From 5140adb333138762d1a748691fe9186293cf4b08 Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 8 Dec 2022 19:40:24 +0200
Subject: [PATCH 1/2] build: harden ci.yml permissions

Signed-off-by: Alex
---
 .github/workflows/ci.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ac2ace475..f82540da8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
       - master
   schedule:
     - cron: '00 01 * * *'
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   test:
     name: test

From c48cd2084ecb6daf5f8418f3f71f94b7b2b8f3b1 Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 8 Dec 2022 19:35:40 +0000
Subject: [PATCH 2/2] Update ci.yml

---
 .github/workflows/ci.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f82540da8..edf1ccc0a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,14 @@ on:
   schedule:
     - cron: '00 01 * * *'
 
+# The section is needed to drop write-all permissions that are granted on `schedule` event.
+# By specifying any permission explicitly all others are set to none.
+# By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
+# Currently the worklow doesn't need any additional permission except for pulling the code.
+# Adding labels to issues, commenting on pull-requests, etc. may need additional permissions:
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+# https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
 permissions:
   contents: read # to fetch code (actions/checkout)
 
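Review bot: The new top-level `permissions` block restricts only the automatic GITHUB_TOKEN; a step that authenticates with an explicitly passed secret (a PAT or app token) is not constrained by it, and a job-level `permissions:` key can still re-widen the token, so the `jobs:` section that continues past this hunk needs to be checked for both. Because `contents: read` is the only grant, every other scope (issues, pull-requests, packages, id-token, …) is now `none`, and any step that relied on the permissive default is likely to fail with an authorization error rather than degrade silently. The trailing comment would be more useful if it recorded that scope: `contents: read # only GITHUB_TOKEN is affected; all unlisted scopes are none — check job-level overrides`.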
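Review bot: The first added comment line attributes the write-all default to the `schedule` event, but the default GITHUB_TOKEN scope is a repository/organization setting (permissive vs. restricted) and applies to every trigger, so as written the comment implies the block is only needed because of the cron trigger. A more accurate wording is `# Without this block GITHUB_TOKEN receives the repository's default scope, which may be write-all; listing any permission explicitly sets every unlisted scope to none.` The fourth line also has a typo (`worklow` → `workflow`). It would be worth adding one line noting that a job-level `permissions:` key overrides this top-level block, since that is the usual way a later edit quietly re-widens the token.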