GitHub Workflows security hardening

[sashashura]

This PR adds explicit permissions section to workflows. This is a security best practice because by default workflows run with extended set of permissions (except from on: pull_request from external forks). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an injection or compromised third party tool or action) is restricted.
It is recommended to have most strict permissions on the top level and grant write permissions on job level case by case.

[rust-highfive]

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @pietroalbini (or someone else) soon.

Please see the contribution instructions for more information.

[Noratrieb]

As the error tells, the CI file is generated from src/ci/github-actions/ci.yml, you need to edit that file first and then run the generation script.

[sashashura]

I thought automatically generated files are automatically generated...

[pietroalbini]

There is an action that uses the actions: write permission in our workflow:

rust/src/ci/github-actions/ci.yml

Lines 133 to 138 in 5fecdb7

	- name: configure GitHub Actions to kill the build when outdated
	uses: rust-lang/simpleinfra/github-actions/cancel-outdated-builds@master
	with:
	github_token: "${{ secrets.github_token }}"
	if: success() && !env.SKIP_JOB && github.ref != 'refs/heads/try' && github.ref != 'refs/heads/try-perf'
	<<: *step

That whole action can probably be replaced with the concurrency key though (we created the action before concurrency was introduced).

[sashashura]

Thank you, I missed that. To keep one issue per pull request, I only added the permission for now.

[pietroalbini]

Thanks!

@bors r+

[bors]

📌 Commit bd5aad3 has been approved by pietroalbini

It is now in the queue for this repository.

[bors]

⌛ Testing commit bd5aad3 with merge a37499a...

[bors]

☀️ Test successful - checks-actions
Approved by: pietroalbini
Pushing a37499a to master...

[rust-timer]

Finished benchmarking commit (a37499a): comparison URL.

Overall result: no relevant changes - no action needed

@rustbot label: -perf-regression

Instruction count

This benchmark run did not return any relevant results for this metric.

Max RSS (memory usage)

Results

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

	mean1	range	count2
Regressions ❌ (primary)	-	-	0
Regressions ❌ (secondary)	2.8%	[2.6%, 2.9%]	2
Improvements ✅ (primary)	-	-	0
Improvements ✅ (secondary)	-3.3%	[-3.3%, -3.3%]	1
All ❌✅ (primary)	-	-	0

Cycles

Results

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

	mean1	range	count2
Regressions ❌ (primary)	2.4%	[2.4%, 2.4%]	1
Regressions ❌ (secondary)	-	-	0
Improvements ✅ (primary)	-	-	0
Improvements ✅ (secondary)	-	-	0
All ❌✅ (primary)	2.4%	[2.4%, 2.4%]	1

Footnotes

1. the arithmetic mean of the percent change ↩ ↩²

2. number of relevant changes ↩ ↩²