Use minimum required permissions for GitHub workflows

This reduces the attack surface if the workflows are ever compromised.
2022-07-03 20:38:51 +03:00 · 2022-07-03 20:38:51 +03:00 · a1f1acfbf9
parent 45d2492bcb
commit a1f1acfbf9
3 changed files with 21 additions and 1 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -31,6 +31,10 @@ on:
 jobs:
  build-and-test-jvm:
    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
    steps:
      - uses: actions/checkout@v3
      - uses: gradle/wrapper-validation-action@v1
@ -64,6 +68,10 @@ jobs:
      matrix:
        # api-level 19 is min sdk, but throws errors related to desugaring
        api-level: [ 21, 29 ]
+
+    permissions:
+      contents: read
+
    steps:
      - uses: actions/checkout@v3

@ -91,6 +99,10 @@ jobs:

  sonar:
    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
    steps:
      - uses: actions/checkout@v3
        with:
--- a/.github/workflows/image-minimizer.yml
+++ b/.github/workflows/image-minimizer.yml
@ -6,6 +6,10 @@ on:
  issues:
    types: [opened, edited]

+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
  try-minimize:
    runs-on: ubuntu-latest
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@ -9,6 +9,10 @@ on:
    # Run daily at midnight.
    - cron: '0 0 * * *'

+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
  noResponse:
    runs-on: ubuntu-latest