Set permissions for GitHub actions

Restrict the GitHub token permissions only to the required ones; this
way, even if the attackers will succeed in compromising your workflow,
they won’t be able to do much.

- Included permissions for the action.

https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>

Closes gh-11367
This commit is contained in:
naveen 2022-06-12 00:31:28 +00:00 committed by Steve Riesenberg
parent a996dfc55b
commit 8c634f8a9d
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
7 changed files with 21 additions and 0 deletions

View File

@ -5,6 +5,9 @@ on:
- cron: '0 10 * * *' # Once per day at 10am UTC
workflow_dispatch: # Manual trigger
permissions:
contents: read
jobs:
update:
name: Update Algolia Index

View File

@ -10,6 +10,9 @@ on:
env:
GH_ACTIONS_REPO_TOKEN: ${{ secrets.GH_ACTIONS_REPO_TOKEN }}
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest

View File

@ -3,8 +3,13 @@ on:
schedule:
- cron: '0 10 * * *' # Once per day at 10am UTC
permissions:
contents: read
jobs:
main:
permissions:
contents: none
runs-on: ubuntu-latest
steps:
- name: Delete artifacts in cron job

View File

@ -232,6 +232,8 @@ jobs:
DOCS_SSH_KEY: ${{ secrets.DOCS_SSH_KEY }}
DOCS_HOST: ${{ secrets.DOCS_HOST }}
perform_release:
permissions:
contents: write # for Git to git push
name: Perform release
needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
runs-on: ubuntu-latest

View File

@ -7,6 +7,9 @@ on:
- cron: '0 10 * * *' # Once per day at 10am UTC
workflow_dispatch: # Manual trigger
permissions:
contents: read
jobs:
deploy:
name: deploy

View File

@ -7,6 +7,8 @@ env:
TITLE: ${{ github.event.milestone.title }}
jobs:
spring-releasetrain-checks:
permissions:
contents: none
name: Check DueOn is on a Release Date
runs-on: ubuntu-latest
steps:

View File

@ -5,6 +5,9 @@ on: pull_request
env:
RUN_JOBS: ${{ github.repository == 'spring-projects/spring-security' }}
permissions:
contents: read
jobs:
build:
name: Build