Make GHA permissions explicit and often narrower

EliahKagan · EliahKagan · commit f41a58cb0c0a · 2024-11-10T16:17:19.000-05:00
This adds `permissions` keys at workflow or job level in a number of places, usually specifying minimal required permissions. When a `permissions` key contains at least one subkey setting some permission (in any way), all permissions it does not have subkeys for are treated as if they were present with a value of `none`. This relies on that rather than listing all unneeded permissions everywhere with `none`. So most `permissions` added here have only `contents: read`, and: - The only place where `none` is specified explicitly is in the CIFuzz workflow, where no permissions (of those controllable through `permissions`) are needed. - The only place any `write` permissions are specified are `contents: write` in the jobs of the release workflow that need it. All jobs involved in preparing a release currently have at least one step that requires this. But `contents: read` is still applied at the workflow level, because the `installation` job (which tests installing) does not need any `write` permissions. Note that some jobs that don't have any write permissions of the kind that is controlled under a `permissions` key do still perform writes to data accessible outside of their run: caching (including creating new caches), and uploading artifacts, still works. Relevant documentation: - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions - https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -13,6 +13,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   CARGO_TERM_COLOR: always
   CLICOLOR: 1
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -20,6 +20,9 @@ jobs:
   Fuzzing:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: none  # The fuzzing actions don't use our github.token at all.
+
     steps:
       - name: Build Fuzzers
         id: build
diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml
@@ -5,6 +5,9 @@ on:
     - cron: '0 13,1 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   stress:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/msrv.yml b/.github/workflows/msrv.yml
@@ -13,6 +13,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-msrv:
     name: cargo check MSRV
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ on:
       - 'v*'
   workflow_dispatch:
 
+permissions:
+  contents: read  # Set more permissively in jobs that need `write`.
+
 defaults:
   run:
     shell: bash
@@ -21,6 +24,9 @@ jobs:
   create-release:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
 #    env:
 #      # Set to force version number, e.g., when no tag exists.
 #      VERSION: TEST-0.0.0
@@ -204,6 +210,9 @@ jobs:
 
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      contents: write
+
     env:
       RUST_BACKTRACE: '1'  # Emit backtraces on panics.
       CARGO_TERM_COLOR: always
@@ -295,6 +304,9 @@ jobs:
         # These features need to be exactly the same as the features in build-release.
         feature: [ small, lean, max, max-pure ]
 
+    permissions:
+      contents: write
+
     env:
       BASH_ENV: ./helpers.sh
       REPOSITORY: ${{ github.repository }}
@@ -354,6 +366,9 @@ jobs:
 
     needs: [ create-release, build-release, build-macos-universal2-release ]
 
+    permissions:
+      contents: write
+
     env:
       REPOSITORY: ${{ github.repository }}
       VERSION: ${{ needs.create-release.outputs.version }}
