CI: Restrict default permissions on GitHub Actions workflows (OSGeo#4942

)
NishantBansal2003 · Jan 14, 2025 · a01bbfa · a01bbfa
1 parent 4af7d72
commit a01bbfa
Show file tree

Hide file tree

Showing 12 changed files with 42 additions and 7 deletions.
diff --git a/.github/workflows/additional_checks.yml b/.github/workflows/additional_checks.yml
@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   additional-checks:
     name: Additional checks

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -22,8 +22,9 @@ on:
   release:
     types: [published]
 
-jobs:
+permissions: {}
 
+jobs:
   # Run for push to configured branches and all published releases.
   # Take care of different os.
   # For main branch, created tags are:
@@ -47,6 +48,10 @@ jobs:
           - ubuntu_wxgui
       fail-fast: false
 
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

diff --git a/.github/workflows/gcc.yml b/.github/workflows/gcc.yml
@@ -8,6 +8,8 @@ on:
       - releasebranch_*
   pull_request:
 
+permissions: {}
+
 jobs:
   build:
     name: ${{ matrix.c }} & ${{ matrix.cpp }}

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -14,6 +14,9 @@ env:
 concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
+
+permissions: {}
+
 jobs:
   macos_build:
     name: macOS build

diff --git a/.github/workflows/milestones.yml b/.github/workflows/milestones.yml
@@ -5,12 +5,17 @@ on:
   pull_request_target:
     types: [closed]
 
+permissions: {}
+
 jobs:
   assign-milestone:
     runs-on: ubuntu-latest
     if: github.event.pull_request.merged
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-      # Retreiving the current milestoone from API instead of github context,
+      # Retrieving the current milestone from API instead of github context,
       # so up-to-date information is used when running after being queued or for reruns
       # Otherwise, the information should be available using
       # ${{ github.event.pull_request.milestone.title }}

diff --git a/.github/workflows/osgeo4w.yml b/.github/workflows/osgeo4w.yml
@@ -8,6 +8,8 @@ on:
       - releasebranch_*
   pull_request:
 
+permissions: {}
+
 jobs:
   build:
     name: ${{ matrix.os }} build and tests

diff --git a/.github/workflows/periodic_update.yml b/.github/workflows/periodic_update.yml
@@ -10,12 +10,18 @@ on:
     # See https://crontab.guru/#32_10_*/100,1-7_*_WED
     - cron: "32 10 */100,1-7 * WED"
 
+permissions: {}
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   update-configure:
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+      pull-requests: write
+
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Create URL to the run output

diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
@@ -8,6 +8,8 @@ on:
       - releasebranch_*
   pull_request:
 
+permissions: {}
+
 jobs:
   pytest:
     concurrency:

diff --git a/.github/workflows/python-code-quality.yml b/.github/workflows/python-code-quality.yml
@@ -8,6 +8,8 @@ on:
       - releasebranch_*
   pull_request:
 
+permissions: {}
+
 jobs:
   python-checks:
     name: Python Code Quality Checks

diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -12,6 +12,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   super-linter:
     name: GitHub Super Linter

diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -10,6 +10,8 @@ on:
       - releasebranch_*
   pull_request:
 
+permissions: {}
+
 jobs:
   ubuntu:
     concurrency:

diff --git a/.github/workflows/verify-success.yml b/.github/workflows/verify-success.yml
@@ -45,34 +45,36 @@ on:
         type: string
         required: true
         # Can't escape the handlebars in the description
-        description:
+        description: >-
           In the calling job that defines all the needed jobs,
           send `toJson(needs)` inside `$` followed by `{{ }}`
       fail_if_failure:
         type: boolean
         default: true
-        description:
+        description: >-
           If true, this workflow will fail if any job from 'needs_context was
           failed
       fail_if_cancelled:
         type: boolean
         default: true
-        description:
+        description: >-
           If true, this workflow will fail if any job from 'needs_context' was
           cancelled
       fail_if_skipped:
         type: boolean
         default: false
-        description:
+        description: >-
           If true, this workflow will fail if any job from 'needs_context' was
           skipped
       require_success:
         type: boolean
         default: true
-        description:
+        description: >-
           If true, this workflow will fail if no job from 'needs_context' was
           successful
 
+permissions: {}
+
 jobs:
   verify-success:
     name: Success