Set permissions for workflows to follow a good security practice. (#300)

Having workflows without setting the permission for the workflow is considered a bad security practice and it is causing alerts from our scanning tools. Co-authored-by: Jonas Sander <[email protected]>
SharezoneApp · Sep 28, 2022 · 9fcbee0 · 9fcbee0
1 parent af01329
commit 9fcbee0
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 2 deletions.
diff --git a/.github/workflows/alpha.yml b/.github/workflows/alpha.yml
@@ -29,6 +29,11 @@ on:
 env:
   CI_CD_DART_SCRIPTS_PACKAGE_PATH: "tools/sz_repo_cli/"
 
+# Set permissions to none.
+#
+# Using the broad default permissions is considered a bad security practice 
+# and would cause alerts from our scanning tools.
+permissions: {}
 jobs:
   deploy-alpha-web-app:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -21,6 +21,12 @@ on:
 env:
   CI_CD_DART_SCRIPTS_PACKAGE_PATH: "tools/sz_repo_cli/"
 
+# Set permissions to none.
+#
+# Using the broad default permissions is considered a bad security practice 
+# and would cause alerts from our scanning tools.
+permissions: {}
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   analyze:
@@ -154,6 +160,9 @@ jobs:
   # 4. Adjust website restrictions for Firebase Key "Sharezone Web Key".
   web-preview:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # for FirebaseExtended/action-hosting-deploy to comment on PRs
+      checks: write # for FirebaseExtended/action-hosting-deploy to comment on PRs (without write permissions for checks the action doesn't post a comment to the PR, we don't know why)
     steps:
       - uses: actions/checkout@v2
 
@@ -172,8 +181,8 @@ jobs:
       - name: Deploy to Firebase Hosting (sharezone-debug)
         uses: FirebaseExtended/action-hosting-deploy@v0
         with:
-          repoToken: '${{ secrets.GITHUB_TOKEN }}'
-          firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_SHAREZONE_DEBUG }}'
+          repoToken: ${{ secrets.GITHUB_TOKEN }}
+          firebaseServiceAccount: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_SHAREZONE_DEBUG }}
           projectId: sharezone-debug
           entryPoint: "./app"
           expires: '7d'