From 27656fb757a8ed057c0f400e9283ab4bd35cc6b5 Mon Sep 17 00:00:00 2001
From: Georg Kunz
Date: Wed, 23 Aug 2023 22:01:17 +0200
Subject: [PATCH] [workflows] read-only permissions for GITHUB_TOKEN in all flow

Setting read-only permission for all scopes for the GITHUB_TOKEN used in all remaining workflows. This is a part of adopting security best practices of the OpenSSF based on the ScoreCard tool [1]

[1] https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

Signed-off-by: Georg Kunz
---
 .github/workflows/config_coverage.yml | 2 ++
 .github/workflows/docker.yml | 2 ++
 .github/workflows/pypi.yml | 2 ++
 .github/workflows/snap.yml | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/.github/workflows/config_coverage.yml b/.github/workflows/config_coverage.yml
index fe90d98252..00800ffb8a 100644
--- a/.github/workflows/config_coverage.yml
+++ b/.github/workflows/config_coverage.yml
@@ -21,6 +21,8 @@ on:
   # Allow running this job manually from either API or GitHub UI.
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   checker-config-coverage:
     name: "Config coverage of checkers"
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a8c1686f98..d0140fdc39 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -5,6 +5,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   main:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pypi.yml b/.github/workflows/pypi.yml
index bc94e01bb9..70b5129feb 100644
--- a/.github/workflows/pypi.yml
+++ b/.github/workflows/pypi.yml
@@ -6,6 +6,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   build:
     name: Build pypi package
diff --git a/.github/workflows/snap.yml b/.github/workflows/snap.yml
index 251dcbd7ff..53ce59943e 100644
--- a/.github/workflows/snap.yml
+++ b/.github/workflows/snap.yml
@@ -5,6 +5,8 @@ on:
   release:
     types: [published]
 
+permissions: read-all
+
 jobs:
   build:
     name: Build snap package
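Review bot: `permissions: read-all` in the config_coverage.yml hunk still grants the token read access on every scope (issues, pull-requests, packages, and so on), whereas the least-privilege default the Scorecard Token-Permissions check asks for is the narrower `permissions:` / `  contents: read`, since checkout is typically the only thing the token is needed for; the same applies to the docker.yml, pypi.yml and snap.yml hunks. The three release-triggered workflows publish artifacts, and their job bodies lie outside the hunks, so it cannot be seen here whether any job relies on GITHUB_TOKEN for a write (for example pushing to GHCR, which needs `packages: write`, or OIDC trusted publishing, which needs `id-token: write`); such a job will now fail and should receive a job-level `permissions:` block granting only that one scope rather than widening the top-level grant. Running each release workflow once after merge would confirm that nothing depended on the old default write token.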