From 8025b9c775086402302fe6cdfc7801a9ddf02ead Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Sun, 29 Oct 2023 12:03:04 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
---
 .github/workflows/build.yaml | 3 +++
 .github/workflows/codeql-analysis.yml | 7 +++++++
 .github/workflows/docs.yaml | 5 +++++
 .github/workflows/goreleaser-check.yaml | 3 +++
 .github/workflows/linting.yaml | 6 ++++++
 .github/workflows/readme.yaml | 5 +++++
 .github/workflows/test-install.yaml | 3 +++
 .github/workflows/test.yaml | 3 +++
 8 files changed, 35 insertions(+)
 mode change 100755 => 100644 .github/workflows/build.yaml
 mode change 100755 => 100644 .github/workflows/docs.yaml
 mode change 100755 => 100644 .github/workflows/readme.yaml
 mode change 100755 => 100644 .github/workflows/test.yaml
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
old mode 100755
new mode 100644
index 5035413c..118c5911
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,5 +1,8 @@
 name: Building
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 9b96a1bc..c3f70cc4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -9,8 +9,15 @@ on:
 schedule:
 - cron: '10 6 * * 2'
+permissions:
+ contents: read
+
 jobs:
 analyze:
+ permissions:
+ actions: read # for github/codeql-action/init to get workflow details
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/autobuild to send a status report
 name: Analyze
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
old mode 100755
new mode 100644
index 2466fd06..b35e0e04
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
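Review bot: The justification on the new job-level `security-events: write` line in the codeql-analysis.yml hunk attributes the scope to github/codeql-action/autobuild sending a status report, but the operation that actually requires it is the upload of SARIF results, which the analyze step performs; the job's steps are outside the hunk, so this assumes the usual init/autobuild/analyze sequence. Naming the real consumer keeps a later reader from narrowing the scope when the status-report behaviour changes: `security-events: write # for github/codeql-action/analyze to upload SARIF results`. Note also that this job-level block replaces the top-level `contents: read` entirely for the analyze job, so any scope not listed here is none — the intended least-privilege outcome, but any step added later that needs more must be granted here, not at the top level.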
@@ -5,8 +5,13 @@ on:
 name: Generate docs
+permissions:
+ contents: read
+
 jobs:
 build:
+ permissions:
+ contents: write # for Git to git push
 name: Release
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/goreleaser-check.yaml b/.github/workflows/goreleaser-check.yaml
index c0e7cc79..ca7c680e 100644
--- a/.github/workflows/goreleaser-check.yaml
+++ b/.github/workflows/goreleaser-check.yaml
@@ -4,6 +4,9 @@ on:
 branches:
 - 'release-please--**'
+permissions:
+ contents: read
+
 jobs:
 verify-goreleaser:
 name: Check GoReleaser config
diff --git a/.github/workflows/linting.yaml b/.github/workflows/linting.yaml
index be1a571e..ef3775f8 100644
--- a/.github/workflows/linting.yaml
+++ b/.github/workflows/linting.yaml
@@ -1,7 +1,13 @@
 name: reviewdog
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 golangci-lint:
+ permissions:
+ checks: write # for reviewdog/action-golangci-lint to report issues using checks
+ contents: read # for actions/checkout to fetch code
 name: golangci-lint
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/readme.yaml b/.github/workflows/readme.yaml
old mode 100755
new mode 100644
index 04e6814b..4595d0b4
--- a/.github/workflows/readme.yaml
+++ b/.github/workflows/readme.yaml
@@ -5,8 +5,13 @@ on:
 name: Generate readme
+permissions:
+ contents: read
+
 jobs:
 build:
+ permissions:
+ contents: write # for Git to git push
 name: Release
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/test-install.yaml b/.github/workflows/test-install.yaml
index 3a81c90c..a7c5d170 100644
--- a/.github/workflows/test-install.yaml
+++ b/.github/workflows/test-install.yaml
@@ -7,6 +7,9 @@ on:
 - .github/workflows/test-install.yaml
 - install.sh
+permissions:
+ contents: read
+
 jobs:
 test-install-sh:
 name: Test install.sh
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
old mode 100755
new mode 100644
index 42d796e9..fbc6c127
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
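Review bot: The job-level `contents: write # for Git to git push` added to the `build` job in docs.yaml is the broadest scope this commit grants, and because a job-level block replaces the top-level one, the new top-level `contents: read` in the same hunk only protects jobs that do not override it; the `on:` trigger and the step that performs the push are outside the hunk, so whether a write-capable token can be issued for an untrusted ref cannot be confirmed here. The comment should state which ref is pushed and why read is insufficient, e.g. `contents: write # for the 'git push' step that commits regenerated docs back to the repository`, and the trigger should be checked so that this job only runs for pushes to trusted branches rather than for `pull_request_target`. The readme.yaml hunk below makes the identical change with the identical comment, and the same caveat applies there.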
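Review bot: The job-level `checks: write` added to the `golangci-lint` job in linting.yaml is only effective when the workflow's GITHUB_TOKEN can carry write scopes; the hunk's first lines show the workflow runs `on: [pull_request]`, and for pull requests opened from forks the token is read-only regardless of the `permissions` block, so reviewdog's check reporter will be unable to post results on those runs. That limitation is worth recording beside the new line so the failure is not mistaken for a missing scope: `checks: write # for reviewdog/action-golangci-lint to report issues using checks (read-only token on fork PRs, so no effect there)`. The step that invokes reviewdog is outside the hunk, so whether it falls back to a non-check reporter cannot be confirmed here.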
@@ -1,5 +1,8 @@
 name: Testing
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Test