GitHub Workflows security hardening (#11323) Roll forward of #10843 after accidental direct merge Closes #11323 COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/11323 from mkruskal-google:restore-hardening ef7c9fd0674d1f147883fec7b0bf59c67352796c PiperOrigin-RevId: 495885677
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index b32c0a2..e7c63ee 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -3,6 +3,8 @@
 # https://github.com/codespell-project/codespell
 name: codespell
 on: [push, pull_request]
+permissions:
+  contents: read # to fetch code (actions/checkout)
 jobs:
   codespell:
     name: Check for spelling errors
diff --git a/.github/workflows/generate_files.yml b/.github/workflows/generate_files.yml
index c1562b3..bbeef6e 100644
--- a/.github/workflows/generate_files.yml
+++ b/.github/workflows/generate_files.yml
@@ -9,8 +9,12 @@
       # to exclude it.
       - '!21.x'
+permissions: {}
 jobs:
   cmake:
+    permissions:
+      contents: write # for git push
+
     if: github.repository == 'protocolbuffers/protobuf'
     runs-on: ubuntu-latest
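Review bot: The `contents: write` grant on the `cmake` job applies to every step in that job, not only the push, so a write-capable GITHUB_TOKEN is present on the runner while the regeneration/build steps run; those steps are outside the hunk, so this is inferred from the job name and the `# for git push` comment. If the generation step executes build scripts from the checked-out tree, consider splitting the work into a read-only job that uploads the generated files as an artifact and a separate `contents: write` job that only commits and pushes, so the write token never shares a runner with the build. The existing `if: github.repository == 'protocolbuffers/protobuf'` guard stops forks from running the job but does not narrow what the token can do. Making the scope explicit in the comment, e.g. `contents: write # for git push; covers the whole job, so keep untrusted build steps out of it`, would record that trade-off for the next maintainer.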
diff --git a/.github/workflows/objc_cocoapods.yml b/.github/workflows/objc_cocoapods.yml
index d828ae3..939e890 100644
--- a/.github/workflows/objc_cocoapods.yml
+++ b/.github/workflows/objc_cocoapods.yml
@@ -18,6 +18,9 @@
       - '!objectivec/ProtocolBuffers_*.xcodeproj/**'
       - '!objectivec/Tests/**'
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   pod-lib-lint:
     runs-on: macos-latest
diff --git a/.github/workflows/php-ext.yml b/.github/workflows/php-ext.yml
index 17b6adf..da7e6f8 100644
--- a/.github/workflows/php-ext.yml
+++ b/.github/workflows/php-ext.yml
@@ -4,6 +4,9 @@
   - push
   - pull_request
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   build-php:
     name: Build PHP extension
diff --git a/.github/workflows/update_php_repo.yml b/.github/workflows/update_php_repo.yml
index 2224cd2..4af48dc 100644
--- a/.github/workflows/update_php_repo.yml
+++ b/.github/workflows/update_php_repo.yml
@@ -6,6 +6,9 @@
       - v[0-9]+.[0-9]+
       - v[0-9]+.[0-9]+-rc[0-9]+
+permissions:
+  contents: read # to fetch code in 'Clone protobuf' (actions/checkout)
+
 jobs:
   update-repo:
     name: Update PHP Repo
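Review bot: The comment on `contents: read` documents only the checkout, but a tag-triggered job named "Update PHP Repo" presumably pushes to a different repository, which GITHUB_TOKEN cannot do regardless of this setting; the job's steps are outside the hunk, so the credential it actually uses is not visible here. If that push relies on a stored secret (a PAT or deploy key), this permissions block does not constrain it, and the point worth recording is that the secret is exposed to every step of the job on any matching `v*` tag push. Extend the comment to say where the write credential comes from, e.g. `contents: read # GITHUB_TOKEN only fetches code; the cross-repo push uses a separate secret with its own scope`, so a reader does not take this block as the workflow's full privilege set.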