From 6215747563c3a7d21adfd7336f114f41e56d2b8b Mon Sep 17 00:00:00 2001
From: Christoph Wille
Date: Fri, 3 Jan 2025 16:23:03 +0100
Subject: [PATCH] Principle of least privilege for workflow tokens (#3360)
---
 .github/workflows/build-frontends.yml | 3 +++
 .github/workflows/build-ilspy.yml | 5 +++++
 .github/workflows/codeql-analysis.yml | 7 +++++++
 .github/workflows/generate-bom.yml | 3 +++
 .github/workflows/lock.yml | 5 +++++
 5 files changed, 23 insertions(+)
diff --git a/.github/workflows/build-frontends.yml b/.github/workflows/build-frontends.yml
index 2ebe5fd40..d9abeabe5 100644
--- a/.github/workflows/build-frontends.yml
+++ b/.github/workflows/build-frontends.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ master, release/** ]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/build-ilspy.yml b/.github/workflows/build-ilspy.yml
index 51c2b595c..f5edfdc97 100644
--- a/.github/workflows/build-ilspy.yml
+++ b/.github/workflows/build-ilspy.yml
@@ -6,8 +6,13 @@ on:
 pull_request:
 branches: [ master, release/** ]
+permissions:
+ contents: read
+
 jobs:
 Build:
+ permissions:
+ packages: write # for dotnet nuget push
 runs-on: windows-2022
 strategy:
 fail-fast: false
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 1886a05af..f7cd2250c 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -6,8 +6,15 @@ on:
 pull_request:
 branches: [ master, release/** ]
+permissions:
+ contents: read
+
 jobs:
 analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ security-events: write # for github/codeql-action/analyze to upload SARIF results
+
 name: Analyze
 runs-on: ubuntu-latest
diff --git a/.github/workflows/generate-bom.yml b/.github/workflows/generate-bom.yml
index 5cfafea63..44cf80453 100644
--- a/.github/workflows/generate-bom.yml
+++ b/.github/workflows/generate-bom.yml
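Review bot: The job-level `permissions:` block added under `Build:` in build-ilspy.yml does not merge with the workflow-level `contents: read` above it; when a job declares its own `permissions`, every scope it leaves unlisted is set to `none` for that job, so this job's token ends up with `packages: write` and no `contents` access at all. Whether that breaks a later step (a checkout, for example) depends on the rest of the job, which is outside this hunk, but the least-surprise form is to repeat the scope explicitly: `permissions:` / `  contents: read` / `  packages: write # for dotnet nuget push`. The same applies to the `analyze:` job in codeql-analysis.yml in this patch, where `contents: read` is also what the standard CodeQL workflow template lists alongside `actions: read` and `security-events: write`, and to the `lock:` job in lock.yml, although that job does not appear to need repository contents. A one-line comment above each job-level block, such as `# job-level permissions replace, not extend, the workflow-level block`, would keep the next maintainer from assuming inheritance.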
@@ -3,6 +3,9 @@ name: Generate BOM
 on:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 3bc404b70..4ef571260 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -4,8 +4,13 @@ on:
 schedule:
 - cron: '0 0 * * *'
+permissions:
+ contents: read
+
 jobs:
 lock:
+ permissions:
+ issues: write # for dessant/lock-threads to lock issues
 runs-on: ubuntu-latest
 steps:
 - uses: dessant/lock-threads@v5.0.1
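Review bot: The `issues: write` scope granted to the `lock:` job in lock.yml covers issues only; dessant/lock-threads can also lock closed pull requests, and that path needs `pull-requests: write` on the token as well. The action's `with:` configuration follows the last line of this hunk, so I cannot tell from here whether pull-request locking is enabled; if it is, add `pull-requests: write # for dessant/lock-threads to lock pull requests` under the same `permissions:` block, and if it is deliberately disabled, a short comment saying so next to `issues: write` would explain why the scope is absent. The `lock` job's step list continues past the end of the hunk.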