Configure permissions of GITHUB_TOKEN in workflows

per1234 · per1234 · commit bdb66b1369db · 2023-06-23T10:17:49.000-07:00
`GITHUB_TOKEN` is an access token provided automatically by GitHub Actions. The default permissions of this token for
workflow runs in a trusted context (i.e., not triggered by a PR from a fork) are set in the enterprise/organization/
epository's administrative settings, giving it either read-only or write permissions in all scopes.

In the case of a read-only default configuration, any workflow operations that require write permissions would fail with
an error like:

&gt; 403: Resource not accessible by integration

In the case of a write default configuration, workflows have unnecessary permissions, which violates the security
principle of least privilege.

For this reason, GitHub Actions now allows fine grained control of the permissions provided to the token, which are used
here to configure the workflows for only the permissions they require in each job.

The automatic permissions downgrade from write to read for workflows triggered by events generated by a PR from a fork
is unaffected.

Even when all permissions are withheld (`permissions: {}`), the token still provides the authenticated API request rate
limiting allowance, which is a common use of the token in these workflows.

Read permissions are required in the "contents" scope in order to checkout private repositories. Even though those
permissions are not required for this public repository, the standardized "Sync Labels" workflow template is intended to
be applicable in public and private repositories both and so a small excess in permissions was chosen in order to use
the upstream template unmodified.
diff --git a/.github/workflows/compile-examples.yml b/.github/workflows/compile-examples.yml
@@ -23,6 +23,7 @@ on:
 jobs:
   compile-test:
     runs-on: ubuntu-latest
+    permissions: {}
 
     env:
       # sketch paths to compile (recursive) for all boards
diff --git a/.github/workflows/report-size-deltas.yml b/.github/workflows/report-size-deltas.yml
@@ -7,6 +7,8 @@ on:
 jobs:
   report:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
 
     steps:
       - name: Comment size deltas reports to PRs
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
@@ -24,6 +24,8 @@ env:
 jobs:
   check:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository
@@ -55,6 +57,7 @@ jobs:
   download:
     needs: check
     runs-on: ubuntu-latest
+    permissions: {}
 
     strategy:
       matrix:
@@ -81,6 +84,9 @@ jobs:
   sync:
     needs: download
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
 
     steps:
       - name: Set environment variables
