Merge branch 'lukas/gh/maint-26' into maint-26

* lukas/gh/maint-26: gh: Limit scope of GITHUB_TOKEN and only use permissions where needed github: add OSV automated vulnerability checking
erlang · Nov 13, 2024 · 1e0c517 · 1e0c517
2 parents 57f154f + 58b45f2
commit 1e0c517
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 7 deletions.
diff --git a/.github/workflows/actions-updater.yaml b/.github/workflows/actions-updater.yaml
@@ -7,6 +7,9 @@ on:
     # Automatically run on every Sunday
     - cron:  '0 0 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -30,6 +30,9 @@ env:
     ## Equivalent to github.event_name == 'pull_request' ? github.base_ref : github.ref_name
     BASE_BRANCH: ${{ github.event_name == 'pull_request' && github.base_ref || github.ref_name }}
 
+permissions:
+  contents: read
+
 jobs:
 
   pack:

diff --git a/.github/workflows/osv-scanner-scheduled.yml b/.github/workflows/osv-scanner-scheduled.yml
@@ -10,12 +10,6 @@ on:
     - cron: 0 1 * * *
 
 permissions:
-  # Required to upload SARIF file to CodeQL.
-  # See: https://github.com/github/codeql-action/issues/2117
-  actions: read
-  # Require writing security events to upload SARIF file to security tab
-  security-events: write
-  # Only need to read contents
   contents: read
 
 jobs:
@@ -72,4 +66,12 @@ jobs:
     # run-scheduled-scan triggers this job
     # PRs and pushes trigger this job
     if: github.event_name != 'schedule'
+    permissions:
+        # Required to upload SARIF file to CodeQL.
+        # See: https://github.com/github/codeql-action/issues/2117
+        actions: read
+        # Require writing security events to upload SARIF file to security tab
+        security-events: write
+        # Only needs to read contents
+        contents: read
     uses: "google/osv-scanner-action/.github/workflows/[email protected]"
diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml
@@ -12,6 +12,9 @@ on:
 # Limit concurrency so that we don't get any races between parallel actions
 concurrency: pr-comment
 
+permissions:
+  contents: read
+
 jobs:
   pr-number:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/sync-github-prs.yaml b/.github/workflows/sync-github-prs.yaml
@@ -7,6 +7,9 @@ on:
   ## In UTC
   - cron: '0 */4 * * *'
 
+permissions:
+  contents: read
+
 jobs:
 
   sync-prs:

diff --git a/.github/workflows/sync-github-releases.yaml b/.github/workflows/sync-github-releases.yaml
@@ -9,7 +9,7 @@ on:
 
 ## Needed to create releases
 permissions:
-  contents: write
+  contents: read
 
 ## Build base images to be used by other github workflows
 jobs:
@@ -18,6 +18,9 @@ jobs:
     if: github.repository == 'erlang/otp'
     concurrency: sync-github-releases
     runs-on: ubuntu-latest
+    permissions:
+        ## Needed to create releases
+        contents: write
     steps:
       - uses: actions/[email protected]
       ## We need to login to the package registry in order to pull

diff --git a/.github/workflows/update-base.yaml b/.github/workflows/update-base.yaml
@@ -7,6 +7,9 @@ on:
   ## In UTC
   - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 ## Build base images to be used by other github workflows
 jobs: