CI-hardening: move permissions to the job level

Instead of giving all jobs write permissions, default to no permissions and enable them on a per-job basis. This does not change anything for us, but avoids accidental write permissions if a new job gets added without considering that it inherits the top level permissions, even if it doesn't need them. See https://woodruffw.github.io/zizmor/audits/#excessive-permissions
msys2 · Dec 6, 2024 · 5bf958f · 5bf958f
1 parent 7eed3d8
commit 5bf958f
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -19,14 +19,16 @@ on:
 env:
   PYTHONUNBUFFERED: 1
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
 
   schedule:
     runs-on: ubuntu-22.04
 
+    permissions:
+      contents: write
+
     concurrency: autobuild-maint
 
     outputs:
@@ -96,6 +98,9 @@ jobs:
     timeout-minutes: 4320
     needs: schedule
 
+    permissions:
+      contents: write
+
     concurrency: autobuild-build-${{ matrix.name }}
 
     if: ${{ needs.schedule.outputs.build-plan != '[]' }}

diff --git a/.github/workflows/maint.yml b/.github/workflows/maint.yml
@@ -19,8 +19,7 @@ on:
         required: false
         type: string
 
-permissions:
-  contents: write
+permissions: {}
 
 concurrency: autobuild-maint
 
@@ -29,6 +28,9 @@ jobs:
   schedule:
     runs-on: ubuntu-22.04
 
+    permissions:
+      contents: write
+
     steps:
 
     - name: Dump inputs