Principle of least privilege for workflow tokens (#3360)

4 months ago · 6215747563
5 changed files with 23 additions and 0 deletions
--- a/.github/workflows/build-frontends.yml
+++ b/.github/workflows/build-frontends.yml
@ -6,6 +6,9 @@ on:
  pull_request:
    branches: [ master, release/** ]
 permissions:
  contents: read
 jobs:
  build:
    runs-on: ubuntu-latest
--- a/.github/workflows/build-ilspy.yml
+++ b/.github/workflows/build-ilspy.yml
@ -6,8 +6,13 @@ on:
  pull_request:
    branches: [ master, release/** ]
 permissions:
  contents: read
 jobs:
  Build:
    permissions:
      packages: write  # for dotnet nuget push
    runs-on: windows-2022
    strategy:
      fail-fast: false
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -6,8 +6,15 @@ on:
  pull_request:
    branches: [ master, release/** ]
 permissions:
  contents: read
 jobs:
  analyze:
    permissions:
      actions: read  # for github/codeql-action/init to get workflow details
      security-events: write  # for github/codeql-action/analyze to upload SARIF results
    name: Analyze
    runs-on: ubuntu-latest
--- a/.github/workflows/generate-bom.yml
+++ b/.github/workflows/generate-bom.yml
@ -3,6 +3,9 @@ name: Generate BOM
 on:
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  build:
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@ -4,8 +4,13 @@ on:
  schedule:
    - cron: '0 0 * * *'
 permissions:
  contents: read
 jobs:
  lock:
    permissions:
      issues: write  # for dessant/lock-threads to lock issues
    runs-on: ubuntu-latest
    steps:
      - uses: dessant/lock-threads@v5.0.1