From 43b185e1c1b011792770ebcacdc68ca7d58ee291 Mon Sep 17 00:00:00 2001
From: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Date: Mon, 4 Jul 2022 01:19:58 +0000
Subject: [PATCH] chore: Set permissions for GitHub actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
- Included permissions for the action.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
---
 .github/workflows/lint.yml | 3 +++
 .github/workflows/release-drafter.yml | 6 ++++++
 .github/workflows/test-cygwin.yml | 2 ++
 .github/workflows/test-docker.yml | 5 +++++
 .github/workflows/test-mingw.yml | 5 +++++
 .github/workflows/test-valgrind.yml | 3 +++
 .github/workflows/test-windows.yml | 5 +++++
 .github/workflows/test.yml | 5 +++++
 .github/workflows/tidelift.yml | 3 +++
 9 files changed, 37 insertions(+)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4540fb5af..527f26d35 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -2,6 +2,9 @@ name: Lint on: [push, pull_request, workflow_dispatch] +permissions: + contents: read + jobs: build:
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index ad66117b1..7ee76c4ac 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -7,8 +7,14 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: update_release_draft: + permissions: + contents: write # for release-drafter/release-drafter to create a github release + pull-requests: write # for release-drafter/release-drafter to add label to PR if: github.repository == 'python-pillow/Pillow' runs-on: ubuntu-latest steps:
diff --git a/.github/workflows/test-cygwin.yml b/.github/workflows/test-cygwin.yml
index 2e8fc9c09..417b1f212 100644
--- a/.github/workflows/test-cygwin.yml
+++ b/.github/workflows/test-cygwin.yml
@@ -99,6 +99,8 @@ jobs: name: Cygwin Python 3.${{ matrix.python-minor-version }} success: + permissions: + contents: none needs: build runs-on: ubuntu-latest name: Cygwin Test Successful
diff --git a/.github/workflows/test-docker.yml b/.github/workflows/test-docker.yml
index 2b4dc6b52..a78972607 100644
--- a/.github/workflows/test-docker.yml
+++ b/.github/workflows/test-docker.yml
@@ -2,6 +2,9 @@ name: Test Docker on: [push, pull_request, workflow_dispatch] +permissions: + contents: read + jobs: build:
@@ -82,6 +85,8 @@ jobs: name: ${{ matrix.docker }} success: + permissions: + contents: none needs: build runs-on: ubuntu-latest name: Docker Test Successful
diff --git a/.github/workflows/test-mingw.yml b/.github/workflows/test-mingw.yml
index 7b5cc8a97..7ddb71e1f 100644
--- a/.github/workflows/test-mingw.yml
+++ b/.github/workflows/test-mingw.yml
@@ -2,6 +2,9 @@ name: Test MinGW on: [push, pull_request, workflow_dispatch] +permissions: + contents: read + jobs: build: runs-on: windows-latest
@@ -77,6 +80,8 @@ jobs: CODECOV_NAME: ${{ matrix.name }} success: + permissions: + contents: none needs: build runs-on: ubuntu-latest name: MinGW Test Successful
diff --git a/.github/workflows/test-valgrind.yml b/.github/workflows/test-valgrind.yml
index 21a2b469e..013e5ca4a 100644
--- a/.github/workflows/test-valgrind.yml
+++ b/.github/workflows/test-valgrind.yml
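Review bot: The job-level `permissions` block added to `update_release_draft` replaces the workflow-level `contents: read` rather than extending it, so every scope not listed there drops to `none`; that is the intended result, but it is worth recording so a later editor does not "add back" read access at the job level believing it was lost. Because this job now holds `contents: write` and `pull-requests: write` on every push to `main`, the release-drafter step it runs is the one place in this patch where a compromised or mutable action reference could still write to the repository; the `steps:` list continues outside the hunk, so please confirm there that the action is pinned to a full commit SHA rather than a tag, which is the complementary control the Scorecard checks page linked in the commit message also covers. A wording nit in the new inline comment: `# for release-drafter/release-drafter to create a github release` should read `GitHub release`.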
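Review bot: test-cygwin.yml is the only workflow in this patch that receives no workflow-level `permissions:` block — the diffstat lists 2 insertions for it and its single hunk only sets `contents: none` on the `success` job — so its `build` job keeps whatever default `GITHUB_TOKEN` permissions the repository grants, which may still be read-write, unless the file already declares a top-level block above line 99 that the hunk does not show. The other test workflows touched here (test-docker.yml, test-mingw.yml, test-windows.yml, test.yml) all pair the job-level `contents: none` with a workflow-level `contents: read`, and the commit message's stated goal applies equally to the Cygwin build. Adding the same two lines after the `on:` block at the top of test-cygwin.yml, `permissions:` / `  contents: read`, brings it in line; the `build` job itself starts above this hunk, and `needs: build` through `name: Cygwin Test Successful` are unchanged context.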
@@ -13,6 +13,9 @@ on: - "**.h" workflow_dispatch: +permissions: + contents: read + jobs: build:
diff --git a/.github/workflows/test-windows.yml b/.github/workflows/test-windows.yml
index 358461b38..b9accfdf9 100644
--- a/.github/workflows/test-windows.yml
+++ b/.github/workflows/test-windows.yml
@@ -2,6 +2,9 @@ name: Test Windows on: [push, pull_request, workflow_dispatch] +permissions: + contents: read + jobs: build: runs-on: windows-latest
@@ -189,6 +192,8 @@ jobs: path: dist\*.whl success: + permissions: + contents: none needs: build runs-on: ubuntu-latest name: Windows Test Successful
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d41f4b571..5614ad5f2 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,6 +2,9 @@ name: Test on: [push, pull_request, workflow_dispatch] +permissions: + contents: read + jobs: build:
@@ -109,6 +112,8 @@ jobs: CODECOV_NAME: ${{ matrix.os }} Python ${{ matrix.python-version }} success: + permissions: + contents: none needs: build runs-on: ubuntu-latest name: Test Successful
diff --git a/.github/workflows/tidelift.yml b/.github/workflows/tidelift.yml
index 9a3192f9d..c73f25431 100644
--- a/.github/workflows/tidelift.yml
+++ b/.github/workflows/tidelift.yml
@@ -12,6 +12,9 @@ on: - ".github/workflows/tidelift.yml" workflow_dispatch: +permissions: + contents: read + jobs: build: if: github.repository_owner == 'python-pillow'