Befator-Inc-Firmen-Netzwerk/msys2-autobuild
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 10 Wiki Activity

CI-hardening: move permissions to the job level

Browse Source 
Instead of giving all jobs write permissions, default to no permissions
and enable them on a per-job basis.

This does not change anything for us, but avoids accidental write
permissions if a new job gets added without considering that it inherits
the top level permissions, even if it doesn't need them.

See https://woodruffw.github.io/zizmor/audits/#excessive-permissions
This commit is contained in:
Christoph Reiter 2024-12-06 14:03:26 +01:00
parent 7eed3d8bc1
commit 5bf958fd1b
2 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.github/workflows/build.yml vendored
View File

@ -19,14 +19,16 @@ on:
env: env:
PYTHONUNBUFFERED: 1 PYTHONUNBUFFERED: 1
permissions: permissions: {}
contents: write
jobs: jobs:
schedule: schedule:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: write
concurrency: autobuild-maint concurrency: autobuild-maint
outputs: outputs:
@ -96,6 +98,9 @@ jobs:
timeout-minutes: 4320 timeout-minutes: 4320
needs: schedule needs: schedule
permissions:
contents: write
concurrency: autobuild-build-${{ matrix.name }} concurrency: autobuild-build-${{ matrix.name }}
if: ${{ needs.schedule.outputs.build-plan != '[]' }} if: ${{ needs.schedule.outputs.build-plan != '[]' }}

6
.github/workflows/maint.yml vendored
View File

@ -19,8 +19,7 @@ on:
required: false required: false
type: string type: string
permissions: permissions: {}
contents: write
concurrency: autobuild-maint concurrency: autobuild-maint
@ -29,6 +28,9 @@ jobs:
schedule: schedule:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: write
steps: steps:
- name: Dump inputs - name: Dump inputs