workflows: Fix security issues

read-all permissions gives access to e.g. security-events, which these don't need, and can easily lead to leaks Co-Authored-By: 13x1 <tori@disroot.org> Co-Authored-By: basti564 <e3e@disroot.org> (cherry picked from commit 6b8ce4aedf)
2024-11-25 00:12:56 +00:00 · 2024-10-26 15:03:37 +02:00 · 2024-10-26 15:03:37 +02:00 · ccc38ebba1
commit ccc38ebba1
parent 5691625565
5 changed files with 13 additions and 4 deletions
--- a/.github/workflows/codeowners.yml
+++ b/.github/workflows/codeowners.yml
@ -24,6 +24,9 @@ on:
  pull_request_target:
    types: [opened, ready_for_review, synchronize, reopened, edited]

+# We don't need any default GitHub token
+permissions: {}
+
 env:
  OWNERS_FILE: ci/OWNERS
  # Don't do anything on draft PRs
--- a/.github/workflows/editorconfig.yml
+++ b/.github/workflows/editorconfig.yml
@ -1,6 +1,8 @@
 name: "Checking EditorConfig"

-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read

 on:
  # avoids approving first time contributors
--- a/.github/workflows/manual-nixos.yml
+++ b/.github/workflows/manual-nixos.yml
@ -1,6 +1,7 @@
 name: "Build NixOS manual"

-permissions: read-all
+permissions:
+  contents: read

 on:
  pull_request_target:
--- a/.github/workflows/manual-nixpkgs.yml
+++ b/.github/workflows/manual-nixpkgs.yml
@ -1,6 +1,7 @@
 name: "Build Nixpkgs manual"

-permissions: read-all
+permissions:
+  contents: read

 on:
  pull_request_target:
--- a/.github/workflows/nix-parse.yml
+++ b/.github/workflows/nix-parse.yml
@ -1,6 +1,8 @@
 name: "Check whether nix files are parseable"

-permissions: read-all
+permissions:
+  pull-requests: read
+  contents: read

 on:
  # avoids approving first time contributors