Make GHA permissions explicit and often narrower

This adds YAML in a number of places. Related documentation: - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions - https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28 To preserve clarity, this also reduces stylistic inconsistencies, and uses a slightly more spacious style where top-level keys in a job are separated by blank lines.
EliahKagan · Nov 9, 2024 · db5ecd7 · db5ecd7
1 parent 1df68e4
commit db5ecd7
Show file tree

Hide file tree

Showing 5 changed files with 91 additions and 30 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,9 +1,5 @@
 name: ci
 
-env:
-  CARGO_TERM_COLOR: always
-  CLICOLOR: 1
-
 on:
   push:
     branches:
@@ -17,10 +13,19 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
+env:
+  CARGO_TERM_COLOR: always
+  CLICOLOR: 1
+
 jobs:
   pure-rust-build:
     runs-on: ubuntu-latest
+
     container: debian:bookworm
+
     steps:
       - uses: actions/checkout@v4
       - name: Prerequisites
@@ -32,6 +37,7 @@ jobs:
 
   test:
     runs-on: ubuntu-latest
+
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
@@ -56,7 +62,9 @@ jobs:
           - windows-latest
           - macos-latest
           - ubuntu-latest
+
     runs-on: ${{ matrix.os }}
+
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
@@ -82,6 +90,7 @@ jobs:
 
   test-fixtures-windows:
     runs-on: windows-latest
+
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
@@ -118,9 +127,11 @@ jobs:
 
   test-32bit:
     runs-on: ubuntu-latest
+
     strategy:
       matrix:
         target: [ armv7-linux-androideabi ]
+
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@stable
@@ -142,6 +153,7 @@ jobs:
 
   lint:
     runs-on: ubuntu-latest
+
     steps:
       - uses: actions/checkout@v4
       - uses: dtolnay/rust-toolchain@master
@@ -166,6 +178,7 @@ jobs:
 
   cargo-deny:
     runs-on: ubuntu-latest
+
     strategy:
       matrix:
         checks:
@@ -183,11 +196,15 @@ jobs:
 
   wasm:
     name: WebAssembly
+
     runs-on: ubuntu-latest
+
     continue-on-error: true
+
     strategy:
       matrix:
         target: [ wasm32-unknown-unknown, wasm32-wasi ]
+
     steps:
       - uses: actions/checkout@master
       - name: Install Rust
@@ -215,10 +232,13 @@ jobs:
           # However, when changes are made to `etc/copy-packetline.sh`, re-enable the other platforms for testing.
     #       - macos-latest
     #       - windows-latest
+
     runs-on: ${{ matrix.os }}
+
     defaults:
       run:
         shell: bash
+
     steps:
       - uses: actions/checkout@v4
       - name: Check that working tree is initially clean
@@ -237,6 +257,7 @@ jobs:
   # Dummy job to have a stable name for the "all tests pass" requirement
   tests-pass:
     name: Tests pass
+
     needs:
       - pure-rust-build
       - test
@@ -246,8 +267,11 @@ jobs:
       - cargo-deny
       - wasm
       - check-packetline
+
     if: always() # always run even if dependencies fail
+
     runs-on: ubuntu-latest
+
     steps:
       # fail if ANY dependency has failed or cancelled
       - if: "contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')"

diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -1,4 +1,5 @@
 name: CIFuzz
+
 on:
   pull_request:
     branches:
@@ -14,25 +15,33 @@ on:
       - '*.toml'
       - Makefile
   workflow_dispatch:
+
 jobs:
- Fuzzing:
-   runs-on: ubuntu-latest
-   steps:
-   - name: Build Fuzzers
-     id: build
-     uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-     with:
-       oss-fuzz-project-name: 'gitoxide'
-       language: rust
-   - name: Run Fuzzers
-     uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
-     with:
-       oss-fuzz-project-name: 'gitoxide'
-       language: rust
-       fuzz-seconds: 600
-   - name: Upload Crash
-     uses: actions/upload-artifact@v4
-     if: failure() && steps.build.outcome == 'success'
-     with:
-       name: artifacts
-       path: ./out/artifacts
+  Fuzzing:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      actions: write
+
+    steps:
+    - name: Build Fuzzers
+      id: build
+      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'gitoxide'
+        language: rust
+
+    - name: Run Fuzzers
+      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
+      with:
+        oss-fuzz-project-name: 'gitoxide'
+        language: rust
+        fuzz-seconds: 600
+
+    - name: Upload Crash
+      uses: actions/upload-artifact@v4
+      if: failure() && steps.build.outcome == 'success'
+      with:
+        name: artifacts
+        path: ./out/artifacts
diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml
@@ -1,15 +1,19 @@
 name: cron
 
 on:
-  schedule: 
+  schedule:
     - cron: '0 13,1 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   stress:
     runs-on: ubuntu-latest
+
     steps:
-    - uses: actions/checkout@v4
-    - uses: Swatinem/rust-cache@v2
-    - name: stress
-      run: make stress
+      - uses: actions/checkout@v4
+      - uses: Swatinem/rust-cache@v2
+      - name: stress
+        run: make stress
diff --git a/.github/workflows/msrv.yml b/.github/workflows/msrv.yml
@@ -13,19 +13,26 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-msrv:
     name: cargo check MSRV
+
     strategy:
       matrix:
         os:
           - windows-2022
           - ubuntu-latest
+
     runs-on: ${{ matrix.os }}
+
     env:
       # dictated by `firefox` to support the `helix` editor, but now probably effectively be controlled by `jiff`, which also aligns with `regex`.
       # IMPORTANT: adjust etc/msrv-badge.svg as well
       rust_version: 1.74.0
+
     steps:
       - uses: actions/checkout@v4
       - uses: extractions/setup-just@v2

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,6 +12,9 @@ on:
       - 'v*'
   workflow_dispatch:
 
+permissions:
+  contents: read  # Set more permissively in jobs that need `write`.
+
 defaults:
   run:
     shell: bash
@@ -21,6 +24,9 @@ jobs:
   create-release:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: write
+
 #    env:
 #      # Set to force version number, e.g., when no tag exists.
 #      VERSION: TEST-0.0.0
@@ -204,6 +210,9 @@ jobs:
 
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      contents: write
+
     env:
       RUST_BACKTRACE: '1'  # Emit backtraces on panics.
       CARGO_TERM_COLOR: always
@@ -295,6 +304,9 @@ jobs:
         # These features need to be exactly the same as the features in build-release.
         feature: [ small, lean, max, max-pure ]
 
+    permissions:
+      contents: write
+
     env:
       BASH_ENV: ./helpers.sh
       REPOSITORY: ${{ github.repository }}
@@ -354,6 +366,9 @@ jobs:
 
     needs: [ create-release, build-release, build-macos-universal2-release ]
 
+    permissions:
+      contents: write
+
     env:
       REPOSITORY: ${{ github.repository }}
       VERSION: ${{ needs.create-release.outputs.version }}
@@ -435,7 +450,9 @@ jobs:
             os: windows-latest
             rust: stable
             target: i686-pc-windows-gnu
+
     runs-on: ${{ matrix.os }}
+
     steps:
       - uses: actions/checkout@v4
       - name: Install Rust