Set top level permissions to read only on GitHub Workflows (#12971)
Hi, here is Joyce from Google again.
I'd like starting suggesting the [Token-Permission check](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) fix.
Let me know if I might be missing any permission. Thanks!
### Security Reason
This is needed because, by default, GitHub grants write-all permission to all workflows, which could be exploited by an attacker in case of a compromised workflow. Limiting permissions is a simple and effective way to also limit the impact of an eventual compromised workflow.
Thus, it is both a recommendation from [OpenSSF Scorecard](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) and the [Github](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions) to always use credentials that are minimally scoped.
Closes #12971
COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/12971 from joycebrum:main 6d6dac5678956c6172831dd54dbda063f452380c
PiperOrigin-RevId: 537973051
diff --git a/.github/workflows/clear_caches.yml b/.github/workflows/clear_caches.yml
index f7d7bce..7e27624 100644
--- a/.github/workflows/clear_caches.yml
+++ b/.github/workflows/clear_caches.yml
@@ -8,6 +8,9 @@
# manual
workflow_dispatch:
+permissions:
+ contents: read
+
jobs:
bazel-repository-cache:
strategy:
@@ -16,6 +19,9 @@
os: [ubuntu-latest, macos-latest, windows-latest]
name: Clear Bazel repository cache ${{ runner.os }}
runs-on: ${{ matrix.os }}
+ permissions:
+ actions: write # permission is required to delete caches
+ contents: read
steps:
- uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
with:
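Review bot: The job-level `permissions` block added above `steps:` replaces the workflow-level block entirely rather than merging with it, so the repeated `contents: read` is required, not redundant, but the inline comment only explains `actions: write` and a later editor could reasonably delete the "duplicate" line. I would extend the comment on that line: `contents: read  # job-level permissions replace the workflow-level block, so this must be re-listed`. The remainder of the bazel-repository-cache job continues outside the hunk.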
diff --git a/.github/workflows/forked_pr_workflow_check.yml b/.github/workflows/forked_pr_workflow_check.yml
index f1dd9b5..97f3177 100644
--- a/.github/workflows/forked_pr_workflow_check.yml
+++ b/.github/workflows/forked_pr_workflow_check.yml
@@ -17,6 +17,9 @@
paths:
- '.github/workflows/**'
+permissions:
+ contents: read
+
jobs:
check:
name: Check PR source
diff --git a/.github/workflows/test_cpp.yml b/.github/workflows/test_cpp.yml
index 6b5f9df..a8c589f 100644
--- a/.github/workflows/test_cpp.yml
+++ b/.github/workflows/test_cpp.yml
@@ -7,6 +7,9 @@
required: true
description: "The SHA key for the commit we want to run over"
type: string
+
+permissions:
+ contents: read
jobs:
linux:
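Review bot: The blank line around the new `permissions` block is placed inconsistently across this commit: here and in test_runner.yml it precedes `permissions:` and `jobs:` follows with no gap, while test_csharp.yml, test_java.yml, test_objectivec.yml, test_php.yml, test_python.yml, test_ruby.yml and test_rust.yml have no blank before the block and one after. Since the same three lines are pasted into eleven files, pick one layout — a blank line on both sides of a top-level key is the usual convention — so the files read identically and a yamllint `empty-lines`/`document-structure` pass treats them uniformly. The `jobs:` mapping starts at the hunk edge, so the jobs themselves are outside the view.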
diff --git a/.github/workflows/test_csharp.yml b/.github/workflows/test_csharp.yml
index 62580ca..f0cafc3 100644
--- a/.github/workflows/test_csharp.yml
+++ b/.github/workflows/test_csharp.yml
@@ -8,6 +8,9 @@
description: "The SHA key for the commit we want to run over"
type: string
+permissions:
+ contents: read
+
jobs:
linux:
name: Linux
diff --git a/.github/workflows/test_java.yml b/.github/workflows/test_java.yml
index d8a8522..d713d1c 100644
--- a/.github/workflows/test_java.yml
+++ b/.github/workflows/test_java.yml
@@ -8,6 +8,9 @@
description: "The SHA key for the commit we want to run over"
type: string
+permissions:
+ contents: read
+
jobs:
linux:
strategy:
diff --git a/.github/workflows/test_objectivec.yml b/.github/workflows/test_objectivec.yml
index b441149..c3c04e9 100644
--- a/.github/workflows/test_objectivec.yml
+++ b/.github/workflows/test_objectivec.yml
@@ -8,6 +8,9 @@
description: "The SHA key for the commit we want to run over"
type: string
+permissions:
+ contents: read
+
jobs:
xcode:
strategy:
diff --git a/.github/workflows/test_php.yml b/.github/workflows/test_php.yml
index 3a91e34..6319929 100644
--- a/.github/workflows/test_php.yml
+++ b/.github/workflows/test_php.yml
@@ -8,6 +8,9 @@
description: "The SHA key for the commit we want to run over"
type: string
+permissions:
+ contents: read
+
jobs:
linux:
strategy:
diff --git a/.github/workflows/test_python.yml b/.github/workflows/test_python.yml
index 36f4e5a..f82aa46 100644
--- a/.github/workflows/test_python.yml
+++ b/.github/workflows/test_python.yml
@@ -8,6 +8,9 @@
description: "The SHA key for the commit we want to run over"
type: string
+permissions:
+ contents: read
+
jobs:
linux:
strategy:
diff --git a/.github/workflows/test_ruby.yml b/.github/workflows/test_ruby.yml
index 45b9a1e..24b4122 100644
--- a/.github/workflows/test_ruby.yml
+++ b/.github/workflows/test_ruby.yml
@@ -8,6 +8,9 @@
description: "The SHA key for the commit we want to run over"
type: string
+permissions:
+ contents: read
+
jobs:
linux:
strategy:
diff --git a/.github/workflows/test_runner.yml b/.github/workflows/test_runner.yml
index 58fcd31..51ac629 100644
--- a/.github/workflows/test_runner.yml
+++ b/.github/workflows/test_runner.yml
@@ -49,6 +49,9 @@
# manual
workflow_dispatch:
+
+permissions:
+ contents: read
jobs:
check-tag:
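Review bot: A workflow-level `contents: read` in test_runner.yml also caps the token handed to any workflow it invokes, because a called workflow cannot be granted more than the caller holds; if, as the `inputs` in the other files suggest, test_runner.yml dispatches the test_*.yml workflows, any job that needs a write scope (status or check reporting, or `actions: write` as in clear_caches.yml) must now declare a job-level `permissions` block that re-lists `contents: read`, and a missing grant surfaces only at run time as a 403. I cannot verify the jobs from this hunk — `check-tag` and everything after it lie outside it — so I would record the contract above the new block: `# Read-only default for every job and for called workflows; a job needing more must set its own permissions block, which replaces (does not extend) this one.`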
diff --git a/.github/workflows/test_rust.yml b/.github/workflows/test_rust.yml
index b90e5d6..c971ce3 100644
--- a/.github/workflows/test_rust.yml
+++ b/.github/workflows/test_rust.yml
@@ -8,6 +8,9 @@
description: "The SHA key for the commit we want to run over"
type: string
+permissions:
+ contents: read
+
jobs:
linux:
name: Linux