From 1667a668565562bf2f68ab722b7ef4ad3f08863a Mon Sep 17 00:00:00 2001 From: Alex Date: Sat, 24 Sep 2022 08:52:44 +0200 Subject: [PATCH 1/6] build: harden build.yml permissions Signed-off-by: Alex --- .github/workflows/build.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f01cdf4c..fde834d7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -14,6 +14,9 @@ on: env: DOCKERHUB_SLUG: distribution/distribution +permissions: + contents: read # to fetch code (actions/checkout) + jobs: test: runs-on: ubuntu-latest @@ -43,6 +46,9 @@ jobs: directory: ./ build: + permissions: + contents: write # to create GitHub release (softprops/action-gh-release) + runs-on: ubuntu-latest needs: - test From feaa75c5291559059b516d8cd976174558cc06d9 Mon Sep 17 00:00:00 2001 From: Alex Date: Sat, 24 Sep 2022 08:52:57 +0200 Subject: [PATCH 2/6] build: harden validate.yml permissions Signed-off-by: Alex --- .github/workflows/validate.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 73e953af..dd0b9845 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -9,6 +9,9 @@ on: - 'v*' pull_request: +permissions: + contents: read # to fetch code (actions/checkout) + jobs: validate: runs-on: ubuntu-latest From 1ca9af0184327ef6ae55e529e54be22e6a90501b Mon Sep 17 00:00:00 2001 From: Alex Date: Sat, 24 Sep 2022 08:53:15 +0200 Subject: [PATCH 3/6] build: harden fossa.yml permissions Signed-off-by: Alex --- .github/workflows/fossa.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 56cb3faa..c1432fa0 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -4,6 +4,9 @@ on: - pull_request - push +permissions: + contents: read # to fetch code (actions/checkout) + jobs: scan-license: runs-on: ubuntu-latest 
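Review bot: The job-level `permissions` block added to the `build` job in the second build.yml hunk replaces the workflow-level block entirely rather than extending it, and its `contents: write` applies to every step of that job, not only the release step; the job's steps lie outside the hunk, so I cannot see which other actions (presumably the Docker build/push steps implied by `DOCKERHUB_SLUG`) also run with that write-capable token. The scope itself is the minimum softprops/action-gh-release needs, so the choice is right, but the comment should make the override explicit: `contents: write # to create GitHub release (softprops/action-gh-release); overrides the workflow-level read for every step in this job`. If the release step can be moved into a separate job that `needs: build` and consumes the built artifacts, the build and push steps would keep the read-only token granted in the first hunk. The same workflow-level `contents: read` pattern is repeated in the validate.yml, fossa.yml, conformance.yml and e2e.yml hunks, and as far as those hunks show no job there needs more than read, so they need no further change.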
From c26fe145ca6693d91b4759e3f15ee487a27aed3c Mon Sep 17 00:00:00 2001 From: Alex Date: Sat, 24 Sep 2022 08:56:30 +0200 Subject: [PATCH 4/6] build: harden conformance.yml permissions Signed-off-by: Alex --- .github/workflows/conformance.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 904a5bd7..c28026a4 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -4,6 +4,9 @@ on: pull_request: push: +permissions: + contents: read # to fetch code (actions/checkout) + jobs: run-conformance-test: runs-on: ubuntu-latest From e09a9f2dc2750caa4deb6e98e0204337327fdf87 Mon Sep 17 00:00:00 2001 From: Alex Date: Sat, 24 Sep 2022 08:56:40 +0200 Subject: [PATCH 5/6] build: harden e2e.yml permissions Signed-off-by: Alex --- .github/workflows/e2e.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 0b3c67fe..400777a8 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -8,6 +8,9 @@ on: branches: - main +permissions: + contents: read # to fetch code (actions/checkout) + jobs: run-e2e-test: runs-on: ubuntu-latest From 10975deab8078629492cebfe7e177256652eabd0 Mon Sep 17 00:00:00 2001 From: Alex Date: Sat, 24 Sep 2022 08:57:02 +0200 Subject: [PATCH 6/6] build: harden codeql-analysis.yml permissions Signed-off-by: Alex --- .github/workflows/codeql-analysis.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6155a3fe..98b4c4ef 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -20,8 +20,15 @@ on: schedule: - cron: '41 13 * * 1' +permissions: + contents: read # to fetch code (actions/checkout) + jobs: analyze: + permissions: + contents: read # to fetch code (actions/checkout) + security-events: write # to upload SARIF results (github/codeql-action/analyze) + name: Analyze runs-on: ubuntu-latest