ci: limit workflow permissions.

Make it so pull requests from outside contributors can't edit workflows under .github/workflows/ without approval. Also limit workflows to the minimum permissions necessary.
2021-09-18 04:31:48 -05:00
parent 39fa2fe02d
commit 52cf13dff1
3 changed files with 15 additions and 0 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -0,0 +1,7 @@
+# This file is used by Github to prevent pull requests from modifying CI
+# workflow files without approval.
+#
+# https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#using-codeowners-to-monitor-changes
+# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
+
+.github/ @evazion
--- a/.github/workflows/docker-build.yaml
+++ b/.github/workflows/docker-build.yaml
@@ -17,6 +17,11 @@ name: Docker Build
 # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
 on: [push, create]

+# https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token
+# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idpermissions
+permissions:
+  packages: write
+
 jobs:
  docker-build:
    runs-on: ubuntu-latest
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -2,6 +2,9 @@

 name: Test

+# https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#permissions
+permissions: read-all
+
 on:
  # https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_run
  workflow_run: