authorsashashura <aleksandrosansan@gmail.com>2022-10-04 08:58:26 +0300
committersashashura <aleksandrosansan@gmail.com>2022-10-04 08:58:26 +0300
commitaf330add38957e94275124d6f8b40da70bdea02f (patch)
tree2a7dc54e5bf6793b9204d89ef6b9a946297066fb
parent198beb0d45ef9ae2be1f4a6d35446a2822c13d76 (diff)
downloadrust-libc-af330add38957e94275124d6f8b40da70bdea02f.tar.gz
Harden workflows security
Signed-off-by: Alex <aleksandrosansan@gmail.com>
-rw-r--r--.github/workflows/bors.yml43
-rw-r--r--.github/workflows/main.yml3
2 files changed, 46 insertions, 0 deletions
diff --git a/.github/workflows/bors.yml b/.github/workflows/bors.yml
index ab08c167f1..b614983339 100644
--- a/.github/workflows/bors.yml
+++ b/.github/workflows/bors.yml
@@ -6,8 +6,13 @@ on:
- auto-libc
- try
+permissions: {}
jobs:
docker_linux_tier1:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Docker Linux Tier1
runs-on: ubuntu-22.04
strategy:
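Review bot: The `actions: write` line in the docker_linux_tier1 permissions block (repeated in the macos, windows, style_check, docker_linux_tier2, docker_linux_build_std, docker_switch, build_channels_linux and docs hunks) is broader than a least-privilege CI token needs: it lets that job's GITHUB_TOKEN cancel, re-run or delete any workflow run in the repository, so a compromised build step or third-party action in any of these nine jobs gets far more than the `contents: read` the build itself needs. The inline comment says the scope exists only for rust-lang/simpleinfra's cancel-outdated-builds action; the step that uses it is outside these hunks, so that is inferred from the comment. GitHub's built-in concurrency setting cancels superseded runs with no token permission at all, so the same goal is reachable by adding `concurrency: { group: "${{ github.workflow }}-${{ github.ref }}", cancel-in-progress: true }` at the workflow level beside `permissions: {}`, dropping the cancel step, and trimming every job to `contents: read` as build_channels_macos and build_channels_windows already are. If the action must stay, confining it to one small dedicated job that the others depend on would at least keep `actions: write` out of the jobs that run the Docker and toolchain builds.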
@@ -28,6 +33,10 @@ jobs:
run: LIBC_CI=1 sh ./ci/run-docker.sh ${{ matrix.target }}
macos:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: macOS
runs-on: macos-12
strategy:
@@ -47,6 +56,10 @@ jobs:
run: LIBC_CI=1 sh ./ci/run.sh ${{ matrix.target }}
windows:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Windows
runs-on: windows-2022
env:
@@ -83,6 +96,10 @@ jobs:
shell: bash
style_check:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Style check
runs-on: ubuntu-22.04
steps:
@@ -96,6 +113,10 @@ jobs:
run: sh ci/style.sh
docker_linux_tier2:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Docker Linux Tier2
needs: [docker_linux_tier1, style_check]
runs-on: ubuntu-22.04
@@ -154,6 +175,10 @@ jobs:
# These targets are tier 3 or otherwise need to have CI build std via -Zbuild-std.
# Because of this, only the nightly compiler can be used on these targets.
docker_linux_build_std:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
if: ${{ false }} # This is currently broken
name: Docker Linux Build-Std Targets
needs: [docker_linux_tier1, style_check]
@@ -177,6 +202,10 @@ jobs:
# devkitpro's pacman needs to be connected from Docker.
docker_switch:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Docker Switch
needs: [docker_linux_tier1, style_check]
runs-on: ubuntu-22.04
@@ -191,6 +220,10 @@ jobs:
run: LIBC_CI=1 sh ./ci/run-docker.sh switch
build_channels_linux:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Build Channels Linux
needs: docker_linux_tier2
runs-on: ubuntu-22.04
@@ -221,6 +254,9 @@ jobs:
run: LIBC_CI=1 TOOLCHAIN=${{ matrix.toolchain }} sh ./ci/build.sh
build_channels_macos:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+
name: Build Channels macOS
needs: macos
runs-on: macos-12
@@ -251,6 +287,9 @@ jobs:
run: LIBC_CI=1 TOOLCHAIN=${{ matrix.toolchain }} sh ./ci/build.sh
build_channels_windows:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+
name: Build Channels Windows
runs-on: windows-2022
env:
@@ -301,6 +340,10 @@ jobs:
run: sh ci/semver.sh macos
docs:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
name: Generate documentation
runs-on: ubuntu-22.04
needs: docker_linux_tier2
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9cb5ffdc11..635d6121e6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -7,6 +7,9 @@ on:
branches:
- master
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
jobs:
docker_linux_tier1:
name: Docker Linux Tier1