Principle of least privilege for workflow tokens (#3360)

4 months ago · 6215747563
5 changed files with 23 additions and 0 deletions
--- a/.github/workflows/build-frontends.yml
+++ b/.github/workflows/build-frontends.yml
@ -6,6 +6,9 @@ on:
				@@ -6,6 +6,9 @@ on:
  pull_request:
    branches: [ master, release/** ]

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ubuntu-latest
--- a/.github/workflows/build-ilspy.yml
+++ b/.github/workflows/build-ilspy.yml
@ -6,8 +6,13 @@ on:
				@@ -6,8 +6,13 @@ on:
  pull_request:
    branches: [ master, release/** ]

+permissions:
+  contents: read
+
 jobs:
  Build:
+    permissions:
+      packages: write  # for dotnet nuget push
    runs-on: windows-2022
    strategy:
      fail-fast: false
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -6,8 +6,15 @@ on:
				@@ -6,8 +6,15 @@ on:
  pull_request:
    branches: [ master, release/** ]

+permissions:
+  contents: read
+
 jobs:
  analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
+      
    name: Analyze
    runs-on: ubuntu-latest

--- a/.github/workflows/generate-bom.yml
+++ b/.github/workflows/generate-bom.yml
@ -3,6 +3,9 @@ name: Generate BOM
				@@ -3,6 +3,9 @@ name: Generate BOM
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  build:

--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@ -4,8 +4,13 @@ on:
				@@ -4,8 +4,13 @@ on:
  schedule:
    - cron: '0 0 * * *'

+permissions:
+  contents: read
+
 jobs:
  lock:
+    permissions:
+      issues: write  # for dessant/lock-threads to lock issues
    runs-on: ubuntu-latest
    steps:
      - uses: dessant/lock-threads@v5.0.1