GitHub Workflows security hardening (#3751)

sashashura · web-flow · commit 770acd61bc13 · 2022-09-27T17:31:51.000+03:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,7 @@
 name: CI
 on: workflow_call
+permissions:
+  contents: read
 jobs:
   lint:
     name: Lint source files
@@ -158,6 +160,7 @@ jobs:
     name: Run CodeQL security scan
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
     steps:
       - name: Checkout repo
diff --git a/.github/workflows/cmd-publish-pr-on-npm.yml b/.github/workflows/cmd-publish-pr-on-npm.yml
@@ -10,6 +10,8 @@ on:
       npm_canary_pr_publish_token:
         description: NPM token to publish canary release.
         required: true
+permissions:
+  contents: read
 jobs:
   build-npm-dist:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/cmd-run-benchmark.yml b/.github/workflows/cmd-run-benchmark.yml
@@ -6,6 +6,9 @@ on:
         description: String that contain JSON payload for `pull_request` event.
         required: true
         type: string
+permissions:
+  contents: read # for checkout
+  actions: read # to list workflow runs
 jobs:
   benchmark:
     name: Run benchmark
diff --git a/.github/workflows/deploy-artifact-as-branch.yml b/.github/workflows/deploy-artifact-as-branch.yml
@@ -18,8 +18,11 @@ on:
         description: Commit message
         required: true
         type: string
+permissions: {}
 jobs:
   deploy-artifact-as-branch:
+    permissions:
+      contents: write # to push branch
     environment:
       name: ${{ inputs.environment }}
       url: ${{ github.server_url }}/${{ github.repository }}/tree/${{ inputs.target_branch }}
diff --git a/.github/workflows/github-actions-bot.yml b/.github/workflows/github-actions-bot.yml
@@ -21,8 +21,13 @@ env:
     * `@github-actions run-benchmark` - Run benchmark comparing base and merge commits for this PR
     * `@github-actions publish-pr-on-npm` - Build package from this PR and publish it on NPM
     </details>
+permissions: {}
 jobs:
   hello-message:
+    permissions:
+      actions: read # to download event.json
+      pull-requests: write # to add comment to pull request
+
     if: github.event_name == 'workflow_run'
     runs-on: ubuntu-latest
     steps:
@@ -49,6 +54,9 @@ jobs:
             })
 
   accept-cmd:
+    permissions:
+      pull-requests: write # to add comment to pull request
+
     if: |
       github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
@@ -95,6 +103,9 @@ jobs:
       pull_request_json: ${{ needs.accept-cmd.outputs.pull_request_json }}
 
   respond-to-cmd:
+    permissions:
+      pull-requests: write # to add comment to pull request
+
     needs:
       - accept-cmd
       - cmd-publish-pr-on-npm
diff --git a/.github/workflows/mutation-testing.yml b/.github/workflows/mutation-testing.yml
@@ -3,6 +3,10 @@ on:
   workflow_dispatch:
   schedule:
     - cron: '0 0 * * *' # run once every day at 00:00 UTC
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   lint:
     name: Run mutation testing
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -1,5 +1,6 @@
 name: Push
 on: push
+permissions: {}
 jobs:
   ci:
     uses: ./.github/workflows/ci.yml
