This change locks down the permissions of the access token in GitHub Actions to only allow reading the repository contents and nothing else.
see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
---
 .github/workflows/codespell.yml | 3 +++
 .github/workflows/compliance.yml | 3 +++
 .github/workflows/contrib.yml | 3 +++
 .github/workflows/coverity.yml | 3 +++
 .github/workflows/musl.yml | 3 +++
 .github/workflows/openssl-nodeprecated.yml | 3 +++
 .github/workflows/vtest.yml | 3 +++
 .github/workflows/windows.yml | 3 +++
 8 files changed, 24 insertions(+)
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index de49f4343..61edaeb9e 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "0 0 * * 2"
+permissions:
+ contents: read
+
 jobs:
 codespell:
diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
index 9f2bec289..fe6c2711e 100644
--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: "0 0 * * 3"
+permissions:
+ contents: read
+
 jobs:
 h2spec:
 name: h2spec
diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml
index 53f6025ca..93387a458 100644
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -3,6 +3,9 @@ name: Contrib
 on:
 push:
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index fd5a0e2d2..b3dd5ec52 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -9,6 +9,9 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 scan:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/musl.yml b/.github/workflows/musl.yml
index 8f6922486..19d82af7c 100644
--- a/.github/workflows/musl.yml
+++ b/.github/workflows/musl.yml
@@ -2,6 +2,9 @@ name: alpine/musl
 on: [push]
+permissions:
+ contents: read
+
 jobs:
 musl:
 name: gcc 
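Review bot: The new top-level `permissions:` block restricts the GITHUB_TOKEN for every job in the workflow, but nothing in the file records why it is there or what a job must do if it needs a wider scope; the same applies to the compliance, contrib, coverity, musl, openssl-nodeprecated, vtest and windows hunks. A job added later that needs, say, `checks: write` will fail with a permissions error until it declares its own job-level `permissions`, so a one-line comment above the block would save the next maintainer a debugging cycle: `# GITHUB_TOKEN is limited to read-only repository access; widen it per job, never here.` The hunks only show the `on:`/`jobs:` context, so I cannot confirm from here that none of the existing jobs already relies on a write scope — worth watching the first scheduled and push-triggered runs after merge.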
diff --git a/.github/workflows/openssl-nodeprecated.yml b/.github/workflows/openssl-nodeprecated.yml
index 6833911e4..f6da38234 100644
--- a/.github/workflows/openssl-nodeprecated.yml
+++ b/.github/workflows/openssl-nodeprecated.yml
@@ -14,6 +14,9 @@ on:
 schedule:
 - cron: "0 0 * * 4"
+permissions:
+ contents: read
+
 jobs:
 test:
diff --git a/.github/workflows/vtest.yml b/.github/workflows/vtest.yml
index 1dc216eeb..4cdbdce5b 100644
--- a/.github/workflows/vtest.yml
+++ b/.github/workflows/vtest.yml
@@ -11,6 +11,9 @@ name: VTest
 on:
 push:
+permissions:
+ contents: read
+
 jobs:
 # The generate-matrix job generates the build matrix using JSON output
 # generated by .github/matrix.py.
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index b5a198aff..42bb4e8c9 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -11,6 +11,9 @@ name: Windows
 on:
 push:
+permissions:
+ contents: read
+
 jobs:
 msys2:
 name: ${{ matrix.name }}
-- 
2.33.0