From 9fcbee0c8b1d72475914aa81bb65dc50fa574f89 Mon Sep 17 00:00:00 2001
From: Nils Reichardt <me@nils.re>
Date: Thu, 29 Sep 2022 00:51:48 +0200
Subject: [PATCH] Set permissions for workflows to follow a good security
 practice. (#300)

Having workflows without setting the permission for the workflow is
considered a bad security practice and it is causing alerts from our
scanning tools.

Co-authored-by: Jonas Sander <29028262+Jonas-Sander@users.noreply.github.com>
---
 .github/workflows/alpha.yml |  5 +++++
 .github/workflows/main.yml  | 13 +++++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/alpha.yml b/.github/workflows/alpha.yml
index 28cdd8fe2..33d72e34e 100644
--- a/.github/workflows/alpha.yml
+++ b/.github/workflows/alpha.yml
@@ -29,6 +29,11 @@ on:
 env:
   CI_CD_DART_SCRIPTS_PACKAGE_PATH: "tools/sz_repo_cli/"
 
+# Set permissions to none.
+#
+# Using the broad default permissions is considered a bad security practice 
+# and would cause alerts from our scanning tools.
+permissions: {}
 jobs:
   deploy-alpha-web-app:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a991a1aa8..215d52e5e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -21,6 +21,12 @@ on:
 env:
   CI_CD_DART_SCRIPTS_PACKAGE_PATH: "tools/sz_repo_cli/"
 
+# Set permissions to none.
+#
+# Using the broad default permissions is considered a bad security practice 
+# and would cause alerts from our scanning tools.
+permissions: {}
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   analyze:
@@ -154,6 +160,9 @@ jobs:
   # 4. Adjust website restrictions for Firebase Key "Sharezone Web Key".
   web-preview:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write # for FirebaseExtended/action-hosting-deploy to comment on PRs
+      checks: write # for FirebaseExtended/action-hosting-deploy to comment on PRs (without write permissions for checks the action doesn't post a comment to the PR, we don't know why)
     steps:
       - uses: actions/checkout@v2
 
@@ -172,8 +181,8 @@ jobs:
       - name: Deploy to Firebase Hosting (sharezone-debug)
         uses: FirebaseExtended/action-hosting-deploy@v0
         with:
-          repoToken: '${{ secrets.GITHUB_TOKEN }}'
-          firebaseServiceAccount: '${{ secrets.FIREBASE_SERVICE_ACCOUNT_SHAREZONE_DEBUG }}'
+          repoToken: ${{ secrets.GITHUB_TOKEN }}
+          firebaseServiceAccount: ${{ secrets.FIREBASE_SERVICE_ACCOUNT_SHAREZONE_DEBUG }}
           projectId: sharezone-debug
           entryPoint: "./app"
           expires: '7d'