ci: Restrict content permissions to harden GitHub Actions (#2484)

* Restrict content permissions to read. At the moment there are no steps to the changed workflows that use tokens, and so this is preventative if this ever changes. * Give packages write permissions to publish to ghcr. - Amends PR #2483.
scikit-hep · May 25, 2024 · 42cd129 · 42cd129
1 parent cdd404a
commit 42cd129
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 0 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -25,6 +25,9 @@ permissions:
 jobs:
   docker:
     name: Build, test, and publish Docker images to Docker Hub
+    permissions:
+      contents: read
+      packages: write  # for docker to push to registry
     runs-on: ubuntu-latest
 
     steps:

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build docs

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -8,6 +8,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   lint: