Try to lock down workflow permissions.

Note that testing will occur only after this commit lands... Change-Id: Ib7ef2a73e743cb48774e96f86321c2fcc058f0b4 Reviewed-on: https://code-review.googlesource.com/c/re2/+/62350 Reviewed-by: Alex Chernyakhovsky <[email protected]> Reviewed-by: Paul Wankadia <[email protected]>
google · Jan 15, 2024 · 32c181e · 32c181e
1 parent c042630
commit 32c181e
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 0 deletions.
diff --git a/.github/workflows/ci-bazel.yml b/.github/workflows/ci-bazel.yml
@@ -2,6 +2,8 @@ name: CI (Bazel)
 on:
   push:
     branches: [main]
+permissions:
+  contents: read
 jobs:
   build:
     runs-on: ${{ matrix.os }}

diff --git a/.github/workflows/ci-cmake.yml b/.github/workflows/ci-cmake.yml
@@ -2,6 +2,8 @@ name: CI (CMake)
 on:
   push:
     branches: [main]
+permissions:
+  contents: read
 jobs:
   build-linux:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,6 +2,8 @@ name: CI
 on:
   push:
     branches: [main]
+permissions:
+  contents: read
 jobs:
   build-appleclang:
     runs-on: macos-latest

diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -3,8 +3,16 @@ on:
   pull_request_target:
     branches: [main]
     types: [opened]
+permissions:
+  contents: read
 jobs:
   close:
+    permissions:
+      contents: read
+      # We have to use two different APIs below,
+      # so just grant two different permissions.
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3

diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -5,6 +5,8 @@ on:
       build:
         required: true
         type: number
+permissions:
+  contents: read
 jobs:
   wheel-linux:
     name: Linux ${{ matrix.os }}, ${{ matrix.arch.name }}, Python ${{ matrix.ver }}