Add explicit security permissions to each github action

Signed-off-by: Nigel Jones <jonesn@uk.ibm.com>
open-quantum-safe · Apr 19, 2024 · e7c98d1 · e7c98d1
1 parent 34fb3d3
commit e7c98d1
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 4 deletions.
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
@@ -1,5 +1,8 @@
 name: android build
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:

diff --git a/.github/workflows/apple.yml b/.github/workflows/apple.yml
@@ -1,5 +1,8 @@
 name: apple build
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:

diff --git a/.github/workflows/release-test.yml b/.github/workflows/release-test.yml
@@ -1,10 +1,14 @@
 name: Release tests
 
+permissions:
+  contents: read
+
 # Trigger oqs-provider release tests.
 # Runs whenever a release is published, or when a commit message ends with "[trigger downstream]"
 # When triggered by a release, the liboqs release tag and the provider "<release tag>-tracker" branch are used.
 # When triggered by a commit message, the triggering liboqs branch and the provider "<liboqs branch>-tracker" branch are used.
 # If the tracker branch does not exist, the downstream pipeline should detect it and run on the main branch instead.
+
 on:
   push:
   release:

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -1,8 +1,11 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
 name: Scorecard supply-chain security
+
+permissions:
+  contents: read
+  # needed to allow a badge to be created
+  # ie [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://securityscorecards.dev/viewer/?uri=github.com/{owner}/{repo})
+  id-token: write
+  security-events: write
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection

diff --git a/.github/workflows/unix.yml b/.github/workflows/unix.yml
@@ -1,5 +1,8 @@
 name: Linux and MacOS tests
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:

diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
@@ -1,5 +1,8 @@
 name: Weekly extended tests
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: "5 0 * * 0"

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -1,5 +1,8 @@
 name: Windows tests
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:

diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml
@@ -1,5 +1,8 @@
 name: Zephyr tests
 
+permissions:
+  contents: read
+
 on: [push, pull_request]
 
 jobs: