CI-hardening: move permissions to the job level

Instead of giving all jobs write permissions, default to no permissions and enable them on a per-job basis. This does not change anything for us, but avoids accidental write permissions if a new job gets added without considering that it inherits the top level permissions, even if it doesn't need them. See https://woodruffw.github.io/zizmor/audits/#excessive-permissions
2024-12-06 14:03:26 +01:00 · 2024-12-06 14:03:26 +01:00 · 5bf958fd1b
commit 5bf958fd1b
parent 7eed3d8bc1
2 changed files with 11 additions and 4 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -19,14 +19,16 @@ on:
 env:
  PYTHONUNBUFFERED: 1

-permissions:
-  contents: write
+permissions: {}

 jobs:

  schedule:
    runs-on: ubuntu-22.04

+    permissions:
+      contents: write
+
    concurrency: autobuild-maint

    outputs:
@ -96,6 +98,9 @@ jobs:
    timeout-minutes: 4320
    needs: schedule

+    permissions:
+      contents: write
+
    concurrency: autobuild-build-${{ matrix.name }}

    if: ${{ needs.schedule.outputs.build-plan != '[]' }}
--- a/.github/workflows/maint.yml
+++ b/.github/workflows/maint.yml
@ -19,8 +19,7 @@ on:
        required: false
        type: string

-permissions:
-  contents: write
+permissions: {}

 concurrency: autobuild-maint

@ -29,6 +28,9 @@ jobs:
  schedule:
    runs-on: ubuntu-22.04

+    permissions:
+      contents: write
+
    steps:

    - name: Dump inputs