github: restrict workflow permissions

psafont · psafont · commit b6b9295bbb9e · 2025-02-28T15:13:12.000Z
Removes all default permissions, and only adds needed permissions to the
workflows that need it.

- read contents: allows reading the repository, most workflows need this
- write contents: allows to write to the repository. Needed to create releases
- write pull-requests: allows to manipulate pull requests. Unfortunately this
  is needed to comment on PRs
- read actions: allows reading the state of actions

Signed-off-by: Pau Ruiz Safont &lt;pau.ruizsafont@cloud.com&gt;
diff --git a/.github/workflows/1.249-lcm.yml b/.github/workflows/1.249-lcm.yml
@@ -1,11 +1,16 @@
 name: Build and test (1.249-lcm, scheduled)
 
+permissions: {}
+
 on:
   schedule:
     # run every Monday, this refreshes the cache
     - cron: '13 2 * * 1'
 
 jobs:
+  permissions:
+    contents: read
+
   python-test:
     name: Python tests
     runs-on: ubuntu-20.04
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,10 +1,15 @@
 name: Generate and upload docs
 
+permissions: {}
+
 on:
   push:
     branches: master
 
 jobs:
+  permissions:
+    contents: read
+
   ocaml:
     name: Docs
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
@@ -1,5 +1,7 @@
 name: Check format
 
+permissions: {}
+
 on:
   pull_request:
     branches:
@@ -9,6 +11,9 @@ on:
   merge_group:
 
 jobs:
+  permissions:
+    contents: read
+
   ocaml-format:
     name: Ocaml files
     runs-on: ubuntu-latest
diff --git a/.github/workflows/generate-and-build-sdks.yml b/.github/workflows/generate-and-build-sdks.yml
@@ -1,5 +1,7 @@
 name: Generate and Build SDKs
 
+permissions: {}
+
 on:
   workflow_call:
     inputs:
@@ -8,6 +10,9 @@ on:
         type: string
 
 jobs:
+  permissions:
+    contents: read
+
   generate-sdk-sources:
     name: Generate SDK sources
     runs-on: ubuntu-22.04
@@ -25,7 +30,7 @@ jobs:
         run: opam exec -- make sdk
 
       # sdk-ci runs some Go unit tests.
-      # This setting ensures that SDK date time 
+      # This setting ensures that SDK date time
       # tests are run on a machine that
       # isn't using UTC
       - name: Set Timezone to Tokyo for datetime tests
@@ -120,9 +125,9 @@ jobs:
           distribution: 'temurin'
 
       # Java Tests are run at compile time.
-      # This setting ensures that SDK date time 
+      # This setting ensures that SDK date time
       # tests are run on a machine that
-      # isn't using UTC 
+      # isn't using UTC
       - name: Set Timezone to Tokyo for datetime tests
         run: |
           sudo timedatectl set-timezone Asia/Tokyo
@@ -158,7 +163,7 @@ jobs:
         # All tests builds and pipelines should
         # work on other timezones. This setting ensures that
         # SDK date time tests are run on a machine that
-        # isn't using UTC 
+        # isn't using UTC
       - name: Set Timezone to Tokyo for datetime tests
         shell: pwsh
         run: Set-TimeZone -Id "Tokyo Standard Time"
diff --git a/.github/workflows/hugo.yml b/.github/workflows/hugo.yml
@@ -1,10 +1,15 @@
 name: Generate and upload Hugo docs
 
+permissions: {}
+
 on:
   push:
     branches: master
 
 jobs:
+  permissions:
+    contents: read
+
   ocaml:
     name: Docs
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,5 +1,7 @@
 name: Build and test
 
+permissions: {}
+
 on:
   # When only Hugo docs change, this workflow is not required:
   push:
@@ -17,6 +19,9 @@ concurrency: # On new push, cancel old workflows from the same PR, branch or tag
   cancel-in-progress: true
 
 jobs:
+  permissions:
+    contents: read
+
   ocaml-tests:
     name: Run OCaml tests
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/other.yml b/.github/workflows/other.yml
@@ -1,5 +1,7 @@
 name: Build and test (other)
 
+permissions: {}
+
 on:
   # When only Hugo docs change, this workflow is not required:
   push:
@@ -17,6 +19,10 @@ concurrency: # On new push, cancel old workflows from the same PR, branch or tag
   cancel-in-progress: true
 
 jobs:
+  permissions:
+    contents: read
+    pull-requests: write # allow commenting on the PR
+
   python-test:
     name: Python tests
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,11 +1,16 @@
 name: Create release from tag
 
+permissions: {}
+
 on:
   push:
     tags:
       - "v*"
 
 jobs:
+  permissions:
+    contents: read
+
   build-python:
     name: Build and upload Python artifacts
     runs-on: ubuntu-latest
@@ -40,6 +45,9 @@ jobs:
       xapi_version: ${{ github.ref_name }}
 
   release:
+  permissions:
+    contents: write # allow creating a release
+
     name: "Create and package release"
     runs-on: ubuntu-latest
     needs: [build-python, build-sdks]
diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml
@@ -1,5 +1,7 @@
 name: ShellCheck
 
+permissions: {}
+
 on:
   pull_request:
   merge_group:
@@ -16,8 +18,11 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
+      actions: read
+      contents: read
+      pull-requests: write # allow commenting on the PR
       security-events: write
-    
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
