Set restrictive GitHub Action permissions (#1985)

* chore: Set permissions for GitHub actions Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. * Remove global permissions which are set implicitly With restrictive settings in the global GitHub Action permission settings those permissions are given implicitly. Co-authored-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com> Co-authored-by: Joakim Sørensen <hi@ludeeus.dev> Co-authored-by: Stefan Agner <stefan@agner.ch>
2025-07-24 13:36:31 +00:00 · 2022-06-24 09:46:02 -07:00 · 2022-06-24 09:46:02 -07:00 · fb5851099e
commit fb5851099e
parent da4ba283bb
4 changed files with 11 additions and 0 deletions
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@ -12,6 +12,9 @@ jobs:
    if: ${{ github.event_name == 'workflow_dispatch' || contains(github.event.pull_request.labels.*.name, 'run-dev-build') }}
    name: Prepare build
    runs-on: [ "ubuntu-20.04" ]
+    permissions:
+      contents: read
+      pull-requests: read
    outputs:
      version_main: ${{ steps.version_main.outputs.version_main }}
      version_dev: ${{ steps.version_dev.outputs.version_dev }}${{ steps.version_pr.outputs.version_pr }}
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@ -8,6 +8,9 @@ on:

 jobs:
  update_release_draft:
+    permissions:
+      contents: write  # for release-drafter/release-drafter to create a github release
+      pull-requests: read  # for release-drafter/release-drafter to read PR content and labels
    runs-on: ubuntu-latest
    steps:
      - uses: release-drafter/release-drafter@v5
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -44,6 +44,8 @@ jobs:
            return { "board": boards }

  build:
+    permissions:
+      contents: write  # for actions/upload-release-asset to upload release asset
    name: Release build for ${{ matrix.board.id }}
    needs: validate_release
    strategy:
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -8,6 +8,9 @@ on:

 jobs:
  stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
    runs-on: ubuntu-latest
    steps:
      # The 90 day stale policy