From c708961b45ec451fbe3aea8e37eae2a7791996ba Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 10 Sep 2024 19:04:20 -0700 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#473) --- .github/workflows/codeql.yml | 7 ++++++- .github/workflows/main.yml | 3 +++ .github/workflows/test.yml | 3 +++ .github/workflows/vcpkg.yml | 3 +++ 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e49199b7..359e383c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,13 +23,18 @@ on: schedule: - cron: '31 2 * * 5' +permissions: + contents: read + jobs: analyze: name: Analyze (${{ matrix.language }}) runs-on: windows-latest timeout-minutes: 360 permissions: - security-events: write + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report packages: read strategy: diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a89cc740..6dfc3f9d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -21,6 +21,9 @@ on: - build/*.targets - build/*.yml +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fb559d28..86fbf518 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,6 +21,9 @@ on: - build/*.targets - build/*.yml +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/vcpkg.yml b/.github/workflows/vcpkg.yml index 025e65fc..a3c27fe9 100644 --- a/.github/workflows/vcpkg.yml +++ b/.github/workflows/vcpkg.yml @@ -15,6 +15,9 @@ on: - LICENSE - build/* +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }}