common: harden GitHub Actions

pmem · Sep 18, 2024 · 7978f5b · 7978f5b
1 parent 9ef3c3e
commit 7978f5b
Show file tree

Hide file tree

Showing 17 changed files with 52 additions and 10 deletions.
diff --git a/.github/workflows/docker_rebuild.yml b/.github/workflows/docker_rebuild.yml
@@ -23,6 +23,9 @@ env:
   WORKDIR:     utils/docker
   PUSH_IMAGE:  1
 
+permissions:
+  contents: read
+
 jobs:
   image:
     if: github.repository == 'pmem/pmdk'

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -5,12 +5,14 @@ on:
   workflow_dispatch:
   pull_request:
 
+permissions:
+  issues: read
+  contents: read
+
 jobs:
   src_checkers:
     name: Source checkers
     runs-on: ubuntu-latest
-    permissions:
-      issues: read
     steps:
       - name: Clone the git repo
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -19,6 +19,9 @@ env:
   PMDK_CXX:       g++
   SRC_CHECKERS:   0
 
+permissions:
+  contents: read
+
 jobs:
   in-tree:
     name: In-tree

diff --git a/.github/workflows/pmem_benchmark.yml b/.github/workflows/pmem_benchmark.yml
@@ -10,13 +10,13 @@ on:
         type: string
         default: master
 
+permissions:
+  contents: read
 
 jobs:
   prep_runtime:
     name: Prepare runtime
     runs-on: [self-hosted, benchmark]
-    permissions:
-      contents: read
     steps:
       - name: Clone the git repo
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -38,8 +38,6 @@ jobs:
             GITHUB_REF: ${{ inputs.reference_ref }}
           - ROLE: rival
             GITHUB_REF: ${{ inputs.rival_ref }}
-    permissions:
-      contents: read
     env:
       MANIFEST: ${{ matrix.ROLE }}/manifest.txt
     steps:

diff --git a/.github/workflows/pmem_ras.yml b/.github/workflows/pmem_ras.yml
@@ -30,6 +30,9 @@ on:
     # run this job every 8 hours
     - cron:  '0 */8 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     name: PMEM_RAS

diff --git a/.github/workflows/pmem_test_matrix.yml b/.github/workflows/pmem_test_matrix.yml
@@ -17,6 +17,9 @@ on:
         type: number
         default: 360 # The jobs.<job_id>.timeout-minutes default.
 
+permissions:
+  contents: read
+
 jobs:
   job:
     name: ${{ matrix.force_enable }}, ${{ matrix.test_script }}, ${{ matrix.os }}, ${{ matrix.build }}

diff --git a/.github/workflows/pmem_tests.yml b/.github/workflows/pmem_tests.yml
@@ -9,6 +9,9 @@ on:
     # run this job at 18:00 UTC every day
     - cron:  '0 18 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   # Test the default build with the basic test suite.
   Basic:

diff --git a/.github/workflows/scan_bandit.yml b/.github/workflows/scan_bandit.yml
@@ -9,6 +9,9 @@ env:
   PMREORDER: src/tools/pmreorder/*.py
   CALL_STACKS_ANALYSIS: utils/call_stacks_analysis/*.py
 
+permissions:
+  contents: read
+
 jobs:
   bandit:
     name: Bandit

diff --git a/.github/workflows/scan_codeql.yml b/.github/workflows/scan_codeql.yml
@@ -4,14 +4,15 @@ name: CodeQL
 on:
   workflow_call:
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   codeql:
     name: CodeQL
     runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
 
     steps:
     - name: Clone the git repo

diff --git a/.github/workflows/scan_coverage.yml b/.github/workflows/scan_coverage.yml
@@ -24,6 +24,9 @@ env:
   TEST_BUILD:   debug
   FAULT_INJECTION: 1
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     name: Linux

diff --git a/.github/workflows/scan_coverity.yml b/.github/workflows/scan_coverity.yml
@@ -21,6 +21,9 @@ env:
   VALGRIND:     1
   COVERITY:     1
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     name: Linux

diff --git a/.github/workflows/scan_documentation.yml b/.github/workflows/scan_documentation.yml
@@ -4,6 +4,9 @@ name: Documentation
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     name: Documentation

diff --git a/.github/workflows/scan_log_calls.yml b/.github/workflows/scan_log_calls.yml
@@ -5,6 +5,8 @@ on:
   workflow_dispatch:
   workflow_call:
 
+permissions:
+  contents: read
 
 jobs:
   log-calls:

diff --git a/.github/workflows/scan_stack_usage.yml b/.github/workflows/scan_stack_usage.yml
@@ -8,6 +8,9 @@ on:
 env:
   CALL_STACKS_TOOLS_PATH: pmdk/utils/call_stacks_analysis
 
+permissions:
+  contents: read
+
 jobs:
   stack-usage:
     name: Stack usage

diff --git a/.github/workflows/scan_ubsan.yml b/.github/workflows/scan_ubsan.yml
@@ -18,6 +18,9 @@ env:
   UBSAN:        1
   FAULT_INJECTION: 1
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     name: Linux

diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
@@ -7,6 +7,9 @@ on:
     # run this job at 00:00 UTC every day
     - cron:  '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   call-bandit:
     uses: ./.github/workflows/scan_bandit.yml

diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -8,6 +8,9 @@ env:
   GITHUB_REPO: pmem/pmdk
   DOCKER_REPO: ghcr.io/pmem/pmdk
 
+permissions:
+  contents: read
+
 jobs:
   linux:
     name: Linux