workflows: Fix security issues

read-all permissions gives access to e.g. security-events, which these don't need, and can easily lead to leaks Co-Authored-By: 13x1 <[email protected]> Co-Authored-By: basti564 <[email protected]>
khaneliman · Oct 26, 2024 · 6b8ce4a · 6b8ce4a
1 parent 59aee1c
commit 6b8ce4a
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 4 deletions.
diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
@@ -24,6 +24,9 @@ on:
   pull_request_target:
     types: [opened, ready_for_review, synchronize, reopened, edited]
 
+# We don't need any default GitHub token
+permissions: {}
+
 env:
   OWNERS_FILE: ci/OWNERS
   # Don't do anything on draft PRs

diff --git a/.github/workflows/editorconfig.yml b/.github/workflows/editorconfig.yml
@@ -1,6 +1,8 @@
 name: "Checking EditorConfig"
 
-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read
 
 on:
   # avoids approving first time contributors

diff --git a/.github/workflows/manual-nixos.yml b/.github/workflows/manual-nixos.yml
@@ -1,6 +1,7 @@
 name: "Build NixOS manual"
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request_target:

diff --git a/.github/workflows/manual-nixpkgs.yml b/.github/workflows/manual-nixpkgs.yml
@@ -1,6 +1,7 @@
 name: "Build Nixpkgs manual"
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request_target:

diff --git a/.github/workflows/nix-parse.yml b/.github/workflows/nix-parse.yml
@@ -1,6 +1,8 @@
 name: "Check whether nix files are parseable"
 
-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read
 
 on:
   # avoids approving first time contributors