[StepSecurity] ci: Harden GitHub Actions (#506)

## Summary This pull request is created by [StepSecurity](https://app.stepsecurity.io/securerepo) at the request of @credfeto. Please merge the Pull Request to incorporate the requested changes. Please tag @credfeto on your message if you have any questions related to the PR. ## Security Fixes ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ## Feedback For bug reports, feature requests, and general feedback; please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <[email protected]>
credfeto · Oct 5, 2024 · 454a94a · 454a94a
2 parents 5f53fbc + e9c5b8e
commit 454a94a
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 0 deletions.
diff --git a/.github/workflows/approve-dependabot.yml b/.github/workflows/approve-dependabot.yml
@@ -14,6 +14,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   enable-auto-merge-github-actions:
     if: |-

diff --git a/.github/workflows/create-prs-for-stale-branches.yml b/.github/workflows/create-prs-for-stale-branches.yml
@@ -13,6 +13,9 @@ concurrency:
   group: ${{github.workflow}}-${{github.ref}}
   cancel-in-progress: false
 
+permissions:
+  contents: read
+
 jobs:
   build-matrix:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/on-pr-closed.yml b/.github/workflows/on-pr-closed.yml
@@ -5,6 +5,9 @@ on:
     types:
       - closed
 
+permissions:
+  contents: read
+
 jobs:
   cleanup-cache:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/on_new_pr.yml b/.github/workflows/on_new_pr.yml
@@ -12,6 +12,9 @@ on:
     - synchronize
     - ready_for_review
 
+permissions:
+  contents: read
+
 jobs:
   enable-auto-merge:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/update-labels.yml b/.github/workflows/update-labels.yml
@@ -12,9 +12,14 @@ concurrency:
   group: ${{github.workflow}}-${{github.ref}}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   update-labels-config:
 
+    permissions:
+      issues: write  # for crazy-max/ghaction-github-labeler to create, rename, update and delete label
     runs-on: ubuntu-latest
 
     steps: