build: harden GitHub workflow permissions

Grant pull-requests write permission to the labeler workflow and read-only to everything else. Signed-off-by: Alex Low <[email protected]> [ wrap to 80 columns and fix wrong author as requested by author itself ] Signed-off-by: Christian Marangi <[email protected]>
rsalvaterra · Sep 19, 2022 · 7152599 · 7152599
1 parent 412fcf3
commit 7152599
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 0 deletions.
diff --git a/.github/workflows/formal.yml b/.github/workflows/formal.yml
@@ -3,6 +3,9 @@ name: Test Formalities
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Test Formalities

diff --git a/.github/workflows/kernel.yml b/.github/workflows/kernel.yml
@@ -7,6 +7,10 @@ on:
       - 'include/kernel-*'
       - 'package/kernel/**'
       - 'target/linux/generic/**'
+
+permissions:
+  contents: read
+
 jobs:
   determine_targets:
     name: Set targets

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -2,8 +2,15 @@ name: 'Pull Request Labeler'
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   labeler:
+    permissions:
+      contents: read # to determine modified files (actions/labeler)
+      pull-requests: write # to add labels to PRs (actions/labeler)
+
     name: Pull Request Labeler
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml
@@ -6,6 +6,9 @@ on:
       - 'tools/**'
       - '.github/workflows/tools.yml'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: tools-${{ matrix.os }}