changed: 0 additions & 65 deletions
This file was deleted.

.github/workflows/release.yml

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,8 @@ on:
77

88
jobs:
99
package:
10+
permissions:
11+
contents: write
1012
strategy:
1113
matrix:
1214
architecture: [amd64, arm64, arm]
@@ -25,7 +27,7 @@ jobs:
2527
timeout-minutes: 40
2628
steps:
2729
- name: git co
28-
uses: actions/checkout@v2
30+
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
2931

3032
- name: meta
3133
id: release-tag-meta
@@ -53,7 +55,7 @@ jobs:
5355
args: /linkerd/expected-checksec.json "target/${{ matrix.target }}/release/package/linkerd2-proxy-${{ steps.release-tag-meta.outputs.name }}-${{ matrix.architecture }}-checksec.json"
5456

5557
- name: upload artifacts
56-
uses: actions/upload-artifact@v2
58+
uses: actions/upload-artifact@ee69f02b3dfdecd58bb31b4d133da38ba6fe3700 # v2.2.3
5759
with:
5860
name: ${{ matrix.architecture }}-artifacts
5961
path: target/${{ matrix.target }}/release/package/*
@@ -63,9 +65,11 @@ jobs:
6365
name: GitHub Release
6466
runs-on: ubuntu-latest
6567
timeout-minutes: 5
68+
permissions:
69+
contents: write
6670
steps:
6771
- name: git co
68-
uses: actions/checkout@v2
72+
uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
6973

7074
- name: meta
7175
id: release-tag-meta
@@ -74,15 +78,15 @@ jobs:
7478
git-ref: ${{ github.ref }}
7579

7680
- name: download artifacts
77-
uses: actions/download-artifact@v2
81+
uses: actions/download-artifact@158ca71f7c614ae705e79f25522ef4658df18253 # v2.0.9
7882
with:
7983
path: artifacts
8084

8185
- name: display structure of downloaded files
8286
run: ls -R artifacts
8387

8488
- name: release
85-
uses: softprops/action-gh-release@affa18ef97bc9db20076945705aba8c516139abd
89+
uses: softprops/action-gh-release@b7e450da2a4b4cb4bfbae528f788167786cfcedf # v0.1.5
8690
env:
8791
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
8892
with:

.github/workflows/rust.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,8 @@ jobs:
1111
audit:
1212
timeout-minutes: 5
1313
runs-on: ubuntu-latest
14+
permissions:
15+
contents: read
1416
steps:
1517
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
1618
- uses: EmbarkStudios/cargo-deny-action@0ca727bbae7b7b578b9a5f98186caac35aa2a00d # v1.2.6
@@ -23,6 +25,8 @@ jobs:
2325
runs-on: ubuntu-latest
2426
container:
2527
image: docker://rust:1.52.1-buster
28+
permissions:
29+
contents: read
2630
steps:
2731
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
2832
- run: rustup component add clippy
@@ -34,6 +38,8 @@ jobs:
3438
runs-on: ubuntu-latest
3539
container:
3640
image: docker://rust:1.52.1-buster
41+
permissions:
42+
contents: read
3743
steps:
3844
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
3945
- run: for d in $(for toml in $(find . -mindepth 2 -name Cargo.toml -not -path '*/fuzz/*') ; do echo ${toml%/*} ; done | sort -r ) ; do echo "# $d" ; (cd $d ; cargo check --all-targets) ; done
@@ -44,6 +50,8 @@ jobs:
4450
runs-on: ubuntu-latest
4551
container:
4652
image: docker://rust:1.52.1-buster
53+
permissions:
54+
contents: read
4755
steps:
4856
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
4957
- run: rustup component add rustfmt
@@ -53,6 +61,8 @@ jobs:
5361
test:
5462
timeout-minutes: 15
5563
runs-on: ubuntu-latest
64+
permissions:
65+
contents: read
5666
steps:
5767
- uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
5868
- run: make test

0 commit comments

Comments
 (0)