ci: add permissions settings

BurntSushi · Aug 29, 2023 · 54e460d · 54e460d
1 parent bf2a2c1
commit 54e460d
Showing 1 changed file with 21 additions and 4 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,16 +6,33 @@ on:
     - master
   schedule:
     - cron: '00 01 * * *'
+
+# The section is needed to drop write-all permissions that are granted on
+# `schedule` event. By specifying any permission explicitly all others are set
+# to none. By using the principle of least privilege the damage a compromised
+# workflow can do (because of an injection or compromised third party tool or
+# action) is restricted. Currently the worklow doesn't need any additional
+# permission except for pulling the code. Adding labels to issues, commenting
+# on pull-requests, etc. may need additional permissions:
+#
+# Syntax for this section:
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+#
+# Reference for how to assign permissions on a job-by-job basis:
+# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+#
+# Reference for available permissions that we can enable if needed:
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+permissions:
+  # to fetch code (actions/checkout)
+  contents: read
+
 jobs:
   test:
     name: test
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        # The docs seem to suggest that we can have a matrix with just an
-        # include directive, but it results in a "matrix must define at least
-        # one vector" error in the CI system.
-        build: [pinned, stable, beta, nightly, macos, win-msvc, win-gnu]
         include:
         - build: pinned
           os: ubuntu-latest