From a68c17d876540fe6e8f1d65b41fd1053c82d7e57 Mon Sep 17 00:00:00 2001
From: Alex
Date: Tue, 27 Sep 2022 14:10:18 +0200
Subject: [PATCH] GitHub Workflows security hardening (#7629)

* build: harden push.yml permissions

Signed-off-by: Alex

* build: harden deployment.yml permissions

Signed-off-by: Alex

* build: harden pr.yml permissions

Signed-off-by: Alex

Signed-off-by: Alex
---
 .github/workflows/deployment.yml | 4 ++++
 .github/workflows/pr.yml | 3 +++
 .github/workflows/push.yml | 4 ++++
 3 files changed, 11 insertions(+)

diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml
index ae8466d9f4..633357c68c 100644
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@@ -5,8 +5,12 @@ on:
     tags:
       - 'v*'
 
+permissions: {}
 jobs:
   deploy:
+    permissions:
+      contents: write # for release creation (svenstaro/upload-release-action)
+
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
index cb26450637..4cc2f6d88f 100644
--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -2,6 +2,9 @@ name: Pull Request Tests
 
 on: [pull_request, workflow_dispatch]
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   testPR:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 1c6126996a..71a34cae6a 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -2,8 +2,12 @@ name: Tests
 
 on: [push, workflow_dispatch]
 
+permissions: {}
 jobs:
   runPush:
+    permissions:
+      contents: write # for Update bundles
+
     runs-on: ubuntu-latest
     steps:
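Review bot: The job-level `contents: write` on `deploy` is held by every step of the job, not only the release-upload step named in the comment, so any checkout or build step that precedes it (the job body continues outside the hunk) also runs with a token that can push to the repository and publish releases. If the build can be separated, a `build` job with `permissions: contents: read` that uploads an artifact and a small `release` job that alone carries `contents: write` confines the write scope to the one step that needs it. Because the action referenced in the comment will execute with that write token, it is also worth pinning it to a full commit SHA rather than a mutable tag; its `uses:` line is not in this hunk, so I cannot tell how it is currently referenced.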
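Review bot: `contents: write` on `runPush` applies to the whole job, so the test steps that run on every push (the job body continues outside the hunk) execute with a token that can commit to the repository, a wider blast radius than the top-level `permissions: {}` suggests. A compromised dependency or third-party action in those steps could use that token; moving the bundle-update step into its own job with `permissions: contents: write` and leaving the test job at `contents: read` would keep the write scope on the step that needs it. The comment `# for Update bundles` names a step rather than the capability; `# needed to push the regenerated bundles (Update bundles step)` would tell a future reader why the write scope exists, assuming that step does commit back, which I cannot confirm from this hunk.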