[StepSecurity] ci: Harden GitHub Actions (#201)

2024-11-21 20:00:12 +00:00 · 2024-09-10 19:04:05 -07:00 · 2024-09-10 19:04:05 -07:00 · df49cb21f4
commit df49cb21f4
parent 36850d14da
3 changed files with 12 additions and 1 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -19,13 +19,18 @@ on:
  schedule:
    - cron: '34 18 * * 6'

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze (C/C++)
    runs-on: windows-latest
    timeout-minutes: 360
    permissions:
-      security-events: write
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
      packages: read

    steps:
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -17,6 +17,9 @@ on:
      - build/*.ps1
      - build/*.yml

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -17,6 +17,9 @@ on:
      - build/*.ps1
      - build/*.yml

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}