From cd83d2b4117ae51a19d66b605f6e2c7071cf6e6d Mon Sep 17 00:00:00 2001
From: Peter Colberg
Date: Wed, 18 Sep 2024 17:45:39 -0400
Subject: [PATCH] .github: workflows: restrict top-level workflow permissions

Only permit reading the repository contents by default, and set further privileges at the job level to satisfy OpenSSF Scorecard criteria.
Link: https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
Link: https://securityscorecards.dev/viewer/?uri=github.com/OFS/opae-sdk
Signed-off-by: Peter Colberg
---
 .github/workflows/build-debs.yml | 4 ++++
 .github/workflows/build-rpms.yml | 4 ++++
 .github/workflows/ccpp-tests.yml | 4 ++++
 .github/workflows/docker-rpm.yml | 4 ++++
 .github/workflows/no-ccpp-tests.yml | 4 ++++
 .github/workflows/no-python-analysis.yml | 4 ++++
 .github/workflows/pacsign.yml | 4 ++++
 .github/workflows/python-static-analysis.yml | 4 ++++
 .github/workflows/valgrind.yml | 3 +++
 9 files changed, 35 insertions(+)

diff --git a/.github/workflows/build-debs.yml b/.github/workflows/build-debs.yml
index 18f674a6afcf..aa7ac4b980ef 100644
--- a/.github/workflows/build-debs.yml
+++ b/.github/workflows/build-debs.yml
@@ -1,5 +1,9 @@
 name: Build DEBs
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/build-rpms.yml b/.github/workflows/build-rpms.yml
index 9bba76e09699..8a4d375c66fc 100644
--- a/.github/workflows/build-rpms.yml
+++ b/.github/workflows/build-rpms.yml
@@ -1,5 +1,9 @@
 name: Build RPMs
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/ccpp-tests.yml b/.github/workflows/ccpp-tests.yml
index e2126f622dc8..481a4a98b985 100644
--- a/.github/workflows/ccpp-tests.yml
+++ b/.github/workflows/ccpp-tests.yml
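Review bot: None of the nine hunks (build-debs.yml here, and likewise build-rpms.yml, ccpp-tests.yml, docker-rpm.yml, no-ccpp-tests.yml, no-python-analysis.yml, pacsign.yml, python-static-analysis.yml and valgrind.yml) adds a job-level `permissions:` block, although the commit message says further privileges are set at the job level; once the top-level default is reduced to `contents: read`, any job that currently relies on a write scope of the default GITHUB_TOKEN (publishing packages or posting PR comments, if these workflows do that — the job bodies are outside the hunks) will fail at run time rather than at lint time. Worth checking each workflow's jobs before merge and adding the narrowest job-scoped grant where one is actually needed, e.g. `permissions:` / `  packages: write` under that job only. The added comment pins the Scorecard docs to a specific commit, which is good for reproducibility, but a short statement of intent such as `# Least-privilege GITHUB_TOKEN: read-only by default, elevate per job` would spare readers the link lookup. Each hunk's `on:` block continues outside the hunk.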
@@ -1,5 +1,9 @@
 name: C/C++ CI Build and Test
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+ contents: read
+
 on:
 workflow_dispatch:
 push:
diff --git a/.github/workflows/docker-rpm.yml b/.github/workflows/docker-rpm.yml
index 96b407656f0c..a46565888984 100644
--- a/.github/workflows/docker-rpm.yml
+++ b/.github/workflows/docker-rpm.yml
@@ -1,5 +1,9 @@
 name: Docker Build and Review RPM
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+ contents: read
+
 on:
 push:
 branches-ignore:
diff --git a/.github/workflows/no-ccpp-tests.yml b/.github/workflows/no-ccpp-tests.yml
index 059daddd47ba..a3595d6c356e 100644
--- a/.github/workflows/no-ccpp-tests.yml
+++ b/.github/workflows/no-ccpp-tests.yml
@@ -1,5 +1,9 @@
 name: C/C++ CI Build and Test (dummy)
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+ contents: read
+
 on:
 workflow_dispatch:
 push:
diff --git a/.github/workflows/no-python-analysis.yml b/.github/workflows/no-python-analysis.yml
index daeb11fe3f44..f460a3036dd8 100644
--- a/.github/workflows/no-python-analysis.yml
+++ b/.github/workflows/no-python-analysis.yml
@@ -1,5 +1,9 @@
 name: python static analysis (dummy)
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+ contents: read
+
 on:
 workflow_dispatch:
 push:
diff --git a/.github/workflows/pacsign.yml b/.github/workflows/pacsign.yml
index d36f9edaa94e..f82426913d0b 100644
--- a/.github/workflows/pacsign.yml
+++ b/.github/workflows/pacsign.yml
@@ -1,5 +1,9 @@
 name: Python pacsign tests
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+ contents: read
+
 on:
 pull_request:
 paths:
diff --git a/.github/workflows/python-static-analysis.yml b/.github/workflows/python-static-analysis.yml
index 2cd3c68c6911..9216ad5ea284 100644
--- a/.github/workflows/python-static-analysis.yml
+++ b/.github/workflows/python-static-analysis.yml
@@ -1,5 +1,9 @@
 name: python static analysis
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+ contents: read
+
 on:
 pull_request:
 branches:
diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml
index def6700c2942..626520850453 100644
--- a/.github/workflows/valgrind.yml
+++ b/.github/workflows/valgrind.yml
@@ -1,5 +1,8 @@
 name: valgrind OPAE tests
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+ contents: read
 on:
 schedule: