[StepSecurity] ci: Restrict token permissions to harden GitHub Actions (

#2483) * Restrict token permissions as identified by https://app.stepsecurity.io/. Signed-off-by: StepSecurity Bot <[email protected]>
scikit-hep · May 25, 2024 · cdd404a · cdd404a
1 parent e6e6647
commit cdd404a
Show file tree

Hide file tree

Showing 12 changed files with 45 additions and 0 deletions.
diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
@@ -33,8 +33,13 @@ on:
         description: 'Perform a dry run to check'
         default: true
 
+permissions:
+  contents: read
+
 jobs:
   bump-version:
+    permissions:
+      contents: write  # for Git to git push
     runs-on: ubuntu-latest
     if: github.repository == 'scikit-hep/pyhf'
 

diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
 

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,6 +15,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
 

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -15,8 +15,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
+    permissions:
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/analyze to upload SARIF results
     name: Analyze
     runs-on: ubuntu-latest
 

diff --git a/.github/workflows/dependencies-head.yml b/.github/workflows/dependencies-head.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   release-candidates:
 

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -19,6 +19,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     name: Build, test, and publish Docker images to Docker Hub

diff --git a/.github/workflows/lower-bound-requirements.yml b/.github/workflows/lower-bound-requirements.yml
@@ -6,6 +6,9 @@ on:
   - cron:  '1 0 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   test:
 

diff --git a/.github/workflows/merged.yml b/.github/workflows/merged.yml
@@ -5,6 +5,9 @@ on:
     types: [closed]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   binder:
     name: Trigger Binder build

diff --git a/.github/workflows/notebooks.yml b/.github/workflows/notebooks.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   test:
 

diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
@@ -25,6 +25,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build Python distribution

diff --git a/.github/workflows/release_tests.yml b/.github/workflows/release_tests.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   pypi_release:

diff --git a/.github/workflows/semantic-pr-check.yml b/.github/workflows/semantic-pr-check.yml
@@ -11,9 +11,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   main:
 
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
     name: Validate PR title
     runs-on: ubuntu-latest