build: harden GitHub workflow permissions
authorAlex Low <aleksandrosansan@gmail.com>
Mon, 19 Sep 2022 10:20:37 +0000 (12:20 +0200)
committerHauke Mehrtens <hauke@hauke-m.de>
Sun, 27 Nov 2022 16:39:36 +0000 (17:39 +0100)
Grant pull-requests write permission to the labeler workflow and
read-only to everything else.

Signed-off-by: Alex Low <aleksandrosansan@gmail.com>
[ wrap to 80 columns and fix wrong author as requested by the author ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 715259940776843d8799bc39de8eb50eb764189b)

.github/workflows/formal.yml
.github/workflows/labeler.yml
.github/workflows/tools.yml

index 5046b5a180cc84b717158c5e68401cd71f143d6e..125648163782152c53a191982d64743fe0a1dad7 100644 (file)
@@ -3,6 +3,9 @@ name: Test Formalities
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Test Formalities
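Review bot: The new top-level `permissions:` block carries no comment explaining that it deliberately restricts the workflow's GITHUB_TOKEN, so a later contributor adding a job may not realise the read-only default is intentional; a one-liner above it such as `# least privilege: GITHUB_TOKEN is read-only unless a job declares more` would make that clear. Note also that a job-level `permissions:` block replaces this default rather than extending it (unspecified scopes become none there), so any future job that needs a write scope must also restate `contents: read` if it checks out the repository. The identical block added to tools.yml in the last hunk would benefit from the same comment.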
index 6bcdf51a89288836ca1b2b676b9b69ad9821afde..420617809b668068d255838bb7f5bcc6650b6c17 100644 (file)
@@ -2,8 +2,15 @@ name: 'Pull Request Labeler'
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   labeler:
+    permissions:
+      contents: read # to determine modified files (actions/labeler)
+      pull-requests: write # to add labels to PRs (actions/labeler)
+
     name: Pull Request Labeler
     runs-on: ubuntu-latest
     steps:
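Review bot: The inline comments on the two new scope lines leave only one space before `#`, which yamllint's default `comments` rule flags; two spaces are conventional, e.g. `contents: read  # to determine modified files (actions/labeler)`. More substantively, this job is triggered by `pull_request_target`, so the `pull-requests: write` token it now declares runs in the base-repository context; the job's steps lie outside the hunk, so it is worth confirming that they do not check out or run the PR head ref while that token is in scope — the labeler only needs the base branch's configuration file. The workflow-level `contents: read` block above is redundant for this single job once the job-level block exists, though it is harmless as a default for any job added later.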
index 76cbd30db7e75d9ad70d304a2ffedf5f84c35e89..e089e26193d4fe14de9a44ed76b3f8cbb5447c0f 100644 (file)
@@ -5,6 +5,9 @@ on:
     paths:
       - 'tools/**'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build tools on ${{ matrix.os }}