From 54e460dfc339c165734b803d6806e57e6d587985 Mon Sep 17 00:00:00 2001
From: Andrew Gallant
Date: Tue, 29 Aug 2023 10:20:48 -0400
Subject: [PATCH] ci: add permissions settings

---
 .github/workflows/ci.yml | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 986bf5e..e06a3ee 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,16 +6,33 @@ on:
     - master
   schedule:
   - cron: '00 01 * * *'
+
+# The section is needed to drop write-all permissions that are granted on
+# `schedule` event. By specifying any permission explicitly all others are set
+# to none. By using the principle of least privilege the damage a compromised
+# workflow can do (because of an injection or compromised third party tool or
+# action) is restricted. Currently the worklow doesn't need any additional
+# permission except for pulling the code. Adding labels to issues, commenting
+# on pull-requests, etc. may need additional permissions:
+#
+# Syntax for this section:
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+#
+# Reference for how to assign permissions on a job-by-job basis:
+# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+#
+# Reference for available permissions that we can enable if needed:
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
+permissions:
+  # to fetch code (actions/checkout)
+  contents: read
+
 jobs:
   test:
     name: test
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
-        # The docs seem to suggest that we can have a matrix with just an
-        # include directive, but it results in a "matrix must define at least
-        # one vector" error in the CI system.
-        build: [pinned, stable, beta, nightly, macos, win-msvc, win-gnu]
         include:
         - build: pinned
           os: ubuntu-latest
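Review bot: The comment above `permissions:` attributes the write-all grant to the `schedule` event, but the default GITHUB_TOKEN scope is a repository/organization setting that applies to every triggering event of this workflow (push and schedule alike; only `pull_request` runs from forks are forced to read-only by GitHub), so the new block restricts all runs, not just the nightly one. I'd reword the opening sentence to `# Drop the default GITHUB_TOKEN permissions (a repository-level setting that may be write-all); specifying any permission explicitly sets all others to none.` and fix the typo `worklow` in the same comment. Workflow-level `contents: read` is the right baseline; if a job later needs more (issues, pull-requests), grant it on that job's own `permissions:` key rather than widening this one. Since the comment names a compromised third-party action as the threat, the complementary control is pinning every `uses:` in the jobs below to a full commit SHA rather than a tag — those lines are outside this hunk, so I can't tell whether they already are.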