[StepSecurity] ci: Harden GitHub Actions (#507)

2024-09-10 19:03:12 -07:00 · 2024-09-10 19:03:12 -07:00 · 3dc7ec1e82
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -23,13 +23,18 @@ on:
  schedule:
    - cron: '43 3 * * 3'

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze (C/C++)
    runs-on: windows-latest
    timeout-minutes: 360
    permissions:
-      security-events: write
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
      packages: read

    steps:
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -21,6 +21,9 @@ on:
      - build/*.targets
      - build/*.yml

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -24,6 +24,9 @@ on:
 env:
  DIRECTXTEX_MEDIA_PATH: ${{ github.workspace }}/Media

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}
--- a/.github/workflows/vcpkg.yml
+++ b/.github/workflows/vcpkg.yml
@ -15,6 +15,9 @@ on:
      - LICENSE
      - build/*

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}