Set minimal permissions to Github Workflows (#3972)

joycebrum · web-flow · commit 546370c9e778 · 2023-03-13T12:14:35.000+01:00
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -1,5 +1,9 @@
 name: CIFuzz
 on: [pull_request]
+
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -10,6 +10,9 @@ on:
   schedule:
     - cron: '0 19 * * 1'
   workflow_dispatch:
+  
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
@@ -19,6 +22,8 @@ jobs:
   CodeQL-Build:
 
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
 
     steps:
     - name: Checkout repository
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -4,6 +4,8 @@ on:
   pull_request_target:
     types: [opened, synchronize]
 
+permissions: {}
+
 jobs:
   label:
     permissions:
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -9,6 +9,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
   cancel-in-progress: true
diff --git a/.github/workflows/publish_documentation.yml b/.github/workflows/publish_documentation.yml
@@ -10,6 +10,9 @@ on:
       - docs/examples/**
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 # we don't want to have concurrent jobs, and we don't want to cancel running jobs to avoid broken publications
 concurrency:
   group: documentation
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -8,6 +8,9 @@ on:
       - release/*
   pull_request:
   workflow_dispatch:
+  
+permissions:
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
@@ -102,6 +105,9 @@ jobs:
   ci_test_coverage:
     runs-on: ubuntu-latest
     container: ghcr.io/nlohmann/json-ci:v2.4.0
+    permissions:
+      contents: read
+      checks: write
     steps:
       - uses: actions/checkout@v3
       - name: Run CMake
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -9,6 +9,9 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
   cancel-in-progress: true
