From 3c5f942902de94c7ddc82579027ef342ab14f29f Mon Sep 17 00:00:00 2001 From: naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Tue, 28 Jun 2022 00:30:56 +0000 Subject: [PATCH 1/2] chore: Set permissions for GitHub actions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
--- .github/workflows/ci.yaml | 2 ++ .github/workflows/cla.yml | 3 +++ .github/workflows/language-reference.yaml | 6 ++++++ .github/workflows/releases.yml | 3 +++ .github/workflows/scaladoc.yaml | 3 +++ 5 files changed, 17 insertions(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1b4715146d5c..dcae935b2ef1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -608,6 +608,8 @@ jobs: run: .github/workflows/scripts/triggerUnmanagedCommunityBuild.sh "${{ secrets.BUILD_TOKEN }}" "$THISBUILD_VERSION" publish_release: + permissions: + contents: write # for actions/create-release to create a release runs-on: [self-hosted, Linux] container: image: lampepfl/dotty:2021-03-22
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index ebe65dfc3cde..342e3bd53d0f 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
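Review bot: The ci.yaml hunk scopes `contents: write` to `publish_release` only, but unlike the other four workflows in this patch ci.yaml gets no workflow-level `permissions:` block, so every other job in it (including the one running triggerUnmanagedCommunityBuild.sh just above the hunk) keeps the repository-default token scope instead of `contents: read`. Only this one hunk near line 608 is visible, so a top-level block may already exist at the head of the file; if it does not, adding `permissions:` / `contents: read` at workflow level, as releases.yml and scaladoc.yaml do in this same patch, would make the least-privilege default apply here too. The `# for actions/create-release to create a release` comment is the right form for a grant; keeping that `# for <action> to <verb>` style on every job-level write makes later permission audits straightforward.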
@@ -4,6 +4,9 @@ on: push: branches: - 'language-reference-backport' +permissions: + contents: read + jobs: check: runs-on: ubuntu-latest
diff --git a/.github/workflows/language-reference.yaml b/.github/workflows/language-reference.yaml
index 6aeb174738a2..58025c7e7993 100644
--- a/.github/workflows/language-reference.yaml
+++ b/.github/workflows/language-reference.yaml
@@ -9,8 +9,14 @@ on: - 'language-reference-stable' workflow_dispatch: +permissions: + contents: read + jobs: build-and-push: + permissions: + contents: write # for Git to git push + pull-requests: write # for peter-evans/create-pull-request to create a PR runs-on: ubuntu-latest steps: - name: Get current date
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
index 820843778428..7420b2e2c621 100644
--- a/.github/workflows/releases.yml
+++ b/.github/workflows/releases.yml
@@ -2,6 +2,9 @@ name: Releases on: workflow_dispatch: +permissions: + contents: read + jobs: publish_release: runs-on: [self-hosted, Linux]
diff --git a/.github/workflows/scaladoc.yaml b/.github/workflows/scaladoc.yaml
index eb2da5c363ae..d5135aed3483 100644
--- a/.github/workflows/scaladoc.yaml
+++ b/.github/workflows/scaladoc.yaml
@@ -7,6 +7,9 @@ on: pull_request: branches-ignore: - 'language-reference-stable' +permissions: + contents: read + jobs: build: env: From 1d9559adf0bb507899c181c0c052b0cc1ee75463 Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Mon, 4 Jul 2022 12:33:35 -0500 Subject: [PATCH 2/2] Update cla.yml
--- .github/workflows/cla.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 342e3bd53d0f..175841b8edfa 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -5,7 +5,8 @@ on: branches: - 'language-reference-backport' permissions: - contents: read + contents: write + pull-requests: write jobs: check:
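Review bot: releases.yml now pins the whole workflow to `contents: read`, yet its `publish_release` job receives no job-level grant, whereas the same-named job in ci.yaml is given `contents: write # for actions/create-release to create a release` by this very patch; if the releases.yml job also creates a release or pushes tags with GITHUB_TOKEN, the read-only token will be rejected. The job's steps lie outside the hunk, so this needs confirming against the file; if it does publish, add `permissions:` / `contents: write` under `publish_release:` with the same explanatory comment ci.yaml uses. The same check applies to scaladoc.yaml's `build` job, whose steps are likewise outside its hunk: a step that pushes generated docs to a branch or to Pages with GITHUB_TOKEN needs a job-level write grant, and if no step writes, the new `contents: read` default is exactly right.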
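Review bot: Patch 2 widens cla.yml's workflow-level block to `contents: write` and `pull-requests: write`, which is broader than the pattern patch 1 establishes in language-reference.yaml (read at the top, write only on the job that needs it); with a single `check` job the token is the same today, but any job added to this file later inherits write access silently. Moving the two grants under `check:` as `permissions:` / `contents: write` / `pull-requests: write` and restoring `contents: read` at the top keeps the default least-privileged. Neither the commit message nor the hunk says which step needs `contents: write` for a CLA check; a trailing `# for <action> to <verb>` comment in the style of the other grants would record that, and the `on:` block governing this token begins above the hunk, so the full trigger list is not visible here.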