This change locks down the permissions of the access token in GitHub Actions to
only allow reading the repository contents and nothing else.
see
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
---
.github/workflows/codespell.yml| 3 +++
.github/workflows/compliance.yml | 3 +++
.github/workflows/contrib.yml | 3 +++
.github/workflows/coverity.yml | 3 +++
.github/workflows/musl.yml | 3 +++
.github/workflows/openssl-nodeprecated.yml | 3 +++
.github/workflows/vtest.yml| 3 +++
.github/workflows/windows.yml | 3 +++
8 files changed, 24 insertions(+)
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index de49f4343..61edaeb9e 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -4,6 +4,9 @@ on:
schedule:
- cron: "0 0 * * 2"
+permissions:
+ contents: read
+
jobs:
codespell:
diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
index 9f2bec289..fe6c2711e 100644
--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -5,6 +5,9 @@ on:
schedule:
- cron: "0 0 * * 3"
+permissions:
+ contents: read
+
jobs:
h2spec:
name: h2spec
diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml
index 53f6025ca..93387a458 100644
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -3,6 +3,9 @@ name: Contrib
on:
push:
+permissions:
+ contents: read
+
jobs:
build:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index fd5a0e2d2..b3dd5ec52 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -9,6 +9,9 @@ on:
schedule:
- cron: "0 0 * * *"
+permissions:
+ contents: read
+
jobs:
scan:
runs-on: ubuntu-latest
diff --git a/.github/workflows/musl.yml b/.github/workflows/musl.yml
index 8f6922486..19d82af7c 100644
--- a/.github/workflows/musl.yml
+++ b/.github/workflows/musl.yml
@@ -2,6 +2,9 @@ name: alpine/musl
on: [push]
+permissions:
+ contents: read
+
jobs:
musl:
name: gcc
diff --git a/.github/workflows/openssl-nodeprecated.yml
b/.github/workflows/openssl-nodeprecated.yml
index 6833911e4..f6da38234 100644
--- a/.github/workflows/openssl-nodeprecated.yml
+++ b/.github/workflows/openssl-nodeprecated.yml
@@ -14,6 +14,9 @@ on:
schedule:
- cron: "0 0 * * 4"
+permissions:
+ contents: read
+
jobs:
test:
diff --git a/.github/workflows/vtest.yml b/.github/workflows/vtest.yml
index 1dc216eeb..4cdbdce5b 100644
--- a/.github/workflows/vtest.yml
+++ b/.github/workflows/vtest.yml
@@ -11,6 +11,9 @@ name: VTest
on:
push:
+permissions:
+ contents: read
+
jobs:
# The generate-matrix job generates the build matrix using JSON output
# generated by .github/matrix.py.
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index b5a198aff..42bb4e8c9 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -11,6 +11,9 @@ name: Windows
on:
push:
+permissions:
+ contents: read
+
jobs:
msys2:
name: ${{ matrix.name }}
--
2.33.0