common: harden GitHub Actions

.github/workflows/docker_rebuild.yml

@@ -23,6 +23,8 @@ env:
   WORKDIR:     utils/docker
   PUSH_IMAGE:  1
 
+permissions: {}
+
 jobs:
   image:
     if: github.repository == 'pmem/pmdk'

.github/workflows/main.yml

@@ -5,6 +5,8 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions: {}
+
 jobs:
   src_checkers:
     name: Source checkers

.github/workflows/nightly.yml

@@ -19,6 +19,8 @@ env:
   PMDK_CXX:       g++
   SRC_CHECKERS:   0
 
+permissions: {}
+
 jobs:
   in-tree:
     name: In-tree

.github/workflows/pmem_benchmark.yml

@@ -10,13 +10,12 @@ on:
         type: string
         default: master
 
+permissions: {}
 
 jobs:
   prep_runtime:
     name: Prepare runtime
     runs-on: [self-hosted, benchmark]
-    permissions:
-      contents: read
     steps:
       - name: Clone the git repo
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -38,8 +37,6 @@ jobs:
             GITHUB_REF: ${{ inputs.reference_ref }}
           - ROLE: rival
             GITHUB_REF: ${{ inputs.rival_ref }}
-    permissions:
-      contents: read
     env:
       MANIFEST: ${{ matrix.ROLE }}/manifest.txt
     steps:

.github/workflows/pmem_ras.yml

@@ -30,6 +30,8 @@ on:
     # run this job every 8 hours
     - cron:  '0 */8 * * *'
 
+permissions: {}
+
 jobs:
   linux:
     name: PMEM_RAS

.github/workflows/pmem_test_matrix.yml

@@ -17,6 +17,8 @@ on:
         type: number
         default: 360 # The jobs.<job_id>.timeout-minutes default.
 
+permissions: {}
+
 jobs:
   job:
     name: ${{ matrix.force_enable }}, ${{ matrix.test_script }}, ${{ matrix.os }}, ${{ matrix.build }}

.github/workflows/pmem_tests.yml

@@ -9,6 +9,8 @@ on:
     # run this job at 18:00 UTC every day
     - cron:  '0 18 * * *'
 
+permissions: {}
+
 jobs:
   # Test the default build with the basic test suite.
   Basic:

.github/workflows/scan_bandit.yml

@@ -9,6 +9,8 @@ env:
   PMREORDER: src/tools/pmreorder/*.py
   CALL_STACKS_ANALYSIS: utils/call_stacks_analysis/*.py
 
+permissions: {}
+
 jobs:
   bandit:
     name: Bandit

.github/workflows/scan_codeql.yml

@@ -4,14 +4,15 @@ name: CodeQL
 on:
   workflow_call:
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   codeql:
     name: CodeQL
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
 
     steps:
     - name: Clone the git repo

.github/workflows/scan_coverage.yml

@@ -24,6 +24,8 @@ env:
   TEST_BUILD:   debug
   FAULT_INJECTION: 1
 
+permissions: {}
+
 jobs:
   linux:
     name: Linux

.github/workflows/scan_coverity.yml

@@ -21,6 +21,8 @@ env:
   VALGRIND:     1
   COVERITY:     1
 
+permissions: {}
+
 jobs:
   linux:
     name: Linux

.github/workflows/scan_documentation.yml

@@ -4,6 +4,8 @@ name: Documentation
 on:
   workflow_call:
 
+permissions: {}
+
 jobs:
   linux:
     name: Documentation

.github/workflows/scan_log_calls.yml

@@ -5,6 +5,7 @@ on:
   workflow_dispatch:
   workflow_call:
 
+permissions: {}
 
 jobs:
   log-calls:

.github/workflows/scan_stack_usage.yml

@@ -8,6 +8,8 @@ on:
 env:
   CALL_STACKS_TOOLS_PATH: pmdk/utils/call_stacks_analysis
 
+permissions: {}
+
 jobs:
   stack-usage:
     name: Stack usage

.github/workflows/scan_ubsan.yml

@@ -18,6 +18,8 @@ env:
   UBSAN:        1
   FAULT_INJECTION: 1
 
+permissions: {}
+
 jobs:
   linux:
     name: Linux

.github/workflows/scans.yml

@@ -7,13 +7,19 @@ on:
     # run this job at 00:00 UTC every day
     - cron:  '0 0 * * *'
 
+permissions: {}
+
 jobs:
   call-bandit:
     uses: ./.github/workflows/scan_bandit.yml
     name: Bandit
   call-codeql:
     uses: ./.github/workflows/scan_codeql.yml
     name: CodeQL
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
   call-coverity:
     uses: ./.github/workflows/scan_coverity.yml
     secrets:

.github/workflows/ubuntu.yml

@@ -8,6 +8,8 @@ env:
   GITHUB_REPO: pmem/pmdk
   DOCKER_REPO: ghcr.io/pmem/pmdk
 
+permissions: {}
+
 jobs:
   linux:
     name: Linux