authorStefan Giehl <stefan@matomo.org>2021-08-04 10:44:00 +0300
committerGitHub <noreply@github.com>2021-08-04 10:44:00 +0300
commit4961914bebe1100eaabcf39a19b88006341bb086 (patch)
treeb917e95f7a4af769f646264a351c84f45ccd4556 /.github
parent9b1ca4d0fbc5d9fe4be6c9aea505875d86061dd1 (diff)
Set proper permissions for github actions (#17809)
* set proper permissions for github actions * restrict some jobs that don't need any permission * use the commit hashes of the versions for external actions * Only allow read access for checkout action
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/buildtrackerjs.yml16
-rw-r--r--.github/workflows/follow-up-reviews.yml12
-rw-r--r--.github/workflows/inactive-prs-closing-message.yaml12
-rw-r--r--.github/workflows/inactive-prs.yaml12
-rw-r--r--.github/workflows/phpcs.yml14
-rw-r--r--.github/workflows/submodules.yml14
-rw-r--r--.github/workflows/translations.yml18
7 files changed, 96 insertions, 2 deletions
diff --git a/.github/workflows/buildtrackerjs.yml b/.github/workflows/buildtrackerjs.yml
index a297c4e4e5..e240331759 100644
--- a/.github/workflows/buildtrackerjs.yml
+++ b/.github/workflows/buildtrackerjs.yml
@@ -4,6 +4,18 @@ on:
issue_comment:
types: [created]
+permissions:
+ actions: read
+ checks: none
+ contents: write
+ deployments: none
+ issues: read
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
jobs:
build:
runs-on: ubuntu-latest
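Review bot: Every scope that is not granted is spelled out as `none` (`checks`, `deployments`, `packages`, `repository-projects`, `security-events`, `statuses`), which is redundant: once a `permissions` map is present on the workflow, any scope it does not mention is already set to none, so the block reduces to the scopes actually granted (`actions: read`, `contents: write`, `issues: read`, `pull-requests: write`) and reads more easily. The same pattern is repeated in follow-up-reviews.yml, inactive-prs-closing-message.yaml, inactive-prs.yaml, phpcs.yml, submodules.yml and translations.yml. Since this workflow is triggered by `issue_comment`, the `contents: write` and `pull-requests: write` granted here apply to every job in the file; if only the job that pushes the built tracker needs them, a job-level `permissions:` on that job would keep the others read-only — the jobs themselves are outside this hunk, so I cannot confirm whether that applies.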
@@ -38,10 +50,14 @@ jobs:
echo ::set-output name=branch::$REF
if: github.event.comment.body == 'build js'
- uses: actions/setup-java@v1
+ permissions:
+ contents: none
with:
java-version: 9
if: steps.vars.outputs.branch != ''
- uses: actions/checkout@v2
+ permissions:
+ contents: read
with:
ref: ${{ steps.vars.outputs.branch }}
lfs: false
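Review bot: `permissions:` placed under a step (the two-line blocks added after `- uses: actions/setup-java@v1` and after `- uses: actions/checkout@v2`) is not a recognised step key — as far as I know GitHub Actions accepts `permissions` only at workflow and job level and rejects unknown keys on a step, so the workflow would fail validation rather than narrow the token. The same step-level blocks are added in submodules.yml and translations.yml. The per-step entries should be dropped; the token cannot be narrowed per step, so if checkout is meant to run with `contents: read` while another step pushes, that needs a separate job carrying its own `permissions:`. The `build` job's body starts and ends outside this hunk.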
diff --git a/.github/workflows/follow-up-reviews.yml b/.github/workflows/follow-up-reviews.yml
index a389f627e1..55f1699820 100644
--- a/.github/workflows/follow-up-reviews.yml
+++ b/.github/workflows/follow-up-reviews.yml
@@ -3,6 +3,18 @@ on:
schedule:
- cron: '30 1 * * *'
+permissions:
+ actions: read
+ checks: none
+ contents: read
+ deployments: none
+ issues: write
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
jobs:
stale:
runs-on: ubuntu-latest
diff --git a/.github/workflows/inactive-prs-closing-message.yaml b/.github/workflows/inactive-prs-closing-message.yaml
index 9f6fe7c8e4..ea76cb6fb9 100644
--- a/.github/workflows/inactive-prs-closing-message.yaml
+++ b/.github/workflows/inactive-prs-closing-message.yaml
@@ -3,6 +3,18 @@ on:
schedule:
- cron: '30 1 * * *'
+permissions:
+ actions: read
+ checks: none
+ contents: read
+ deployments: none
+ issues: write
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
jobs:
stale:
runs-on: ubuntu-latest
diff --git a/.github/workflows/inactive-prs.yaml b/.github/workflows/inactive-prs.yaml
index 747291a163..00b021d22a 100644
--- a/.github/workflows/inactive-prs.yaml
+++ b/.github/workflows/inactive-prs.yaml
@@ -3,6 +3,18 @@ on:
schedule:
- cron: '30 1 * * *'
+permissions:
+ actions: read
+ checks: none
+ contents: read
+ deployments: none
+ issues: write
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
jobs:
stale:
runs-on: ubuntu-latest
diff --git a/.github/workflows/phpcs.yml b/.github/workflows/phpcs.yml
index 169942b071..126a30eff9 100644
--- a/.github/workflows/phpcs.yml
+++ b/.github/workflows/phpcs.yml
@@ -2,6 +2,18 @@ name: PHPCS check
on: pull_request
+permissions:
+ actions: read
+ checks: read
+ contents: read
+ deployments: none
+ issues: read
+ packages: none
+ pull-requests: read
+ repository-projects: none
+ security-events: none
+ statuses: read
+
jobs:
phpcs:
name: PHPCS
@@ -11,7 +23,7 @@ jobs:
- name: Install dependencies
run: composer install --dev --prefer-dist --no-progress --no-suggest
- name: PHPCS check
- uses: chekalsky/phpcs-action@v1
+ uses: chekalsky/phpcs-action@e269c2f264f400adcda7c6b24c8550302350d495
with:
phpcs_bin_path: './vendor/bin/phpcs'
enable_warnings: true \ No newline at end of file
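Review bot: The new `uses: chekalsky/phpcs-action@e269c2f264f400adcda7c6b24c8550302350d495` line pins a full SHA but gives a reader no way to tell which release it corresponds to; carrying the replaced tag as a trailing comment, `uses: chekalsky/phpcs-action@e269c2f264f400adcda7c6b24c8550302350d495 # v1`, keeps the pin reviewable, and Dependabot updates such a comment alongside the SHA. The same applies to the `shivammathur/setup-php@36cb9fb0fccf887130d6c5a3d40a3b3479310026` pin in translations.yml. The `actions/checkout@v2` and `actions/setup-java@v1` references in the other files stay tag-pinned; if that is a deliberate first-party exception to the description's "commit hashes for external actions", a one-line comment next to them would make the policy explicit.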
diff --git a/.github/workflows/submodules.yml b/.github/workflows/submodules.yml
index 47cfa12726..b4daa3b7e3 100644
--- a/.github/workflows/submodules.yml
+++ b/.github/workflows/submodules.yml
@@ -5,6 +5,18 @@ on:
schedule:
- cron: "0 2 * * 5"
+permissions:
+ actions: read
+ checks: none
+ contents: write
+ deployments: none
+ issues: read
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
jobs:
build:
@@ -12,6 +24,8 @@ jobs:
steps:
- uses: actions/checkout@v2
+ permissions:
+ contents: read
with:
ref: '4.x-dev'
lfs: false
diff --git a/.github/workflows/translations.yml b/.github/workflows/translations.yml
index 7e03f5de73..d2d2edd5bb 100644
--- a/.github/workflows/translations.yml
+++ b/.github/workflows/translations.yml
@@ -5,6 +5,18 @@ on:
schedule:
- cron: "0 2 * * 6"
+permissions:
+ actions: read
+ checks: none
+ contents: write
+ deployments: none
+ issues: read
+ packages: none
+ pull-requests: write
+ repository-projects: none
+ security-events: none
+ statuses: none
+
jobs:
build:
@@ -22,10 +34,14 @@ jobs:
steps:
- - uses: shivammathur/setup-php@v2
+ - uses: shivammathur/setup-php@36cb9fb0fccf887130d6c5a3d40a3b3479310026
+ permissions:
+ contents: none
with:
php-version: '7.3'
- uses: actions/checkout@v2
+ permissions:
+ contents: read
with:
ref: '4.x-dev'
lfs: false