From 3dc7ec1e82a906b7699700ddb49e330044039d5b Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 10 Sep 2024 19:03:12 -0700 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#507) --- .github/workflows/codeql.yml | 7 ++++++- .github/workflows/main.yml | 3 +++ .github/workflows/test.yml | 3 +++ .github/workflows/vcpkg.yml | 3 +++ 4 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a05a2df5..b159d884 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -23,13 +23,18 @@ on: schedule: - cron: '43 3 * * 3' +permissions: + contents: read + jobs: analyze: name: Analyze (C/C++) runs-on: windows-latest timeout-minutes: 360 permissions: - security-events: write + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report packages: read steps: diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9af1d23b..5c399e15 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -21,6 +21,9 @@ on: - build/*.targets - build/*.yml +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 93b56895..d8710d3f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,6 +24,9 @@ on: env: DIRECTXTEX_MEDIA_PATH: ${{ github.workspace }}/Media +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }} diff --git a/.github/workflows/vcpkg.yml b/.github/workflows/vcpkg.yml index 973548f1..c0bba6b1 100644 --- a/.github/workflows/vcpkg.yml +++ b/.github/workflows/vcpkg.yml @@ -15,6 +15,9 @@ on: - LICENSE - build/* +permissions: + contents: read + jobs: build: runs-on: ${{ matrix.os }}