Explicit permissions for github actions

To improve OSSF Scorecard score on Scorecard repo
2024-09-17 11:57:12 +03:00 · 2022-03-28 15:59:41 -04:00 · 2022-03-28 15:59:41 -04:00 · 682e6ea176
commit 682e6ea176
parent 007156b1d3
4 changed files with 16 additions and 4 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -35,11 +35,13 @@ on:
      
 permissions:
  contents: read
-  statuses: write
-  security-events: write

 jobs:
  analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
    name: Analyze
    runs-on: ubuntu-latest

--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -12,6 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+permissions:
+  contents: read
+
 name: docker-build
 on: 
 push:
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@ -19,11 +19,14 @@ on:
    tags:
      - "*" # triggers only if push new tag version, like `0.8.4` or else

+permissions:
+  contents: read
+
 jobs:
  goreleaser:
-    runs-on: ubuntu-latest
    permissions:
-     contents: write
+      contents: write  # for goreleaser/goreleaser-action to create a GitHub release
+    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@bdb12b622a910dfdc99a31fdfe6f45a16bc287a4 # v1
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -13,6 +13,10 @@
 # limitations under the License.

 name: build
+
+permissions:
+  contents: read
+  
 on:
  push:
    branches: