From d9beee93ed6fe43a319bdcc1e914b6abf5985228 Mon Sep 17 00:00:00 2001
From: Stefan Agner
Date: Fri, 24 Jun 2022 09:46:02 -0700
Subject: [PATCH] Set restrictive GitHub Action permissions (#1985)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* chore: Set permissions for GitHub actions

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

* Remove global permissions which are set implicitly

With restrictive settings in the global GitHub Action permission settings those permissions are given implicitly.

Co-authored-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Co-authored-by: Joakim Sørensen
Co-authored-by: Stefan Agner
---
 .github/workflows/dev.yml | 3 +++
 .github/workflows/release-drafter.yml | 3 +++
 .github/workflows/release.yml | 2 ++
 .github/workflows/stale.yml | 3 +++
 4 files changed, 11 insertions(+)

diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 90f6a1b23..b74208a3c 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@@ -12,6 +12,9 @@ jobs:
     if: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'run-dev-build') }}
     name: Prepare build
     runs-on: [ "ubuntu-20.04" ]
+    permissions:
+      contents: read
+      pull-requests: read
     outputs:
       version_main: ${{ steps.version_main.outputs.version_main }}
       version_dev: ${{ steps.version_dev.outputs.version_dev }}${{ steps.version_pr.outputs.version_pr }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index b4865d078..607e1d234 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
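Review bot: The new `permissions` block is attached to the `prepare` job only, and the diffstat shows these three lines are the file's whole change, so every other job in dev.yml keeps the repository-level default token permissions; the commit message says that default is relied on to be restrictive, but it is a setting outside the file and will not travel with a fork or a copy of the workflow. Declaring the baseline at workflow level, a top-level `permissions:` block with `contents: read` above `jobs:`, makes the least-privilege default explicit in the file and lets individual jobs widen only what they need; the same applies to release-drafter.yml, release.yml and stale.yml, whose hunks also add job-level grants only. The other three files annotate each grant with a `# for <action> to <purpose>` comment while `contents: read` and `pull-requests: read` here carry none; if the job checks out the repository, `contents: read # for actions/checkout` would keep the style consistent, with a similar note for why PR read access is needed. The enclosing job begins and ends outside the hunk, so its steps cannot be checked here.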
@@ -8,6 +8,9 @@ on:
 
 jobs:
   update_release_draft:
+    permissions:
+      contents: write # for release-drafter/release-drafter to create a github release
+      pull-requests: read # for release-drafter/release-drafter to read PR content and labels
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/release-drafter@v5
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f7a9f752c..501baddff 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -44,6 +44,8 @@ jobs:
             return { "board": boards }
 
   build:
+    permissions:
+      contents: write # for actions/upload-release-asset to upload release asset
     name: Release build for ${{ matrix.board.id }}
     needs: validate_release
     strategy:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3b1b31dc2..d0aae27e0 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,6 +8,9 @@ on:
 
 jobs:
   stale:
+    permissions:
+      issues: write # for actions/stale to close stale issues
+      pull-requests: write # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
       # The 90 day stale policy
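Review bot: The `contents: write` grant added to `update_release_draft` is handed to `release-drafter/release-drafter@v5`, and `v5` is a mutable tag: whoever can move that tag controls what runs with a token able to write this repository's contents. Pinning the action to a full commit SHA and keeping the tag as a comment, `uses: release-drafter/release-drafter@<commit-sha> # v5` (SHA to be looked up from the release-drafter repository), ties the widened scope to reviewed code. The `pull-requests: read` line and its comment are fine as written. The job's `steps` list continues outside the hunk.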
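Review bot: `contents: write` is granted to the whole `build` matrix job, so every step of every per-board build runs with a token that can write to the repository, although the comment says only the asset upload needs it. If the job layout allows, moving the upload into a separate job that receives the built artifact and holds `contents: write`, leaving `build` at `contents: read`, would confine the write-capable token to the one step that uses it; the job's steps are not visible in the hunk, so this is a point to check rather than a confirmed defect. The `build` job's body continues past the hunk.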