add permissions (restrictions) to GitHub actions

follow principle of least privilege
fohrloop · Jan 22, 2024 · efb981d · efb981d
1 parent 7640071
commit efb981d
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 0 deletions.
diff --git a/.github/workflows/tests-linux.yml b/.github/workflows/tests-linux.yml
@@ -4,6 +4,22 @@ name: Run tests (Linux)
 'on':  
   [workflow_dispatch]
 
+# See: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+permissions:
+  actions: write
+  checks: none
+  contents: read
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: read
+  statuses: none
+
 # Cancel in-progress jobs/runs for the same workflow; if you push to same
 # pull request twice, the previous workflow should be canceled.
 # From: https://docs.github.com/en/actions/using-jobs/using-concurrency#example-only-cancel-in-progress-jobs-or-runs-for-the-current-workflow

diff --git a/.github/workflows/tests-mac.yml b/.github/workflows/tests-mac.yml
@@ -4,6 +4,22 @@ name: Run tests (Mac)
 on:  
   [workflow_dispatch]
 
+# See: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+permissions:
+  actions: write
+  checks: none
+  contents: read
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: read
+  statuses: none
+
 # Cancel in-progress jobs/runs for the same workflow; if you push to same
 # pull request twice, the previous workflow should be canceled.
 # From: https://docs.github.com/en/actions/using-jobs/using-concurrency#example-only-cancel-in-progress-jobs-or-runs-for-the-current-workflow

diff --git a/.github/workflows/tests-win.yml b/.github/workflows/tests-win.yml
@@ -4,6 +4,22 @@ name: Run tests (Win)
 on:  
   [workflow_dispatch]
 
+# See: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+permissions:
+  actions: write
+  checks: none
+  contents: read
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: read
+  statuses: none
+
 # Cancel in-progress jobs/runs for the same workflow; if you push to same
 # pull request twice, the previous workflow should be canceled.
 # From: https://docs.github.com/en/actions/using-jobs/using-concurrency#example-only-cancel-in-progress-jobs-or-runs-for-the-current-workflow