[StepSecurity] ci: Harden GitHub Actions (#154)

2024-09-10 19:03:50 -07:00 · 2024-09-10 19:03:50 -07:00 · d1462fe483
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -22,13 +22,18 @@ on:
  schedule:
    - cron: '34 18 * * 6'

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze (C/C++)
    runs-on: windows-latest
    timeout-minutes: 360
    permissions:
-      security-events: write
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
      packages: read

    steps:
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -20,6 +20,9 @@ on:
      - build/*.targets
      - build/*.yml

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -23,6 +23,9 @@ on:
 env:
  DIRECTXMESH_MEDIA_PATH: ${{ github.workspace }}/Media

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}
--- a/.github/workflows/vcpkg.yml
+++ b/.github/workflows/vcpkg.yml
@ -15,6 +15,9 @@ on:
      - LICENSE
      - build/*

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}