luo980/curl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

GHA: clarify workflows permissions, set least possible privilege

Browse Source 
Set top-level permissions to None on all workflows, setting per-job
permissions. This avoids that new jobs inherit unwanted permissions.

Discussion: https://curl.se/mail/lib-2022-11/0028.html

Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>

Closes #9928
This commit is contained in:
Diogo Teles Sant'Anna 2022-11-16 11:55:33 -03:00 committed by Daniel Stenberg
parent 8fc2423338
commit a2f5a4ca6f
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2
14 changed files with 33 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.github/workflows/appveyor-status.yml vendored
View File

@ -11,13 +11,14 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.sha }}-${{ github.event.target_url }} group: ${{ github.workflow }}-${{ github.event.sha }}-${{ github.event.target_url }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
statuses: write
jobs: jobs:
split: split:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: ${{ github.event.sender.login == 'appveyor[bot]' }} if: ${{ github.event.sender.login == 'appveyor[bot]' }}
permissions:
statuses: write
steps: steps:
- name: Create individual AppVeyor build statuses - name: Create individual AppVeyor build statuses
if: ${{ github.event.sha && github.event.target_url }} if: ${{ github.event.sha && github.event.target_url }}

5
.github/workflows/codeql-analysis.yml vendored
View File

@ -18,12 +18,13 @@ on:
concurrency: concurrency:
group: ${{ github.workflow }} group: ${{ github.workflow }}
permissions: permissions: {}
security-events: write
jobs: jobs:
codeql: codeql:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
security-events: write
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v3 uses: actions/checkout@v3

2
.github/workflows/fuzz.yml vendored
View File

@ -17,6 +17,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
fuzzing: fuzzing:
runs-on: ubuntu-latest runs-on: ubuntu-latest

9
.github/workflows/hacktoberfest-accepted.yml vendored
View File

@ -14,16 +14,17 @@ concurrency:
# this should not run in parallel, so just run one at a time # this should not run in parallel, so just run one at a time
group: ${{ github.workflow }} group: ${{ github.workflow }}
permissions: permissions: {}
# requires issues AND pull-requests write permissions to edit labels on PRs!
issues: write
pull-requests: write
jobs: jobs:
# add hacktoberfest-accepted label to PRs opened starting from September 30th # add hacktoberfest-accepted label to PRs opened starting from September 30th
# till November 1st which are closed via commit reference from master branch. # till November 1st which are closed via commit reference from master branch.
merged: merged:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
# requires issues AND pull-requests write permissions to edit labels on PRs!
issues: write
pull-requests: write
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
with: with:

2
.github/workflows/linkcheck.yml vendored
View File

@ -23,6 +23,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
# Docs: https://github.com/marketplace/actions/markdown-link-check # Docs: https://github.com/marketplace/actions/markdown-link-check
check: check:

2
.github/workflows/linux.yml vendored
View File

@ -17,6 +17,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
autotools: autotools:
name: ${{ matrix.build.name }} name: ${{ matrix.build.name }}

2
.github/workflows/macos.yml vendored
View File

@ -17,6 +17,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
autotools: autotools:
name: ${{ matrix.build.name }} name: ${{ matrix.build.name }}

2
.github/workflows/ngtcp2-gnutls.yml vendored
View File

@ -18,6 +18,8 @@ concurrency:
group: ngtcp2-gnutls-${{ github.event.pull_request.number || github.sha }} group: ngtcp2-gnutls-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
autotools: autotools:
name: ${{ matrix.build.name }} name: ${{ matrix.build.name }}

2
.github/workflows/ngtcp2-wolfssl.yml vendored
View File

@ -18,6 +18,8 @@ concurrency:
group: ngtcp2-wolfssl-${{ github.event.pull_request.number || github.sha }} group: ngtcp2-wolfssl-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
autotools: autotools:
name: ${{ matrix.build.name }} name: ${{ matrix.build.name }}

2
.github/workflows/proselint.yml vendored
View File

@ -23,6 +23,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
check: check:
runs-on: ubuntu-latest runs-on: ubuntu-latest

2
.github/workflows/reuse.yml vendored
View File

@ -18,6 +18,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
check: check:
runs-on: ubuntu-latest runs-on: ubuntu-latest

3
.github/workflows/spellcheck.yml vendored
View File

@ -21,10 +21,11 @@ on:
- '**.1' - '**.1'
- '.github/**' - '.github/**'
permissions: {}
jobs: jobs:
check: check:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2

2
.github/workflows/torture.yml vendored
View File

@ -18,6 +18,8 @@ concurrency:
group: torture-${{ github.event.pull_request.number || github.sha }} group: torture-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
autotools: autotools:
name: ${{ matrix.build.name }} name: ${{ matrix.build.name }}

2
.github/workflows/wolfssl.yml vendored
View File

@ -18,6 +18,8 @@ concurrency:
group: wolfssl-${{ github.event.pull_request.number || github.sha }} group: wolfssl-${{ github.event.pull_request.number || github.sha }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
autotools: autotools:
name: ${{ matrix.build.name }} name: ${{ matrix.build.name }}