.github: workflows: restrict top-level workflow permissions

Only permit reading the repository contents by default, and set further privileges at the job level to satisfy OpenSSF Scorecard criteria. Link: https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions Link: https://securityscorecards.dev/viewer/?uri=github.com/OFS/opae-sdk Signed-off-by: Peter Colberg <peter.colberg@intel.com>
OFS · Sep 18, 2024 · cd83d2b · cd83d2b
1 parent 4eaf030
commit cd83d2b
Show file tree

Hide file tree

Showing 9 changed files with 35 additions and 0 deletions.
diff --git a/.github/workflows/build-debs.yml b/.github/workflows/build-debs.yml
@@ -1,5 +1,9 @@
 name: Build DEBs
 
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:

diff --git a/.github/workflows/build-rpms.yml b/.github/workflows/build-rpms.yml
@@ -1,5 +1,9 @@
 name: Build RPMs
 
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:

diff --git a/.github/workflows/ccpp-tests.yml b/.github/workflows/ccpp-tests.yml
@@ -1,5 +1,9 @@
 name: C/C++ CI Build and Test
 
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/docker-rpm.yml b/.github/workflows/docker-rpm.yml
@@ -1,5 +1,9 @@
 name: Docker Build and Review RPM
 
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches-ignore:

diff --git a/.github/workflows/no-ccpp-tests.yml b/.github/workflows/no-ccpp-tests.yml
@@ -1,5 +1,9 @@
 name: C/C++ CI Build and Test (dummy)
 
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/no-python-analysis.yml b/.github/workflows/no-python-analysis.yml
@@ -1,5 +1,9 @@
 name: python static analysis (dummy)
 
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:

diff --git a/.github/workflows/pacsign.yml b/.github/workflows/pacsign.yml
@@ -1,5 +1,9 @@
 name: Python pacsign tests
 
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths: 

diff --git a/.github/workflows/python-static-analysis.yml b/.github/workflows/python-static-analysis.yml
@@ -1,5 +1,9 @@
 name: python static analysis
 
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches:

diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml
@@ -1,5 +1,8 @@
 name: valgrind OPAE tests
 
+# https://github.com/ossf/scorecard/blob/9ff40de429d0c7710076070387c8755494a9f187/docs/checks.md#token-permissions
+permissions:
+  contents: read
 
 on:
   schedule: