SU2
chore: Set permissions for GitHub actions
Restrict the GitHub token permissions only to the required ones; this way, even if attackers succeed in compromising your workflow, they won’t be able to do much.
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests
Signed-off-by: naveen [email protected]
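As an added illustration of the setting this PR introduces (example configuration, not a workflow file from the SU2 repository), here is a workflow without a `permissions` block next to the same workflow with a read-only default and a job-level override for the one job that needs to write. The job names, commands and the `release` job are assumptions for the example.

```yaml
# Added example, not a workflow from the SU2 repository.
# Before: no `permissions` key, so every job's GITHUB_TOKEN gets the
# repository's default scopes, which may include write access.
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test
---
# After: the workflow-wide default is read-only; only the job that
# really needs to write (here: publishing a release) gets that scope.
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: make test
  release:
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write   # job-level override: only what this job needs
    steps:
      - uses: actions/checkout@v3
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

When a job declares its own `permissions` block, every scope it does not list is set to `none` for that job, so the `release` job above ends up with `contents: write` and nothing else; a compromised step in the `test` job still only holds a read-only token.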
even if attackers succeed in compromising your workflow, they won’t be able to do much.
But if an attacker compromises the workflow then (s)he will be able to change the permissions too, no?
@naveensrinivasan Thank you for the contribution, please reply to Martin's questions so we can get this moving.
@naveensrinivasan Could you please comment on https://github.com/su2code/SU2/pull/1661#issuecomment-1149557138 too? Thanks!
even if attackers succeed in compromising your workflow, they won’t be able to do much.
But if an attacker compromises the workflow then (s)he will be able to change the permissions too, no?
Yes, AFAIK. That is why it is recommended to Pin by SHA
Yes, AFAIK. That is why it is recommended to Pin by SHA
OK! I see your point here! Indeed the reduced permissions would help if a malicious action is executed!
Yes, AFAIK. That is why it is recommended to Pin by SHA
OK! I see your point here! Indeed the reduced permissions would help if a malicious action is executed!
👍
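The two controls discussed in this thread (a `permissions` block and actions pinned to a commit SHA rather than a tag or branch) are easy to check mechanically. The script below is an added example, not tooling from SU2 or the Scorecard project: a small line-based check over workflow text that flags a missing or `write-all` `permissions` block and any `uses:` reference that is not a full 40-hex commit SHA. The two sample workflows are constructed for the example and the SHA in the hardened one is a placeholder, not a real commit.

```python
import re

# A `uses:` step line, either "- uses: ..." or a bare "uses: ..." after "- name:".
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
# A reference pinned to a full commit SHA ends in "@" + 40 lowercase hex digits.
SHA_RE = re.compile(r"@[0-9a-f]{40}$")


def check_workflow(text):
    """Return [(line_no, finding), ...] for a workflow YAML text.

    line_no 0 means the finding applies to the file as a whole.
    """
    findings = []
    lines = text.splitlines()

    if not any(re.match(r"^\s*permissions:", ln) for ln in lines):
        findings.append((0, "no `permissions:` block; GITHUB_TOKEN gets the repository default"))

    for no, ln in enumerate(lines, 1):
        if re.match(r"^\s*permissions:\s*write-all\b", ln):
            findings.append((no, "`permissions: write-all` grants every scope"))
            continue
        m = USES_RE.match(ln)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        # Local actions and container images are not tag/branch references.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((no, f"`{ref}` has no ref at all"))
        elif not SHA_RE.search(ref):
            findings.append((no, f"`{ref}` pinned to a mutable ref, not a commit SHA"))
    return findings


# Constructed sample: no permissions block, actions pinned to a tag and a branch.
WEAK_WORKFLOW = """\
name: build
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: python
        uses: actions/setup-python@main
      - run: make
"""

# Constructed sample: read-only token, SHA-pinned action (placeholder SHA, not a real commit).
HARDENED_WORKFLOW = """\
name: build
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v3.x (placeholder)
      - uses: ./.github/actions/local-step
      - run: make
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"== {name} ==")
        for no, msg in check_workflow(wf) or [(0, "no findings")]:
            print(f"  line {no}: {msg}")
```

The check is deliberately line-based so it runs without a YAML parser; a full implementation would parse the document and also look at job-level `permissions` blocks, since a job that declares its own block overrides the workflow default.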
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this is still a relevant issue please comment on it to restart the discussion. Thank you for your contributions.