From 595544976507f2f9d0bb8cc88020337f66080734 Mon Sep 17 00:00:00 2001
From: Jan David
Date: Tue, 9 Jul 2024 13:24:08 +0200
Subject: [PATCH] Grant GitHub Actions workflows access to OIDC token

In #3909, new steps were added to the GitHub Actions workflows that upload the build artifacts to a new S3 bucket. Authentication is done using short-lived tokens that are provisioned using OIDC. This scheme requires additional permissions[^1], which have been granted to the workflows.
[^1]: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
---
 .github/workflows/ci.yaml | 24 +++++++++++++++++++
 .../linux-builds-template.yaml | 3 +++
 .../macos-builds-template.yaml | 3 +++
 .../windows-builds-template.yaml | 3 +++
 4 files changed, 33 insertions(+)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 7022384cc3..e67247f477 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -24,6 +24,9 @@ jobs:
 if: ${{ contains('["pull_request", "merge_group"]', github.event_name) }} # skip-master skip-stable
 env:
 RUSTFLAGS: -Ctarget-feature=+crt-static
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -178,6 +181,9 @@ jobs:
 if: ${{ (github.event_name == 'push' && github.ref_name == 'master') || github.event_name == 'schedule' }} # skip-pr skip-stable
 env:
 RUSTFLAGS: -Ctarget-feature=+crt-static
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -332,6 +338,9 @@ jobs:
 if: ${{ github.event_name == 'push' && github.ref_name == 'stable' }} # skip-pr skip-master
 env:
 RUSTFLAGS: -Ctarget-feature=+crt-static
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 fail-fast: false
 matrix:
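Review bot: `id-token: write` on the job gated by `pull_request`/`merge_group` in `@@ -24,6 +24,9 @@` (and on `build-linux-pr` in `@@ -490` further down) lets every step of that job, including build scripts of the PR under test, request an OIDC token that the cloud side trusts, so the role's trust policy — not on this page — should pin the `sub` claim to this repository and event/ref and the PR role should be allowed to write only its own artifact prefix. As far as I recall, runs triggered by `pull_request` from a fork cannot obtain an OIDC token at all, so the upload step these scopes exist for (added in #3909, outside this hunk) presumably needs a condition that skips it for fork PRs rather than failing the job. The master/stable hunks in `@@ -178` and `@@ -332` grant the identical scopes, so any distinction between PR and release uploads has to live in the trust policy and bucket policy, not in these permissions blocks.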
@@ -490,6 +499,9 @@ jobs:
 build-linux-pr: # job-name skip-master skip-stable
 runs-on: ubuntu-latest
 if: ${{ contains('["pull_request", "merge_group"]', github.event_name) }} # skip-master skip-stable
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -646,6 +658,9 @@ jobs:
 build-linux-master: # job-name skip-pr skip-stable
 runs-on: ubuntu-latest
 if: ${{ (github.event_name == 'push' && github.ref_name == 'master') || github.event_name == 'schedule' }} # skip-pr skip-stable
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -807,6 +822,9 @@ jobs:
 build-linux-stable: # job-name skip-master skip-pr
 runs-on: ubuntu-latest
 if: ${{ github.event_name == 'push' && github.ref_name == 'stable' }} # skip-pr skip-master
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -990,6 +1008,9 @@ jobs:
 runs-on: macos-13 # skip-aarch64
 env: # skip-aarch64
 MACOSX_DEPLOYMENT_TARGET: 10.12 # skip-aarch64
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 matrix:
 mode:
@@ -1118,6 +1139,9 @@ jobs:
 runs-on: macos-latest # skip-x86_64
 env: # skip-x86_64
 MACOSX_DEPLOYMENT_TARGET: 11.0 # skip-x86_64
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 matrix:
 mode:
diff --git a/ci/actions-templates/linux-builds-template.yaml b/ci/actions-templates/linux-builds-template.yaml
index 96f249e6f5..83a7480067 100644
--- a/ci/actions-templates/linux-builds-template.yaml
+++ b/ci/actions-templates/linux-builds-template.yaml
@@ -9,6 +9,9 @@ jobs: # skip-master skip-pr skip-stable
 if: ${{ contains('["pull_request", "merge_group"]', github.event_name) }} # skip-master skip-stable
 if: ${{ (github.event_name == 'push' && github.ref_name == 'master') || github.event_name == 'schedule' }} # skip-pr skip-stable
 if: ${{ github.event_name == 'push' && github.ref_name == 'stable' }} # skip-pr skip-master
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 fail-fast: false
 matrix:
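Review bot: The new `permissions:` block in `linux-builds-template.yaml` `@@ -9,6 +9,9 @@` has no comment saying why either scope is there, and since the `# skip-*` markers and the line-for-line match with the `ci.yaml` hunks above suggest the templates generate that file, the template is where the comment belongs; suggest, above `permissions:`, `# id-token: write lets the S3 artifact upload (#3909) mint a short-lived OIDC token; contents: read is restated because a job-level permissions block replaces the default scopes (presumably needed for checkout)`. The block sits after the three alternative `if:` lines and is therefore inherited unchanged by the PR-gated job and the master/stable jobs alike, which is worth stating in that comment so a later reader does not assume the PR job got a narrower grant. The macOS and Windows templates that follow take the same three lines and the same comment.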
diff --git a/ci/actions-templates/macos-builds-template.yaml b/ci/actions-templates/macos-builds-template.yaml
index f979156757..d59d91cb25 100644
--- a/ci/actions-templates/macos-builds-template.yaml
+++ b/ci/actions-templates/macos-builds-template.yaml
@@ -10,6 +10,9 @@ jobs: # skip-x86_64 skip-aarch64
 runs-on: macos-13 # skip-aarch64
 env: # skip-aarch64
 MACOSX_DEPLOYMENT_TARGET: 10.12 # skip-aarch64
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 matrix:
 mode:
diff --git a/ci/actions-templates/windows-builds-template.yaml b/ci/actions-templates/windows-builds-template.yaml
index fd808b73b2..cc13e8490d 100644
--- a/ci/actions-templates/windows-builds-template.yaml
+++ b/ci/actions-templates/windows-builds-template.yaml
@@ -11,6 +11,9 @@ jobs: # skip-master skip-pr skip-stable
 if: ${{ github.event_name == 'push' && github.ref_name == 'stable' }} # skip-pr skip-master
 env:
 RUSTFLAGS: -Ctarget-feature=+crt-static
+ permissions:
+ id-token: write
+ contents: read
 strategy:
 fail-fast: false
 matrix: