From c9a149349ab3bd39f894552a8a377c2ecb8f41e9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Benjamin=20Cab=C3=A9?= Date: Tue, 18 Mar 2025 12:26:54 +0100 Subject: [PATCH] ci: Update GitHub Actions workflows to follow principle of least privilege MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Default to `permissions: read-all` in all workflows and then add additional permissions as needed at the job level 
Signed-off-by: Benjamin Cabé --- .github/workflows/assigner.yml | 6 ++++++ .github/workflows/backport.yml | 7 +++++++ .github/workflows/backport_issue_check.yml | 5 +++++ .github/workflows/bsim-tests-publish.yaml | 6 ++++++ .github/workflows/bsim-tests.yaml | 6 ++++++ .github/workflows/bug_snapshot.yaml | 3 +++ .github/workflows/codecov.yaml | 3 +++ .github/workflows/coding_guidelines.yml | 3 +++ .github/workflows/compliance.yml | 3 +++ .github/workflows/daily_test_version.yml | 3 +++ .github/workflows/devicetree_checks.yml | 3 +++ .github/workflows/do_not_merge.yml | 3 +++ .github/workflows/doc-build.yml | 3 +++ .github/workflows/doc-publish-pr.yml | 3 +++ .github/workflows/doc-publish.yml | 3 +++ .github/workflows/errno.yml | 3 +++ .github/workflows/footprint-tracking.yml | 3 +++ .github/workflows/greet_first_time_contributor.yml | 6 ++++++ .github/workflows/hello_world_multiplatform.yaml | 3 +++ .github/workflows/issue_count.yml | 3 +++ .github/workflows/license_check.yml | 3 +++ .github/workflows/manifest.yml | 5 +++++ .github/workflows/pylib_tests.yml | 3 +++ .github/workflows/ready-to-merge.yml | 3 +++ .github/workflows/release.yml | 5 +++++ .github/workflows/scripts_tests.yml | 3 +++ .github/workflows/stale-workflow-queue-cleanup.yml | 5 +++++ .github/workflows/stale_issue.yml | 7 +++++++ .github/workflows/stats_merged_prs.yml | 4 ++++ .github/workflows/twister-prep.yaml | 3 +++ .github/workflows/twister-publish.yaml | 3 +++ .github/workflows/twister.yaml | 5 +++++ .github/workflows/twister_tests.yml | 3 +++ .github/workflows/twister_tests_blackbox.yml | 3 +++ .github/workflows/west_cmds.yml | 5 ++++- 35 files changed, 137 insertions(+), 1 deletion(-) diff --git a/.github/workflows/assigner.yml b/.github/workflows/assigner.yml index aab157ce790..c9bfec1b332 100644 --- a/.github/workflows/assigner.yml +++ b/.github/workflows/assigner.yml 
@@ -15,11 +15,17 @@ on: types: - labeled +permissions: + contents: read + jobs: assignment: name: Pull Request Assignment if: github.event.pull_request.draft == false runs-on: ubuntu-22.04 + permissions: + pull-requests: write # to add assignees to pull requests + issues: write # to add assignees to issues steps: - name: Install Python dependencies diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index d02487a2bab..969e39c2a62 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -7,10 +7,17 @@ on: branches: - main +permissions: + contents: read + jobs: backport: name: Backport runs-on: ubuntu-22.04 + permissions: + contents: write # to create/push backport branches + pull-requests: write # to create backport PRs + issues: write # to add labels to issue created if backport fails # Only react to merged PRs for security reasons. # See https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target. if: > diff --git a/.github/workflows/backport_issue_check.yml b/.github/workflows/backport_issue_check.yml index 32270f16176..71c580c0ec0 100644 --- a/.github/workflows/backport_issue_check.yml +++ b/.github/workflows/backport_issue_check.yml @@ -10,6 +10,9 @@ on: branches: - v*-branch +permissions: + contents: read + jobs: backport: name: Backport Issue Check @@ -18,6 +21,8 @@ jobs: cancel-in-progress: true runs-on: ubuntu-22.04 if: github.repository == 'zephyrproject-rtos/zephyr' + permissions: + issues: read # to check if associated issue exists for backport steps: - name: Check out source code diff --git a/.github/workflows/bsim-tests-publish.yaml b/.github/workflows/bsim-tests-publish.yaml index b9c5fc60f31..455cea4031d 100644 --- a/.github/workflows/bsim-tests-publish.yaml +++ b/.github/workflows/bsim-tests-publish.yaml 
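Review bot: The job-level `permissions:` block added to `assignment` replaces the workflow-level block instead of extending it, so this job runs with `contents: none` despite the new top-level `contents: read`; GitHub sets every scope not listed in a job-level block to none. The same applies to the job-level blocks in backport_issue_check.yml, bsim-tests-publish.yaml, bsim-tests.yaml, greet_first_time_contributor.yml, manifest.yml, stale-workflow-queue-cleanup.yml, stale_issue.yml and twister.yaml (backport.yml and release.yml are unaffected because they grant `contents: write`). On a public repository a checkout usually still succeeds without it, but any step that relies on the token for reads will not, so either add `contents: read  # job-level block replaces the workflow default` to the job blocks that check out or read the repository, or state the override explicitly in each job's comment. The commit message also says the default is `permissions: read-all`, while every workflow actually gets `contents: read`, which is stricter (all other scopes become none); the description should say which one is intended.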
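Review bot: `contents: write` granted to the `backport` job is the broadest grant in this series and the workflow runs on `pull_request_target` (see the comment and docs link right after the new block), so the merged-only `if:` guard, which continues outside the hunk, is the only thing keeping that token away from code from an unmerged PR; the permission comment should say so. Suggested wording: `contents: write # to create/push backport branches; relies on the merged-only if: guard below`. Whether the job checks out the PR head or the base branch is not visible in this hunk; with a write token that distinction matters and is worth confirming.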
@@ -5,11 +5,17 @@ on: workflows: ["BabbleSim Tests"] types: - completed + +permissions: + contents: read + jobs: bsim-test-results: name: "Publish BabbleSim Test Results" runs-on: ubuntu-22.04 if: github.event.workflow_run.conclusion != 'skipped' + permissions: + checks: write # to create the check run entry with test results steps: - name: Download artifacts diff --git a/.github/workflows/bsim-tests.yaml b/.github/workflows/bsim-tests.yaml index e4dbc99a7e9..6034fe7c47b 100644 --- a/.github/workflows/bsim-tests.yaml +++ b/.github/workflows/bsim-tests.yaml @@ -28,6 +28,9 @@ on: - "drivers/serial/*nrfx*" - "tests/drivers/uart/**" +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }} cancel-in-progress: true @@ -45,6 +48,9 @@ jobs: BSIM_OUT_PATH: /opt/bsim/ BSIM_COMPONENTS_PATH: /opt/bsim/components EDTT_PATH: ../tools/edtt + permissions: + checks: write # to create the check run entry with test results + steps: - name: Apply container owner mismatch workaround run: | diff --git a/.github/workflows/bug_snapshot.yaml b/.github/workflows/bug_snapshot.yaml index 11a07ab6567..0825de5ae97 100644 --- a/.github/workflows/bug_snapshot.yaml +++ b/.github/workflows/bug_snapshot.yaml @@ -13,6 +13,9 @@ on: # Run daily at 14:05 - cron: '5 14 * * *' +permissions: + contents: read + jobs: make_bugs_pickle: name: Make bugs pickle diff --git a/.github/workflows/codecov.yaml b/.github/workflows/codecov.yaml index 3bce971a094..2f763153fed 100644 --- a/.github/workflows/codecov.yaml +++ b/.github/workflows/codecov.yaml @@ -4,6 +4,9 @@ on: schedule: - cron: '25 06,18 * * *' +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/coding_guidelines.yml b/.github/workflows/coding_guidelines.yml index f4f4fdeeef0..e720d73611e 100644 
--- a/.github/workflows/coding_guidelines.yml +++ b/.github/workflows/coding_guidelines.yml @@ -2,6 +2,9 @@ name: Coding Guidelines on: pull_request +permissions: + contents: read + jobs: compliance_job: runs-on: ubuntu-22.04 diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml index 7f27f6c0aa1..559e315d587 100644 --- a/.github/workflows/compliance.yml +++ b/.github/workflows/compliance.yml @@ -8,6 +8,9 @@ on: - reopened - synchronize +permissions: + contents: read + jobs: check_compliance: runs-on: ubuntu-22.04 diff --git a/.github/workflows/daily_test_version.yml b/.github/workflows/daily_test_version.yml index 5fa69ca4ff1..4b26800c538 100644 --- a/.github/workflows/daily_test_version.yml +++ b/.github/workflows/daily_test_version.yml @@ -10,6 +10,9 @@ on: branches: - refs/tags/* +permissions: + contents: read + jobs: get_version: runs-on: ubuntu-22.04 diff --git a/.github/workflows/devicetree_checks.yml b/.github/workflows/devicetree_checks.yml index 06347ce1c25..30d43a45f6a 100644 --- a/.github/workflows/devicetree_checks.yml +++ b/.github/workflows/devicetree_checks.yml @@ -20,6 +20,9 @@ on: - 'scripts/dts/**' - '.github/workflows/devicetree_checks.yml' +permissions: + contents: read + jobs: devicetree-checks: name: Devicetree script tests diff --git a/.github/workflows/do_not_merge.yml b/.github/workflows/do_not_merge.yml index 8d90efa981d..39275a03f11 100644 --- a/.github/workflows/do_not_merge.yml +++ b/.github/workflows/do_not_merge.yml @@ -4,6 +4,9 @@ on: pull_request: types: [synchronize, opened, reopened, labeled, unlabeled] +permissions: + contents: read + jobs: do-not-merge: name: Prevent Merging diff --git a/.github/workflows/doc-build.yml b/.github/workflows/doc-build.yml index aff05f79287..89b0118f7e1 100644 --- a/.github/workflows/doc-build.yml +++ b/.github/workflows/doc-build.yml 
@@ -11,6 +11,9 @@ on: - v* pull_request: +permissions: + contents: read + env: # NOTE: west docstrings will be extracted from the version listed here WEST_VERSION: 1.2.0 diff --git a/.github/workflows/doc-publish-pr.yml b/.github/workflows/doc-publish-pr.yml index 445283e3b9c..f78f75a1451 100644 --- a/.github/workflows/doc-publish-pr.yml +++ b/.github/workflows/doc-publish-pr.yml @@ -10,6 +10,9 @@ on: types: - completed +permissions: + contents: read + jobs: doc-publish: name: Publish Documentation diff --git a/.github/workflows/doc-publish.yml b/.github/workflows/doc-publish.yml index 21c18ad5d64..e55ea5025e2 100644 --- a/.github/workflows/doc-publish.yml +++ b/.github/workflows/doc-publish.yml @@ -13,6 +13,9 @@ on: types: - completed +permissions: + contents: read + jobs: doc-publish: name: Publish Documentation diff --git a/.github/workflows/errno.yml b/.github/workflows/errno.yml index 105f3f58ce4..b37310a70ec 100644 --- a/.github/workflows/errno.yml +++ b/.github/workflows/errno.yml @@ -6,6 +6,9 @@ on: - 'lib/libc/minimal/include/errno.h' - 'scripts/ci/errno.py' +permissions: + contents: read + jobs: check-errno: runs-on: ubuntu-22.04 diff --git a/.github/workflows/footprint-tracking.yml b/.github/workflows/footprint-tracking.yml index 1b37c387786..5a2802aab02 100644 --- a/.github/workflows/footprint-tracking.yml +++ b/.github/workflows/footprint-tracking.yml @@ -16,6 +16,9 @@ on: # same commit - 'v*' +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/greet_first_time_contributor.yml b/.github/workflows/greet_first_time_contributor.yml index 99ca77adf5a..176b7bfe7a7 100644 --- a/.github/workflows/greet_first_time_contributor.yml +++ b/.github/workflows/greet_first_time_contributor.yml 
@@ -6,10 +6,16 @@ on: pull_request_target: types: [opened, closed] +permissions: + contents: read + jobs: check_for_first_interaction: runs-on: ubuntu-22.04 if: github.repository == 'zephyrproject-rtos/zephyr' + permissions: + pull-requests: write # to comment on pull requests + issues: write # to comment on issues steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/hello_world_multiplatform.yaml b/.github/workflows/hello_world_multiplatform.yaml index bd4f7484c24..ee61f993bc0 100644 --- a/.github/workflows/hello_world_multiplatform.yaml +++ b/.github/workflows/hello_world_multiplatform.yaml @@ -16,6 +16,9 @@ on: - '.github/workflows/hello_world_multiplatform.yaml' - 'SDK_VERSION' +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/issue_count.yml b/.github/workflows/issue_count.yml index 8bc2dfe67d2..61535c000b0 100644 --- a/.github/workflows/issue_count.yml +++ b/.github/workflows/issue_count.yml @@ -4,6 +4,9 @@ on: schedule: - cron: '*/10 * * * *' +permissions: + contents: read + env: OUTPUT_FILE_NAME: IssuesReport.md COMMITTER_EMAIL: actions@github.com diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml index d8e0ec0a4c6..916e74f2114 100644 --- a/.github/workflows/license_check.yml +++ b/.github/workflows/license_check.yml @@ -2,6 +2,9 @@ name: Scancode on: [pull_request] +permissions: + contents: read + jobs: scancode_job: runs-on: ubuntu-22.04 diff --git a/.github/workflows/manifest.yml b/.github/workflows/manifest.yml index 4d5129cddfc..c04209a3119 100644 --- a/.github/workflows/manifest.yml +++ b/.github/workflows/manifest.yml 
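Review bot: The `check_for_first_interaction` job now holds `pull-requests: write` and `issues: write` under a `pull_request_target` trigger, and the first visible step is `actions/checkout`; whether that checkout pins the base ref or the PR head is outside the hunk, and with a write-scoped token the difference matters, so it is worth confirming and recording next to the permissions block, e.g. `# pull_request_target with write scopes: checkout must stay on the base ref`. manifest.yml has the same combination (`pull_request_target`, `pull-requests: write`, a `Checkout the code` step) and would benefit from the same comment.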
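Review bot: issue_count.yml now runs with `contents: read` only, but the env block right after the new lines (`OUTPUT_FILE_NAME: IssuesReport.md`, `COMMITTER_EMAIL: actions@github.com`) suggests the job commits a generated report somewhere; if that push uses `GITHUB_TOKEN` it will now fail, whereas if it uses a dedicated secret nothing changes. The rest of the workflow is outside the hunk, so this is an inference to confirm; a comment such as `# report is pushed with a dedicated token, GITHUB_TOKEN stays read-only` next to `permissions:` would settle it for the next reader.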
@@ -2,9 +2,14 @@ name: Manifest on: pull_request_target: +permissions: + contents: read + jobs: contribs: runs-on: ubuntu-22.04 + permissions: + pull-requests: write # to create/update pull request comments name: Manifest steps: - name: Checkout the code diff --git a/.github/workflows/pylib_tests.yml b/.github/workflows/pylib_tests.yml index 2a88bf347e7..5c9c3ef6d02 100644 --- a/.github/workflows/pylib_tests.yml +++ b/.github/workflows/pylib_tests.yml @@ -19,6 +19,9 @@ on: - 'scripts/pylib/build_helpers/**' - '.github/workflows/pylib_tests.yml' +permissions: + contents: read + jobs: pylib-tests: name: Misc. Pylib Unit Tests diff --git a/.github/workflows/ready-to-merge.yml b/.github/workflows/ready-to-merge.yml index 897a6044522..01f08e8a4b6 100644 --- a/.github/workflows/ready-to-merge.yml +++ b/.github/workflows/ready-to-merge.yml @@ -7,6 +7,9 @@ on: type: string required: true +permissions: + contents: read + jobs: all_jobs_passed: name: all jobs passed diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3c9b2525a76..9cf41422deb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,9 +6,14 @@ on: - 'v*' - '!v*rc*' +permissions: + contents: read + jobs: release: runs-on: ubuntu-22.04 + permissions: + contents: write # to create GitHub release entry steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: diff --git a/.github/workflows/scripts_tests.yml b/.github/workflows/scripts_tests.yml index fa2a672075c..9e72b01f345 100644 --- a/.github/workflows/scripts_tests.yml +++ b/.github/workflows/scripts_tests.yml @@ -19,6 +19,9 @@ on: - 'scripts/build/**' - '.github/workflows/scripts_tests.yml' +permissions: + contents: read + jobs: scripts-tests: name: Scripts tests diff --git a/.github/workflows/stale-workflow-queue-cleanup.yml b/.github/workflows/stale-workflow-queue-cleanup.yml index ba1e06fe6b2..8dc9b1ed502 100644 --- a/.github/workflows/stale-workflow-queue-cleanup.yml 
+++ b/.github/workflows/stale-workflow-queue-cleanup.yml @@ -7,6 +7,9 @@ on: # everyday at 15:00 - cron: '0 15 * * *' +permissions: + contents: read + concurrency: group: stale-workflow-queue-cleanup cancel-in-progress: true @@ -15,6 +18,8 @@ jobs: cleanup: name: Cleanup runs-on: ubuntu-22.04 + permissions: + actions: write # to delete stale workflow runs steps: - name: Delete stale queued workflow runs diff --git a/.github/workflows/stale_issue.yml b/.github/workflows/stale_issue.yml index febf9ef3983..fa7889e9aa5 100644 --- a/.github/workflows/stale_issue.yml +++ b/.github/workflows/stale_issue.yml @@ -3,11 +3,18 @@ on: schedule: - cron: "16 00 * * *" +permissions: + contents: read + jobs: stale: name: Find Stale issues and PRs runs-on: ubuntu-22.04 if: github.repository == 'zephyrproject-rtos/zephyr' + permissions: + pull-requests: write # to comment on stale pull requests + issues: write # to comment on stale issues + steps: - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0 with: diff --git a/.github/workflows/stats_merged_prs.yml b/.github/workflows/stats_merged_prs.yml index 6ec8a1a4379..08f0f63e7ed 100644 --- a/.github/workflows/stats_merged_prs.yml +++ b/.github/workflows/stats_merged_prs.yml @@ -6,6 +6,10 @@ on: - main - v*-branch types: [closed] + +permissions: + contents: read + jobs: record_merged: if: github.event.pull_request.merged == true && github.repository == 'zephyrproject-rtos/zephyr' diff --git a/.github/workflows/twister-prep.yaml b/.github/workflows/twister-prep.yaml index f913697a8c7..5ea135ddde4 100644 --- a/.github/workflows/twister-prep.yaml +++ b/.github/workflows/twister-prep.yaml @@ -13,6 +13,9 @@ on: description: fullrun value: ${{ jobs.prep_push.outputs.fullrun != '' && jobs.prep_push.outputs.fullrun || jobs.prep_pr.outputs.size }} +permissions: + contents: read + jobs: prep_pr: if: github.repository_owner == 'zephyrproject-rtos' && github.event_name == 'pull_request_target' 
diff --git a/.github/workflows/twister-publish.yaml b/.github/workflows/twister-publish.yaml index a87f48f78ce..63433d7569b 100644 --- a/.github/workflows/twister-publish.yaml +++ b/.github/workflows/twister-publish.yaml @@ -8,6 +8,9 @@ on: types: - completed +permissions: + contents: read + jobs: upload-to-elasticsearch: if: | diff --git a/.github/workflows/twister.yaml b/.github/workflows/twister.yaml index 07ae039ad07..04f687888b2 100644 --- a/.github/workflows/twister.yaml +++ b/.github/workflows/twister.yaml @@ -15,6 +15,9 @@ on: # Run at 17:00 UTC on every Saturday - cron: '0 17 * * 6' +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.head_ref || github.ref }} cancel-in-progress: true @@ -213,6 +216,8 @@ jobs: needs: - twister-build runs-on: ubuntu-22.04 + permissions: + checks: write # to create the check run entry with Twister test results # the build-and-test job might be skipped, we don't need to run this job then if: success() || failure() diff --git a/.github/workflows/twister_tests.yml b/.github/workflows/twister_tests.yml index 4ce5c700d83..a1b410681d2 100644 --- a/.github/workflows/twister_tests.yml +++ b/.github/workflows/twister_tests.yml @@ -26,6 +26,9 @@ on: - '.github/workflows/twister_tests.yml' - 'scripts/schemas/twister/' +permissions: + contents: read + jobs: twister-tests: name: Twister Unit Tests diff --git a/.github/workflows/twister_tests_blackbox.yml b/.github/workflows/twister_tests_blackbox.yml index b72944bce95..3e2036b4ea7 100644 --- a/.github/workflows/twister_tests_blackbox.yml +++ b/.github/workflows/twister_tests_blackbox.yml @@ -15,6 +15,9 @@ on: - 'scripts/tests/twister_blackbox/**' - '.github/workflows/twister_tests_blackbox.yml' +permissions: + contents: read + jobs: twister-tests: name: Twister Black Box Tests diff --git a/.github/workflows/west_cmds.yml b/.github/workflows/west_cmds.yml index bb4dc8ddda8..665ae468980 100644 --- a/.github/workflows/west_cmds.yml 
+++ b/.github/workflows/west_cmds.yml @@ -23,8 +23,11 @@ on: - 'scripts/west_commands/**' - '.github/workflows/west_cmds.yml' +permissions: + contents: read + jobs: - west-commnads: + west-commands: name: West Command Tests runs-on: ${{ matrix.os }} strategy:
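Review bot: The `west-commnads` → `west-commands` job id rename is unrelated to the permissions change and is not mentioned in the commit message; a job id is what `needs:` and any tooling keyed on the id reference, so the rename deserves its own line in the description or its own commit. The `west-commands` job continues past the end of the hunk, so whether anything references the old id is not visible here.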