From f64c0b4cb2f19427155f463a5e179dd3aeb23e95 Mon Sep 17 00:00:00 2001 From: Sourabh Mehta Date: Mon, 12 May 2025 11:41:15 +0200 Subject: [PATCH 1/2] Added default WF permission to read-only --- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 12 +++++++----- .github/workflows/markdown.yml | 3 +++ .github/workflows/mkdocs.yml | 4 ++-- .github/workflows/tpip.yml | 4 ++-- 5 files changed, 16 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 48bb803f..a249ba02 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,8 +16,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read +# Declare default permissions as read only +permissions: read-all jobs: build: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e814b72f..e8ee9f7a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -8,11 +8,8 @@ on: branches: - main -permissions: - actions: read - checks: write - contents: read - security-events: write +# Declare default permissions as read only +permissions: read-all concurrency: group: ${{ github.workflow }}-${{ github.ref }} @@ -22,6 +19,11 @@ jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + actions: read + checks: write + contents: read + security-events: write steps: - name: Harden the runner (Audit all outbound calls) diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml index 08613ccd..a8a9d08e 100644 --- a/.github/workflows/markdown.yml +++ b/.github/workflows/markdown.yml @@ -13,6 +13,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +# Declare default permissions as read only +permissions: read-all + jobs: linter: name: Lint Markdown Files diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml index e87a62f7..ea8fd30f 100644 --- a/.github/workflows/mkdocs.yml 
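Review bot: The job-level block added to `analyze` in codeql.yml carries `checks: write` alongside `security-events: write`, but nothing visible in the hunk shows a step that creates or updates check runs; the CodeQL analyze/upload step is documented as needing `security-events: write` (plus `actions: read` and `contents: read` on private repositories), so `checks: write` looks like a carry-over from the old top-level block rather than a requirement of this job. If no step in the job writes check runs — the step list continues outside the hunk — drop the line `checks: write` so the job holds only the scopes it uses. Moving the write scopes from the workflow level down to the single job that needs them is the right shape; the workflow-level default should stay read-only.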
+++ b/.github/workflows/mkdocs.yml @@ -16,8 +16,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read +# Declare default permissions as read only +permissions: read-all jobs: build: diff --git a/.github/workflows/tpip.yml b/.github/workflows/tpip.yml index 2fb050f9..29238dcb 100644 --- a/.github/workflows/tpip.yml +++ b/.github/workflows/tpip.yml @@ -16,8 +16,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read +# Declare default permissions as read only +permissions: read-all jobs: report: From 82e8de1017f6e0039b0b095f160931ca223bf362 Mon Sep 17 00:00:00 2001 From: Sourabh Mehta Date: Mon, 12 May 2025 14:29:00 +0200 Subject: [PATCH 2/2] set least privilege --- .github/workflows/ci.yml | 4 ++-- .github/workflows/codeql.yml | 4 ++-- .github/workflows/markdown.yml | 4 ++-- .github/workflows/mkdocs.yml | 4 ++-- .github/workflows/scorecard.yml | 4 ++-- .github/workflows/tpip.yml | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a249ba02..48bb803f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -16,8 +16,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# Declare default permissions as read only -permissions: read-all +permissions: + contents: read jobs: build: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e8ee9f7a..20607737 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -8,8 +8,8 @@ on: branches: - main -# Declare default permissions as read only -permissions: read-all +permissions: + contents: read concurrency: group: ${{ github.workflow }}-${{ github.ref }} diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml index a8a9d08e..ac4769c3 100644 --- a/.github/workflows/markdown.yml 
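Review bot: Patches 1/2 and 2/2 cancel out for ci.yml — the `index` line `a249ba02..48bb803f` is the exact reverse of patch 1's `48bb803f..a249ba02` — and the same reversal appears for mkdocs.yml (`ea8fd30f..e87a62f7`) and tpip.yml (`29238dcb..2fb050f9`), so those three files are net-unchanged across the series and the two patches should be squashed before merge. A squashed history would show only the real change (the job-level block in codeql.yml and the new workflow-level `permissions:` in markdown.yml and scorecard.yml) instead of an intermediate `read-all` state that never needs to exist. `permissions: contents: read` at the workflow level is the better default here: `read-all` grants read on every scope (actions, checks, packages, pull-requests, and so on) that a checkout-and-build job does not use.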
+++ b/.github/workflows/markdown.yml @@ -13,8 +13,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# Declare default permissions as read only -permissions: read-all +permissions: + contents: read jobs: linter: diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml index ea8fd30f..e87a62f7 100644 --- a/.github/workflows/mkdocs.yml +++ b/.github/workflows/mkdocs.yml @@ -16,8 +16,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# Declare default permissions as read only -permissions: read-all +permissions: + contents: read jobs: build: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2f1a487a..e0ee0dc8 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -11,8 +11,8 @@ on: push: branches: [ "main" ] -# Declare default permissions as read-only. -permissions: read-all +permissions: + contents: read jobs: analysis: diff --git a/.github/workflows/tpip.yml b/.github/workflows/tpip.yml index 29238dcb..2fb050f9 100644 --- a/.github/workflows/tpip.yml +++ b/.github/workflows/tpip.yml @@ -16,8 +16,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# Declare default permissions as read only -permissions: read-all +permissions: + contents: read jobs: report:
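Review bot: Replacing `permissions: read-all` with `contents: read` at the workflow level in scorecard.yml is only safe if the `analysis` job — its body lies outside the hunk — keeps its own `permissions:` block with `security-events: write` for the SARIF upload and `id-token: write` for result publishing; with no job-level grant, `contents: read` becomes the token's entire scope and the code-scanning upload (and `publish_results`, if it is enabled) would fail at runtime rather than at lint time. Please confirm those two scopes are declared on the job, and add them there if they are not. The removed line `# Declare default permissions as read-only.` was the upstream template's wording; a one-line replacement such as `# Workflow-level default; the analysis job grants the scopes scorecard needs` would keep that intent visible next to the narrower default.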