feat: harden permissions for all github workflows

Signed-off-by: Joyce Brum <joycebrum@google.com> Reviewed By: tstellar Differential Revision: https://reviews.llvm.org/D144119
2024-11-23 22:00:10 +00:00 · 2023-03-03 21:34:25 -08:00 · 2023-03-03 21:34:25 -08:00 · 829b8912cd
commit 829b8912cd
parent c0b4ca107a
14 changed files with 51 additions and 0 deletions
--- a/.github/workflows/clang-tests.yml
+++ b/.github/workflows/clang-tests.yml
@ -1,5 +1,8 @@
 name: Clang Tests

+permissions:
+  contents: read
+
 on:
  workflow_dispatch:
  push:
--- a/.github/workflows/closed-issues.yml
+++ b/.github/workflows/closed-issues.yml
@ -3,8 +3,14 @@ on:
  issues:
    types: ['closed']

+permissions:
+  contents: read
+
 jobs:
  automate-issues-labels:
+    permissions:
+      issues: write  # for andymckay/labeler to label issues
+      pull-requests: write  # for andymckay/labeler to label PRs
    runs-on: ubuntu-latest
    if: github.repository == 'llvm/llvm-project'
    steps:
--- a/.github/workflows/issue-release-workflow.yml
+++ b/.github/workflows/issue-release-workflow.yml
@ -14,6 +14,9 @@

 name: Issue Release Workflow

+permissions:
+  contents: read
+
 on:
  issue_comment:
    types:
--- a/.github/workflows/issue-subscriber.yml
+++ b/.github/workflows/issue-subscriber.yml
@ -5,6 +5,9 @@ on:
    types:
      - labeled

+permissions:
+  contents: read
+
 jobs:
  auto-subscribe:
    runs-on: ubuntu-latest
--- a/.github/workflows/libclang-abi-tests.yml
+++ b/.github/workflows/libclang-abi-tests.yml
@ -1,5 +1,8 @@
 name: libclang ABI Tests

+permissions:
+  contents: read
+
 on:
  workflow_dispatch:
  push:
--- a/.github/workflows/libclc-tests.yml
+++ b/.github/workflows/libclc-tests.yml
@ -1,5 +1,8 @@
 name: libclc Tests

+permissions:
+  contents: read
+
 on:
  workflow_dispatch:
  push:
--- a/.github/workflows/lld-tests.yml
+++ b/.github/workflows/lld-tests.yml
@ -1,5 +1,8 @@
 name: LLD Tests

+permissions:
+  contents: read
+
 on:
  workflow_dispatch:
  push:
--- a/.github/workflows/lldb-tests.yml
+++ b/.github/workflows/lldb-tests.yml
@ -1,5 +1,8 @@
 name: lldb Tests

+permissions:
+  contents: read
+
 on:
  workflow_dispatch:
  push:
--- a/.github/workflows/llvm-bugs.yml
+++ b/.github/workflows/llvm-bugs.yml
@ -1,5 +1,9 @@
 name: LLVM Bugs notifier

+permissions:
+  contents: read
+  issues: read
+
 on:
  issues:
    types:
--- a/.github/workflows/llvm-project-tests.yml
+++ b/.github/workflows/llvm-project-tests.yml
@ -1,5 +1,8 @@
 name: LLVM Project Tests

+permissions:
+  contents: read
+
 on:
  workflow_dispatch:
    inputs:
--- a/.github/workflows/llvm-tests.yml
+++ b/.github/workflows/llvm-tests.yml
@ -1,5 +1,8 @@
 name: LLVM Tests

+permissions:
+  contents: read
+
 on:
  workflow_dispatch:
  push:
--- a/.github/workflows/new-issues.yml
+++ b/.github/workflows/new-issues.yml
@ -3,8 +3,14 @@ on:
  issues:
    types: ['opened']

+permissions:
+  contents: read
+
 jobs:
  automate-issues-labels:
+    permissions:
+      issues: write  # for andymckay/labeler to label issues
+      pull-requests: write  # for andymckay/labeler to label PRs
    runs-on: ubuntu-latest
    if: github.repository == 'llvm/llvm-project'
    steps:
--- a/.github/workflows/release-tasks.yml
+++ b/.github/workflows/release-tasks.yml
@ -1,5 +1,8 @@
 name: Release Task

+permissions:
+  contents: read
+
 on:
  push:
    tags:
@ -8,6 +11,8 @@ on:

 jobs:
  release-tasks:
+    permissions:
+      contents: write # To upload assets to release.
    runs-on: ubuntu-latest
    if: github.repository == 'llvm/llvm-project'
    steps:
--- a/.github/workflows/version-check.yml
+++ b/.github/workflows/version-check.yml
@ -8,6 +8,9 @@ on:
    branches:
      - 'release/**'

+permissions:
+  contents: read
+
 jobs:
  version_check:
    if: github.repository_owner == 'llvm'