Add explicit security permissions to each github action

Signed-off-by: Nigel Jones <[email protected]>
open-quantum-safe · Apr 19, 2024 · c0aa784 · c0aa784
1 parent 34fb3d3
commit c0aa784
Show file tree

Hide file tree

Showing 8 changed files with 29 additions and 7 deletions.
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
@@ -1,5 +1,8 @@
 name: android build
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:

diff --git a/.github/workflows/apple.yml b/.github/workflows/apple.yml
@@ -1,5 +1,8 @@
 name: apple build
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:

diff --git a/.github/workflows/release-test.yml b/.github/workflows/release-test.yml
@@ -1,10 +1,14 @@
 name: Release tests
 
+permissions:
+  contents: read
+
 # Trigger oqs-provider release tests.
 # Runs whenever a release is published, or when a commit message ends with "[trigger downstream]"
 # When triggered by a release, the liboqs release tag and the provider "<release tag>-tracker" branch are used.
 # When triggered by a commit message, the triggering liboqs branch and the provider "<liboqs branch>-tracker" branch are used.
 # If the tracker branch does not exist, the downstream pipeline should detect it and run on the main branch instead.
+
 on:
   push:
   release:

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -1,8 +1,11 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
 name: Scorecard supply-chain security
+
+permissions:
+  contents: read
+  # needed to allow a badge to be created
+  # ie [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/{owner}/{repo}/badge)](https://securityscorecards.dev/viewer/?uri=github.com/{owner}/{repo})
+  id-token: write
+  security-events: write
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
@@ -15,9 +18,6 @@ on:
     branches: [ "main" ]
   pull_request:
 
-    # Declare default permissions as read only.
-permissions: read-all
-
 jobs:
   analysis:
     name: Scorecard analysis

diff --git a/.github/workflows/unix.yml b/.github/workflows/unix.yml
@@ -1,5 +1,8 @@
 name: Linux and MacOS tests
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:

diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
@@ -1,5 +1,8 @@
 name: Weekly extended tests
 
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: "5 0 * * 0"

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -1,5 +1,8 @@
 name: Windows tests
 
+permissions:
+  contents: read
+
 on: [ push, pull_request ]
 
 jobs:

diff --git a/.github/workflows/zephyr.yml b/.github/workflows/zephyr.yml
@@ -1,5 +1,8 @@
 name: Zephyr tests
 
+permissions:
+  contents: read
+
 on: [push, pull_request]
 
 jobs: