From 45c8b67cdb7ef96852081c476f0d8dba568e9d57 Mon Sep 17 00:00:00 2001
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Fri, 15 Apr 2022 14:51:52 +0000
Subject: [PATCH] Set permissions for GitHub actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions

https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions

https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)

 Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/ci.yml           | 5 +++++
 .github/workflows/post-release.yml | 5 +++++
 .github/workflows/rust-next.yml    | 3 +++
 .github/workflows/spelling.yml     | 3 +++
 4 files changed, 16 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4e106e3bf6f..424d2e64303 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,8 +5,13 @@ on:
     branches: [master]
   schedule:
   - cron: '3 3 3 * *'
+permissions:
+  contents: read
+
 jobs:
   ci:
+    permissions:
+      contents: none
     name: CI
     needs: [test, check, docs, rustfmt, clippy]
     runs-on: ubuntu-latest
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
index ee516150504..e7334fe13fa 100644
--- a/.github/workflows/post-release.yml
+++ b/.github/workflows/post-release.yml
@@ -3,8 +3,13 @@ on:
   push:
     tags:
     - "v*"
+permissions:
+  contents: read
+
 jobs:
   create-release:
+    permissions:
+      contents: write  # for actions/create-release to create a release
     name: create-release
     runs-on: ubuntu-latest
     outputs:
diff --git a/.github/workflows/rust-next.yml b/.github/workflows/rust-next.yml
index 50a46298721..d3866f2d123 100644
--- a/.github/workflows/rust-next.yml
+++ b/.github/workflows/rust-next.yml
@@ -2,6 +2,9 @@ name: rust-next
 on:
   schedule:
   - cron: '3 3 3 * *'
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test
diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
index 8d296517ff7..3eac2073941 100644
--- a/.github/workflows/spelling.yml
+++ b/.github/workflows/spelling.yml
@@ -1,6 +1,9 @@
 name: Spelling
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   spelling:
     name: Spell Check with Typos