Set permissions to GITHUB_TOKEN (#2848)

joycebrum · web-flow · commit 664ac01967f8 · 2023-09-12T22:39:48.000+02:00
* [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: Joyce Brum &lt;joycebrum@google.com&gt;

* set release.yml permissions

Signed-off-by: Joyce &lt;joycebrum@google.com&gt;

* set backport.yml permissions

Signed-off-by: Joyce &lt;joycebrum@google.com&gt;

---------

Signed-off-by: Joyce Brum &lt;joycebrum@google.com&gt;
Signed-off-by: Joyce &lt;joycebrum@google.com&gt;
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
@@ -5,10 +5,14 @@ on:
       - closed
       - labeled
 
+permissions: {}
+
 jobs:
   backport:
     runs-on: ubuntu-20.04
     name: Backport
+    permissions: 
+      contents: write
     steps:
       - name: Backport Bot
         if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( join( github.event.pull_request.labels.*.name ), 'backport') ) || contains( github.event.label.name, 'backport' ) )
diff --git a/.github/workflows/ci_test.yml b/.github/workflows/ci_test.yml
@@ -10,6 +10,9 @@ on:
       - master
       - r*
 
+permissions:
+  contents: read
+
 jobs:
   flake8-test:
     name: Flake8
diff --git a/.github/workflows/notify_codeowners.yml b/.github/workflows/notify_codeowners.yml
@@ -5,6 +5,9 @@ on:
     types: [opened]
 
 
+permissions:
+  contents: read
+
 jobs:
   notify-codeowners:
     name: Notify codeowners
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -6,8 +6,14 @@ on:
       - master
       - r*
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
+    permissions:
+      contents: write  # for release-drafter/release-drafter to create a github release
+      pull-requests: write  # for release-drafter/release-drafter to add label to PR
     runs-on: ubuntu-latest
     steps:
       - uses: release-drafter/release-drafter@74e7c423dafbb406c9c18b1638334f67a7c891c3 # Version 5.7.0
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,6 +14,9 @@ on:
       - master
       - r*
 
+permissions:
+  contents: read
+
 env:
   MIN_PY_VERSION: '3.9'
   MAX_PY_VERSION: '3.11'
diff --git a/.github/workflows/validate_codeowners.yml b/.github/workflows/validate_codeowners.yml
@@ -15,6 +15,9 @@ on:
 # Otherwise, it's useless, it just check the codeowners file from the latest commit in master
 
 
+permissions:
+  contents: read
+
 jobs:
   validate-codeowners:
     name: Check that the CODEOWNERS is valid
