[StepSecurity] ci: Harden GitHub Actions (#4551)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2025-07-29 23:01:16 +03:00 · 2024-12-17 06:20:06 -08:00
parent 861ec9c3c6
commit 5362012fdd
9 changed files with 27 additions and 0 deletions
--- a/.github/workflows/check_amalgamation.yml
+++ b/.github/workflows/check_amalgamation.yml
@ -3,6 +3,9 @@ name: "Check amalgamation"
 on:
  pull_request:

+permissions:
+  contents: read
+
 jobs:
  save:
    runs-on: ubuntu-latest
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@ -1,6 +1,9 @@
 name: CIFuzz
 on: [pull_request]

+permissions:
+  contents: read
+
 jobs:
  Fuzzing:
    runs-on: ubuntu-latest
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -15,6 +15,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  CodeQL-Build:

--- a/.github/workflows/comment_check_amalgamation.yml
+++ b/.github/workflows/comment_check_amalgamation.yml
@ -5,6 +5,9 @@ on:
    types:
      - completed

+permissions:
+  contents: read
+
 jobs:
  comment:
    if: ${{ github.event.workflow_run.conclusion == 'failure' }}
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@ -9,6 +9,9 @@
 name: 'Dependency Review'
 on: [pull_request]

+permissions:
+  contents: read
+
 jobs:
  dependency-review:
    runs-on: ubuntu-latest
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@ -4,6 +4,9 @@ on:
  pull_request_target:
    types: [opened, synchronize]

+permissions:
+  contents: read
+
 jobs:
  label:
    permissions:
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@ -13,6 +13,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
 # macos-11 is deprecated
 #  macos-11:
--- a/.github/workflows/publish_documentation.yml
+++ b/.github/workflows/publish_documentation.yml
@ -15,6 +15,9 @@ concurrency:
  group: documentation
  cancel-in-progress: false

+permissions:
+  contents: read
+
 jobs:
  publish_documentation:
    permissions:
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@ -14,6 +14,9 @@ on:
  push:
    branches: ["develop"]

+permissions:
+  contents: read
+
 jobs:
  analysis:
    name: Scorecard analysis