restrict permissions for GitHub actions

This commit introduces two changes. First, the actions are changed to only have read access to repositories. Second, we specify that GitHub should not persist the authorization token for write access to a repository on disk (see the option `persist-credentials: false`).
orion-rs · May 27, 2021 · 79cacc5 · 79cacc5
1 parent 5357329
commit 79cacc5
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 0 deletions.
diff --git a/.github/workflows/code_coverage.yml b/.github/workflows/code_coverage.yml
@@ -4,6 +4,8 @@ on:
       - master
 
 name: Code coverage
+permissions:
+  contents: read
 
 jobs:
   check:
@@ -12,6 +14,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - name: Install stable toolchain
         uses: actions-rs/toolchain@v1

diff --git a/.github/workflows/daily_tests.yml b/.github/workflows/daily_tests.yml
@@ -1,4 +1,7 @@
 name: Daily tests
+permissions:
+  contents: read
+
 on:
   schedule:
     - cron: '0 0 * * *' # Midnight of each day
@@ -15,6 +18,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - name: Install toolchain
         uses: actions-rs/toolchain@v1

diff --git a/.github/workflows/lints.yml b/.github/workflows/lints.yml
@@ -1,6 +1,8 @@
 on: [push, pull_request]
 
 name: Lints
+permissions:
+  contents: read
 
 jobs:
   lints:

diff --git a/.github/workflows/security_audit.yml b/.github/workflows/security_audit.yml
@@ -1,4 +1,7 @@
 name: Security Audit
+permissions:
+  contents: read
+
 on:
   push:
     # Check immediately if dependencies are altered
@@ -15,6 +18,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v2
+        with:
+          persist-credentials: false
       - name: Install stable toolchain
         uses: actions-rs/toolchain@v1
         with:

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -11,6 +11,8 @@ on:
 # NOTE: Should we use fail-fast: false?
 
 name: Tests
+permissions:
+  contents: read
 
 jobs:
   test:
@@ -30,6 +32,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - name: Install toolchain
         uses: actions-rs/toolchain@v1
@@ -80,6 +84,8 @@ jobs:
     steps:
       - name: Checkout sources
         uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - name: Install toolchain
         uses: actions-rs/toolchain@v1
@@ -103,6 +109,8 @@ jobs:
           - nightly
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - uses: actions-rs/toolchain@v1
       with:
         profile: minimal
@@ -126,6 +134,8 @@ jobs:
           - mips64-unknown-linux-gnuabi64
     steps:
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
       - uses: actions-rs/toolchain@v1
         with:
           toolchain: stable
@@ -148,6 +158,8 @@ jobs:
           - wasm32-unknown-unknown
     steps:
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
       - uses: actions-rs/toolchain@v1
         with:
           toolchain: stable
@@ -163,6 +175,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
       - uses: actions-rs/toolchain@v1
         with:
           toolchain: stable
@@ -185,6 +199,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - uses: EmbarkStudios/cargo-deny-action@v1
       with:
         command: check ${{ matrix.checks }}