From 0cb41f5d234a0effc104dc1dc4cc622fbb3e7475 Mon Sep 17 00:00:00 2001
From: Archie Jaskowicz
Date: Sun, 1 Oct 2023 13:35:40 +0100
Subject: [PATCH] ci: Improved security on workflows. (#903)
---
 .github/labeler.yml | 2 +-
 .github/workflows/ci.yml | 12 ++++++++++++
 .github/workflows/construct-vcpkg-info.yml | 5 +++++
 .github/workflows/docker.yml | 6 ++++++
 .github/workflows/documentation-check.yml | 3 +++
 .github/workflows/documentation.yml | 5 +++++
 .github/workflows/gitguardian.yml | 3 +++
 .github/workflows/labeler.yml | 3 +--
 .github/workflows/sitemap.yml | 5 +++++
 .github/workflows/stale.yml | 6 ++++++
 .github/workflows/target-master.yml | 5 +++++
 .github/workflows/test-docs-examples.yml | 3 +++
 12 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 3ef8f61e00..3624bdd64f 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -25,7 +25,7 @@ packaging:
 - '**Dockerfile'
 submodules:
 - '**.gitmodules'
-github_action:
+github_actions:
 - '**/.github/labeler.yml'
 - '**/.github/dependabot.yml'
 - '**/.github/workflows/**'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3738e1c987..ce2f929288 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,9 +21,13 @@ on:
 - '**ci.yml'
 - '**CMakeLists.txt'
+permissions:
+ contents: read
 jobs:
 linux-with-unit-test:
+ permissions:
+ contents: write
 concurrency:
 group: linux-build-unit-test
 cancel-in-progress: false
@@ -66,6 +70,8 @@ jobs:
 TEST_EVENT_ID: ${{secrets.TEST_EVENT_ID}}
 linux-no-unit-tests:
+ permissions:
+ contents: write
 name: Linux ${{matrix.cfg.arch}} (${{matrix.cfg.cpp-version}})
 runs-on: ${{matrix.cfg.os}}
 strategy:
@@ -116,6 +122,8 @@ jobs:
 path: '${{github.workspace}}/build/*.rpm'
 macos:
+ permissions:
+ contents: write
 name: macOS x64
 runs-on: macos-latest
 steps:
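Review bot: The `permissions: contents: write` block added to `linux-with-unit-test` (and repeated on `linux-no-unit-tests` and `macos` in the next two hunks) hands a repository-write token to exactly the jobs that compile and execute the checked-out tree, cancelling the workflow-level `contents: read` this same hunk introduces. Nothing visible in these hunks writes to the repository — the artifact upload at `path: '${{github.workspace}}/build/*.rpm'` needs no `contents` scope — and the jobs' step lists run past the hunks, so I cannot confirm a step that pushes commits, tags or release assets. Unless one exists, delete the two lines `permissions:` / `contents: write` under each build job so they inherit `contents: read`; if one job genuinely needs it, keep the override on that job only and name the step in the comment, e.g. `contents: write # <step name> uploads release assets`. Note that `linux-with-unit-test` also receives `secrets.TEST_EVENT_ID`, so a compromised build dependency in that job would hold both a secret and a write-capable token.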
@@ -141,6 +149,8 @@ jobs:
 DONT_RUN_VCPKG: true
 windows: # Windows x64 and x86 build matrix
+ permissions:
+ contents: write
 strategy:
 fail-fast: false # Don't cancel other matrix jobs if one fails
 matrix:
@@ -206,6 +216,8 @@ jobs:
 path: '${{github.workspace}}/main/build/*.zip'
 cross-compiles:
+ permissions:
+ contents: write
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/construct-vcpkg-info.yml b/.github/workflows/construct-vcpkg-info.yml
index b82c2979a8..037305b208 100644
--- a/.github/workflows/construct-vcpkg-info.yml
+++ b/.github/workflows/construct-vcpkg-info.yml
@@ -5,8 +5,13 @@ on:
 types: [published]
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 Collect-Vcpkg-Info:
+ permissions:
+ contents: write # Allow the creation of a release.
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 6b66bb6c26..8cca4127b2 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -7,8 +7,14 @@ on:
 schedule:
 - cron: '0 0 * * *'
+permissions:
+ contents: read
+
 jobs:
 docker:
+ permissions:
+ deployments: write # Docker needs to be able to deploy and package.
+ packages: write
 if: github.repository == 'brainboxdotcc/DPP'
 runs-on: ubuntu-latest
 concurrency:
diff --git a/.github/workflows/documentation-check.yml b/.github/workflows/documentation-check.yml
index 5ac216de0b..b20d89187f 100644
--- a/.github/workflows/documentation-check.yml
+++ b/.github/workflows/documentation-check.yml
@@ -12,6 +12,9 @@ on:
 files:
 - '**/documentation-check.yml'
+permissions:
+ contents: read # This only needs to read the contents of a PR.
+
 jobs:
 docs:
 name: Check Documentation Spelling
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index f405656a8b..bf5ad83417 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
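Review bot: `deployments: write` on the `docker` job is broader than an image build-and-push needs: publishing to GHCR requires only `packages: write`, while `deployments: write` additionally lets the token create GitHub Deployments and deployment statuses. The job's steps start after the hunk, so unless one of them calls the Deployments API, drop that line and reword the comment, e.g. `packages: write # push the image to GHCR`. Separately, a job-level `permissions` block replaces the workflow-level one rather than extending it, so after this change the `docker` job's token carries no `contents` scope at all; if the job checks out the repository (which a Dockerfile build presumably does), add `contents: read` to the job block explicitly rather than relying on the top-level `contents: read`. The same replace-not-merge rule applies to every job-level block in this patch.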
@@ -9,8 +9,13 @@ on:
 - '**/*.h'
 - '**/documentation.yml'
+permissions:
+ contents: read
+
 jobs:
 docs:
+ permissions:
+ contents: write # Needs to be able to write to the repo.
 name: Build Documentation
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/gitguardian.yml b/.github/workflows/gitguardian.yml
index 56bd14fd48..b5fa86419b 100644
--- a/.github/workflows/gitguardian.yml
+++ b/.github/workflows/gitguardian.yml
@@ -2,6 +2,9 @@ name: GitGuardian scan
 on: [push]
+permissions:
+ contents: read # GitGuardian only needs to read.
+
 jobs:
 scanning:
 name: GitGuardian scan
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 2a70c1b9ac..474fe553fe 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -8,8 +8,7 @@ permissions:
 jobs:
 triage:
 permissions:
- contents: read
- pull-requests: write
+ pull-requests: write # Labeler needs to be able to add labels to PRs.
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
diff --git a/.github/workflows/sitemap.yml b/.github/workflows/sitemap.yml
index baf1518ce4..d0b90e2010 100644
--- a/.github/workflows/sitemap.yml
+++ b/.github/workflows/sitemap.yml
@@ -3,8 +3,13 @@ on:
 schedule:
 - cron: '0 6 * * 6'
+permissions:
+ contents: read
+
 jobs:
 updater:
+ permissions:
+ contents: write # Needs to be able to write to the repo.
 name: Generate Sitemap
 if: github.repository == 'brainboxdotcc/DPP'
 runs-on: ubuntu-20.04
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index ecb0eed073..8a8fa631ee 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,8 +3,14 @@ on:
 schedule:
 - cron: '30 1 * * *'
+permissions:
+ contents: read # By default, only read.
+
 jobs:
 stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
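Review bot: Removing `contents: read` from the `triage` job in the labeler hunk leaves its token with no `contents` scope, because a job-level `permissions` block replaces the workflow-level set — the workflow-level `permissions:` named in the hunk header is outside the hunk, but it cannot supply the missing scope, since every scope a job block does not list becomes `none`. `actions/labeler` reads `.github/labeler.yml` through the repository contents API and its own documentation asks for `contents: read` alongside `pull-requests: write`; on a public repository the read may still succeed, on a private one it will fail. Restore the line with a reason, `contents: read # labeler reads .github/labeler.yml`, and keep `pull-requests: write` as added.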
diff --git a/.github/workflows/target-master.yml b/.github/workflows/target-master.yml
index 6e1f138cce..5871011f6a 100644
--- a/.github/workflows/target-master.yml
+++ b/.github/workflows/target-master.yml
@@ -5,8 +5,13 @@ on:
 branches:
 - 'master'
+permissions:
+ contents: read
+
 jobs:
 run:
+ permissions:
+ pull-requests: write # Needs to be able to close a PR.
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
diff --git a/.github/workflows/test-docs-examples.yml b/.github/workflows/test-docs-examples.yml
index d517d42b36..042e08d584 100644
--- a/.github/workflows/test-docs-examples.yml
+++ b/.github/workflows/test-docs-examples.yml
@@ -11,6 +11,9 @@ on:
 - '**Doxyfile'
 - '**docpages/example_code/**'
 workflow_dispatch:
+
+permissions:
+ contents: read
 jobs:
 test_docs_examples:
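Review bot: `pull-requests: write # Needs to be able to close a PR.` on the `run` job only takes effect if the event above the hunk is `pull_request_target` (or a push/schedule event): on a plain `pull_request` from a fork the GITHUB_TOKEN is read-only whatever the `permissions` block says, so a closing step would fail for precisely the external PRs a target-branch check is usually meant to catch. The event name sits above the `branches: - 'master'` lines and is outside the hunk, so please confirm which it is. If it is `pull_request_target`, the job must not check out or run code from the PR head, since the write-capable token then executes in the base repository's context; the `run` job's steps continue past the hunk. Either way, spell the assumption out in the comment, e.g. `pull-requests: write # close PRs opened against master (needs pull_request_target for fork PRs)`.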