ci(github-actions): least priviledge

thomasleplus · thomasleplus · commit 3aaad9287597 · 2025-09-24T10:54:15.000+02:00
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -2,13 +2,17 @@
 name: "Dependabot auto-merge"
 on: pull_request
 
-permissions:
-  actions: write
-  contents: write
-  pull-requests: write
+permissions: {}
 
 jobs:
   automerge:
+    permissions:
+      # Required to merge the PR
+      contents: write
+      # Required to merge the PR if it modifies a workflow
+      actions: write
+      # Required to approve the PR
+      pull-requests: write
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -20,16 +20,12 @@ jobs:
     # Consider using larger runners or machines with greater resources for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
-      # required for all workflows
-      security-events: write
-
-      # required to fetch internal or private CodeQL packs
-      packages: read
-
-      # only required for workflows in private repositories
+      # for github/codeql-action/init to get workflow details
       actions: read
+      # for actions/checkout to fetch code
       contents: read
-
+      # for github/codeql-action/autobuild to send a status report
+      security-events: write
     strategy:
       fail-fast: false
       matrix:
@@ -60,7 +56,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -72,6 +68,6 @@ jobs:
           # queries: security-extended,security-and-quality
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5
+        uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -2,16 +2,18 @@
 name: "Dependency Review"
 on: [pull_request]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependency-review:
+    permissions:
+      # Required to read the code
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: "Dependency Review"
-        uses: actions/dependency-review-action@0659a74c94536054bfa5aeb92241f70d680cc78e # v4
+        uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
@@ -8,9 +8,9 @@ name: DevSkim
 
 on:
   push:
-    branches: ["main"]
+    branches: ["gh-pages"]
   pull_request:
-    branches: ["main"]
+    branches: ["gh-pages"]
   schedule:
     - cron: "0 0 * * 0"
 
@@ -21,20 +21,20 @@ jobs:
     name: DevSkim
     runs-on: ubuntu-latest
     permissions:
-      actions: read
+      # required to read the code
       contents: read
+      # required to publish security findings
       security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
-
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16
-
-      - name: Upload DevSkim scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
         with:
           should-scan-archives: true
+      - name: Upload DevSkim scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
+        with:
           sarif_file: devskim-results.sarif
diff --git a/.github/workflows/msdo.yml b/.github/workflows/msdo.yml
@@ -8,9 +8,9 @@ name: MSDO
 
 on:
   push:
-    branches: ["main"]
+    branches: ["gh-pages"]
   pull_request:
-    branches: ["main"]
+    branches: ["gh-pages"]
   schedule:
     - cron: "0 0 * * 0"
 
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
@@ -14,21 +14,22 @@ name: OSV-Scanner
 
 on:
   pull_request:
-    branches: ["main"]
+    branches: ["gh-pages"]
   push:
-    branches: ["main"]
+    branches: ["gh-pages"]
   schedule:
     - cron: "0 0 * * 0"
   workflow_dispatch:
 
-permissions:
-  # Require writing security events to upload SARIF file to security tab
-  security-events: write
-  # Read commit contents
-  contents: read
-  # Actions read-only
-  actions: read
+permissions: {}
 
 jobs:
   osv-scanner:
-    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@e69cc6c86b31f1e7e23935bbe7031b50e51082de" # v2.0.2
+    permissions:
+      # Required to upload the SARIF file to the security tab
+      security-events: write
+      # Required to read the code
+      contents: read
+      # Required to read the code
+      actions: read
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@90b209d0ea55cea1da9fc0c4e65782cc6acb6e2e" # v2.2.2
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -3,21 +3,27 @@ name: Scorecards supply-chain security
 on:
   push:
     branches:
-      - main
+      - gh-pages
       - "releases/**"
   schedule:
     - cron: "0 0 * * 0"
   workflow_dispatch:
 
-permissions: read-all
+permissions: {}
 
 jobs:
   scorecards:
     name: Scorecards analysis
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
+      # Required to read the code
+      actions: read
+      # Required to read the code
+      contents: read
+      # Required to sign the SARIF file
       id-token: write
+      # Required to upload the SARIF file to the security tab
+      security-events: write
     steps:
       - name: "Checkout code"
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -37,8 +37,11 @@ jobs:
     # Grant status permission for MULTI_STATUS #
     ############################################
     permissions:
+      # Required to read the code
       contents: read
+      # Required to access the container image
       packages: read
+      # Required to write the status
       statuses: write
 
     ##################
@@ -64,7 +67,7 @@ jobs:
         env:
           VALIDATE_ALL_CODEBASE: true
           LINTER_RULES_PATH: .
-          DEFAULT_BRANCH: main
+          DEFAULT_BRANCH: gh-pages
           FILTER_REGEX_EXCLUDE: "(_layouts/default\\.html)$"
           ENFORCE_COMMITLINT_CONFIGURATION_CHECK: true
           GITHUB_ACTIONS_ZIZMOR_CONFIG_FILE: .zizmor.yml
diff --git a/.github/workflows/update-prs.yml b/.github/workflows/update-prs.yml
@@ -7,17 +7,20 @@ on:
     - cron: "0 0 * * *"
   workflow_dispatch:
 
-permissions:
-  pull-requests: write
-  contents: write
+permissions: {}
 
 jobs:
   update-prs:
     if: startsWith(github.ref, 'refs/heads/')
+    permissions:
+      # Required to update the PR
+      pull-requests: write
+      # Required to update the PR branch
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Update Pull Requests
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const opts = github.rest.pulls.list.endpoint.merge({
