From 274319a790ad6b7321ab98b0f64ee2ea1d143259 Mon Sep 17 00:00:00 2001 From: nathannaveen <42319948+nathannaveen@users.noreply.github.com> Date: Sat, 25 Jun 2022 02:23:58 -0500 Subject: [PATCH] chore: Set permissions for GitHub actions (#12354) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com> --- .github/workflows/check-docs.yml | 3 +++ .github/workflows/cosmovisor-release.yml | 5 +++++ .github/workflows/deploy-docs.yml | 5 +++++ .github/workflows/labeler.yml | 6 ++++++ .github/workflows/lint-pr.yml | 6 ++++++ .github/workflows/lint.yml | 5 +++++ .github/workflows/proto.yml | 3 +++ .github/workflows/release-sims.yml | 3 +++ .github/workflows/release.yml | 5 +++++ .github/workflows/sims-045.yml | 7 +++++++ .github/workflows/sims-046.yml | 7 +++++++ .github/workflows/sims.yml | 8 ++++++++ .github/workflows/stale.yml | 6 ++++++ 13 files changed, 69 insertions(+) diff --git a/.github/workflows/check-docs.yml b/.github/workflows/check-docs.yml index 1089ae9361d5..427257ecc067 100644 --- a/.github/workflows/check-docs.yml +++ b/.github/workflows/check-docs.yml @@ -7,6 +7,9 @@ on: paths: - "docs/**" +permissions: + contents: read + jobs: check-docs-build: if: ${{ github.event.label.name == 'docs' }} 
diff --git a/.github/workflows/cosmovisor-release.yml b/.github/workflows/cosmovisor-release.yml index cde0cc59c339..93d5b23c7554 100644 --- a/.github/workflows/cosmovisor-release.yml +++ b/.github/workflows/cosmovisor-release.yml @@ -4,8 +4,13 @@ on: push: tags: - "cosmovisor/v*.*.*" +permissions: + contents: read + jobs: goreleaser: + permissions: + contents: write # for goreleaser/goreleaser-action to create a GitHub release runs-on: buildjet-4vcpu-ubuntu-2004 steps: - uses: actions/checkout@v3 diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml index 68b3b4e72fcc..722bc4311535 100644 --- a/.github/workflows/deploy-docs.yml +++ b/.github/workflows/deploy-docs.yml @@ -9,8 +9,13 @@ on: - "docs/**" - "x/**/*.md" +permissions: + contents: read + jobs: build-and-deploy: + permissions: + contents: write # for JamesIves/github-pages-deploy-action to push changes in repo runs-on: ubuntu-latest container: image: tendermintdev/docker-website-deployment diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 2f40ea5d36b6..2d9b4acec711 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -2,8 +2,14 @@ name: "Pull Request Labeler" on: - pull_request_target +permissions: + contents: read + jobs: labeler: + permissions: + contents: read # for actions/labeler to determine modified files + pull-requests: write # for actions/labeler to add labels to PRs runs-on: ubuntu-latest steps: - uses: actions/labeler@main diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml index 17b1a410dc5e..86949cb84fdc 100644 --- a/.github/workflows/lint-pr.yml +++ b/.github/workflows/lint-pr.yml 
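Review bot: The `contents: write` token granted to `build-and-deploy` is exposed inside the `tendermintdev/docker-website-deployment` container, which the `container: image:` line references with no tag or digest, so whatever that image resolves to at run time can push to the repository with it. Pinning the image by digest, e.g. `image: tendermintdev/docker-website-deployment@sha256:<digest>` (placeholder), keeps the write scope tied to a reviewed image; the same holds for `JamesIves/github-pages-deploy-action` if it is referenced by a floating ref in the steps below. The job's steps continue outside the hunk, so the action's pin could not be checked here.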
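Review bot: `actions/labeler@main` runs on `pull_request_target` with the `pull-requests: write` token added here, so whatever is on that action's `main` branch at run time executes with write access on every pull request; the job-level scoping this commit adds limits the blast radius but does not address the floating ref. Pin it to a release tag or, preferably, a full commit SHA with the version in a trailing comment, e.g. `- uses: actions/labeler@<full-commit-sha> # vX.Y.Z` (placeholder). The same applies to `rokroskar/workflow-run-cleanup-action@master`, which receives `actions: write` in the `cleanup-runs` jobs of sims-045.yml, sims-046.yml and sims.yml in this patch.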
@@ -7,8 +7,14 @@ on: - edited - synchronize +permissions: + contents: read + jobs: main: + permissions: + pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs + statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR runs-on: ubuntu-latest steps: - uses: amannn/action-semantic-pull-request@v4.5.0 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index fe539ebd288a..d7cc2db802be 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,8 +7,13 @@ on: push: branches: - main +permissions: + contents: read + jobs: golangci: + permissions: + pull-requests: read # for technote-space/get-diff-action to get git reference name: golangci-lint runs-on: ubuntu-latest steps: diff --git a/.github/workflows/proto.yml b/.github/workflows/proto.yml index 490e12fda392..7d73948e4399 100644 --- a/.github/workflows/proto.yml +++ b/.github/workflows/proto.yml @@ -6,6 +6,9 @@ on: paths: - "proto/**" +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest diff --git a/.github/workflows/release-sims.yml b/.github/workflows/release-sims.yml index a3a54bcdd130..e5a0d3281798 100644 --- a/.github/workflows/release-sims.yml +++ b/.github/workflows/release-sims.yml @@ -6,6 +6,9 @@ on: branches: - "rc**" +permissions: + contents: read + jobs: test-sim-multi-seed-long: runs-on: buildjet-4vcpu-ubuntu-2004 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c2838fb45665..c0f0d1c762b7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,8 +7,13 @@ on: tags: - "v[0-9]+.[0-9]+.[0-9]+" # Push events to matching v*, i.e. v1.0, v20.15.10 +permissions: + contents: read + jobs: release: + permissions: + contents: write # for goreleaser/goreleaser-action to create a GitHub release runs-on: buildjet-4vcpu-ubuntu-2004 steps: - uses: actions/checkout@v3 
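Review bot: The job-level block added to `golangci` in lint.yml grants only `pull-requests: read`, and a job-level `permissions:` replaces the workflow-level one rather than extending it, so this job's token ends up with no `contents` scope at all. In the same patch the `build` job in sims.yml pairs the `technote-space/get-diff-action` grant with `contents: read # for actions/checkout to fetch code`; if `golangci` also checks out the repository (its `steps:` continue outside the hunk), the block should match it with `contents: read # for actions/checkout to fetch code`. If the job deliberately does not check out code, a one-line comment saying so would keep the next reader from re-adding the scope.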
diff --git a/.github/workflows/sims-045.yml b/.github/workflows/sims-045.yml index 9d42403227c8..8fa9e519c2c8 100644 --- a/.github/workflows/sims-045.yml +++ b/.github/workflows/sims-045.yml @@ -9,6 +9,9 @@ on: jobs: cleanup-runs: + permissions: + actions: write # for rokroskar/workflow-run-cleanup-action to obtain workflow name & cancel it + contents: read # for rokroskar/workflow-run-cleanup-action to obtain branch runs-on: buildjet-4vcpu-ubuntu-2004 steps: - uses: rokroskar/workflow-run-cleanup-action@master @@ -28,6 +31,8 @@ jobs: - run: make build install-runsim: + permissions: + contents: none runs-on: buildjet-4vcpu-ubuntu-2004 needs: build steps: @@ -132,6 +137,8 @@ jobs: SLACK_FOOTER: "" sims-notify-failure: + permissions: + contents: none needs: [test-sim-multi-seed-short, test-sim-after-import, test-sim-import-export] runs-on: ubuntu-latest diff --git a/.github/workflows/sims-046.yml b/.github/workflows/sims-046.yml index 4c2e858374e9..0126e3100c32 100644 --- a/.github/workflows/sims-046.yml +++ b/.github/workflows/sims-046.yml @@ -9,6 +9,9 @@ on: jobs: cleanup-runs: + permissions: + actions: write # for rokroskar/workflow-run-cleanup-action to obtain workflow name & cancel it + contents: read # for rokroskar/workflow-run-cleanup-action to obtain branch runs-on: buildjet-4vcpu-ubuntu-2004 steps: - uses: rokroskar/workflow-run-cleanup-action@master @@ -28,6 +31,8 @@ jobs: - run: make build install-runsim: + permissions: + contents: none runs-on: buildjet-4vcpu-ubuntu-2004 needs: build steps: @@ -132,6 +137,8 @@ jobs: SLACK_FOOTER: "" sims-notify-failure: + permissions: + contents: none needs: [test-sim-multi-seed-short, test-sim-after-import, test-sim-import-export] runs-on: ubuntu-latest diff --git a/.github/workflows/sims.yml b/.github/workflows/sims.yml index 7fe80e63302c..dbd248433c21 100644 --- a/.github/workflows/sims.yml +++ b/.github/workflows/sims.yml 
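Review bot: Unlike the other workflows in this patch, sims-045.yml, sims-046.yml and sims.yml receive no workflow-level `permissions:` block, so only the jobs given a job-level block here (`cleanup-runs`, `install-runsim`, `sims-notify-failure`, plus `build` in sims.yml) are scoped, while the `build` and `test-sim-*` jobs referenced through `needs:` keep the repository's default token permissions, which may still be read/write. Adding the same two lines used in check-docs.yml at the top of each of the three files, `permissions:` followed by `  contents: read`, makes the least-privilege default apply to those jobs as well. The `build` job definition sits above the second hunk and the `test-sim-*` jobs are outside the hunks, so their lack of a block is inferred from the `needs:` references rather than seen directly.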
@@ -9,6 +9,9 @@ on: jobs: cleanup-runs: + permissions: + actions: write # for rokroskar/workflow-run-cleanup-action to obtain workflow name & cancel it + contents: read # for rokroskar/workflow-run-cleanup-action to obtain branch runs-on: buildjet-4vcpu-ubuntu-2004 steps: - uses: rokroskar/workflow-run-cleanup-action@master @@ -17,6 +20,9 @@ jobs: if: "!startsWith(github.ref, 'refs/tags/') && github.ref != 'refs/heads/main'" build: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for technote-space/get-diff-action to get git reference runs-on: buildjet-4vcpu-ubuntu-2004 if: "!contains(github.event.head_commit.message, 'skip-sims')" steps: @@ -130,6 +136,8 @@ jobs: SLACK_FOOTER: "" sims-notify-failure: + permissions: + contents: none needs: [test-sim-multi-seed-short, test-sim-after-import, test-sim-import-export] runs-on: ubuntu-latest diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 0c8717cded91..4926cfaaedf8 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -3,8 +3,14 @@ on: schedule: - cron: "0 0 * * *" +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest steps: - uses: actions/stale@v5