CI: Add `permissions` to GitHub Actions
This change locks down the permissions of the access token in GitHub Actions to
only allow reading the repository contents and nothing else.
See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index de49f43..61edaeb 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -4,6 +4,9 @@
schedule:
- cron: "0 0 * * 2"
+permissions:
+ contents: read
+
jobs:
codespell:
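Review bot: The new `permissions:` block carries no comment stating its intent, so a later editor who adds a job that needs to write (a release upload, a PR comment) will see the token fail without knowing the restriction is deliberate least privilege; the identical hunks in compliance.yml, contrib.yml, coverity.yml, musl.yml, openssl-nodeprecated.yml, vtest.yml and windows.yml have the same gap. A one-line comment above `permissions:` would carry the rationale into the file, where the commit message is not visible: `# Least privilege for the default GITHUB_TOKEN: read-only checkout; a job that needs more must declare its own job-level permissions.` Note that a workflow-level block only scopes the automatic GITHUB_TOKEN — a job-level `permissions:` key replaces it for that job, so job-level blocks added later still need review — and it does not constrain any personal access token or other repository secret a job authenticates with, so those credentials deserve a separate check. The jobs governed by each block lie outside the hunks, so I cannot confirm whether any of them needs more than `contents: read`.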
diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
index 9f2bec2..fe6c271 100644
--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -5,6 +5,9 @@
schedule:
- cron: "0 0 * * 3"
+permissions:
+ contents: read
+
jobs:
h2spec:
name: h2spec
diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml
index 53f6025..93387a4 100644
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -3,6 +3,9 @@
on:
push:
+permissions:
+ contents: read
+
jobs:
build:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index fd5a0e2..b3dd5ec 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -9,6 +9,9 @@
schedule:
- cron: "0 0 * * *"
+permissions:
+ contents: read
+
jobs:
scan:
runs-on: ubuntu-latest
diff --git a/.github/workflows/musl.yml b/.github/workflows/musl.yml
index 8f69224..19d82af 100644
--- a/.github/workflows/musl.yml
+++ b/.github/workflows/musl.yml
@@ -2,6 +2,9 @@
on: [push]
+permissions:
+ contents: read
+
jobs:
musl:
name: gcc
diff --git a/.github/workflows/openssl-nodeprecated.yml b/.github/workflows/openssl-nodeprecated.yml
index 6833911..f6da382 100644
--- a/.github/workflows/openssl-nodeprecated.yml
+++ b/.github/workflows/openssl-nodeprecated.yml
@@ -14,6 +14,9 @@
schedule:
- cron: "0 0 * * 4"
+permissions:
+ contents: read
+
jobs:
test:
diff --git a/.github/workflows/vtest.yml b/.github/workflows/vtest.yml
index 1dc216e..4cdbdce 100644
--- a/.github/workflows/vtest.yml
+++ b/.github/workflows/vtest.yml
@@ -11,6 +11,9 @@
on:
push:
+permissions:
+ contents: read
+
jobs:
# The generate-matrix job generates the build matrix using JSON output
# generated by .github/matrix.py.
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index b5a198a..42bb4e8 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -11,6 +11,9 @@
on:
push:
+permissions:
+ contents: read
+
jobs:
msys2:
name: ${{ matrix.name }}