github: Minimize permissions granted to automated workflows / jobs

Jobs that use the GITHUB_TOKEN to perform sensitive actions on behalf of a real user may be granted a range of permissions. Instead of granting blanket permissions to read and write "all" APIs, we should really limit the permissions what any individual workflow or job can do. This commit sets the default permissions for each workflow to "contents: read", which allows jobs to only read from the repository. The one job that requires additional permission is our "tagged_release" job which additional requires write access. Link: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions Link: #317 Signed-off-by: Jason Gerecke <[email protected]>
linuxwacom · Nov 29, 2023 · 0e060fb · 0e060fb
1 parent d212d14
commit 0e060fb
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 0 deletions.
diff --git a/.github/workflows/checkpatch.yml b/.github/workflows/checkpatch.yml
@@ -4,6 +4,9 @@ on:
     - '3.17/**'
     - '4.5/**'
 
+permissions:
+  contents: read
+
 jobs:
   checkpatch:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,5 +1,8 @@
 on: [ push, pull_request ]
 
+permissions:
+  contents: read
+
 env:
   COMPILE_CFLAGS: -Werror
   PREPARE_CFLAGS:

diff --git a/.github/workflows/tagged-release.yml b/.github/workflows/tagged-release.yml
@@ -6,10 +6,15 @@ on:
     tags:
       - "v*"
 
+permissions:
+  contents: read
+
 jobs:
   tagged-release:
     name: "Tagged Release"
     runs-on: "ubuntu-latest"
+    permissions:
+      contents: write
 
     steps:
       # ...