[StepSecurity] ci: Harden GitHub Actions (#171)

2024-09-10 19:05:06 -07:00 · 2024-09-10 19:05:06 -07:00 · 7d6ec8875c
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -21,13 +21,18 @@ on:
  schedule:
    - cron: '19 19 * * 0'

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze (C/C++)
    runs-on: windows-latest
    timeout-minutes: 360
    permissions:
-      security-events: write
+      actions: read  # for github/codeql-action/init to get workflow details
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/autobuild to send a status report
      packages: read

    steps:
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -19,6 +19,9 @@ on:
      - build/*.ps1
      - build/*.yml

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -23,6 +23,9 @@ env:
  DIRECTXMESH_MEDIA_PATH: ${{ github.workspace }}/Media
  DIRECTXTEX_MEDIA_PATH: ${{ github.workspace }}/Media

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}
--- a/.github/workflows/vcpkg.yml
+++ b/.github/workflows/vcpkg.yml
@ -15,6 +15,9 @@ on:
      - LICENSE
      - build/*

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}