From d412de485cea339b0f35db7de9438bbe82752033 Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Wed, 11 Sep 2024 01:46:34 +0000 Subject: [PATCH 1/2] [StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot --- .github/workflows/codeql.yml | 3 +++ .github/workflows/main.yml | 3 +++ .github/workflows/test.yml | 3 +++ .github/workflows/vcpkg.yml | 3 +++ 4 files changed, 12 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 872ba883..b1d7457c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,6 +23,9 @@ on: schedule: - cron: '19 7 * * 1' +permissions: + contents: read + jobs: analyze: name: Analyze (C/C++) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e07006ff..f4349a03 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -21,6 +21,9 @@ on: - build/*.targets - build/*.yml +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f610de19..733a71ec 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -21,6 +21,9 @@ on: - build/*.targets - build/*.yml +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/vcpkg.yml b/.github/workflows/vcpkg.yml index 33fe46c7..4eaab91a 100644 --- a/.github/workflows/vcpkg.yml +++ b/.github/workflows/vcpkg.yml @@ -15,6 +15,9 @@ on: - LICENSE - build/* +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} From 8108611669cd6e49362060a47f0406494907520c Mon Sep 17 00:00:00 2001 From: Chuck Walbourn Date: Tue, 10 Sep 2024 18:47:06 -0700 Subject: [PATCH 2/2] Update codeql.yml --- .github/workflows/codeql.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index b1d7457c..dcf08e38 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -32,7 +32,9 @@ jobs: runs-on: windows-latest timeout-minutes: 360 permissions: - security-events: write + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report packages: read steps: