fix(ci): top level permissions, env hardening

2026-01-26 11:23:57 +00:00 · 2025-01-28 14:51:13 +02:00
parent cdcec7d39d
commit 4855c8948b
12 changed files with 94 additions and 3 deletions
--- a/.github/workflows/composer-install.yml
+++ b/.github/workflows/composer-install.yml
@@ -1,6 +1,9 @@
 ---
 name: Run Composer Install

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
 on:
  workflow_dispatch:
  pull_request:
@@ -8,13 +11,18 @@ on:
      - "composer.json"
      - "composer.lock"

+permissions:
+  contents: write
+  packages: read
+  statuses: write
+
 jobs:
  ComposerInstall:
    runs-on: ubuntu-latest

    permissions:
      contents: write
-      pacakges: read
+      packages: read
      statuses: write

    strategy:
--- a/.github/workflows/compress-images.yml
+++ b/.github/workflows/compress-images.yml
@@ -3,11 +3,19 @@
 # Open a Pull Request if any images can be compressed.
 name: Compress Images on Demand

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
 on:
  workflow_dispatch:
  schedule:
    - cron: "00 23 * * 0"

+permissions:
+  contents: write
+  statuses: write
+  pull-requests: write
+
 jobs:
  CompressOnDemandOrSchedule:
    name: calibreapp/image-actions
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -10,8 +10,16 @@
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
 name: "Dependency Review"

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
 on: [pull_request]

+permissions:
+  contents: read
+  packages: read
+  statuses: read
+
 jobs:
  dependency-review:
    runs-on: ubuntu-latest
--- a/.github/workflows/laravel-phpunit.yml
+++ b/.github/workflows/laravel-phpunit.yml
@@ -1,12 +1,20 @@
 ---
 name: Laravel Setup and Composer test

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
 on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

+permissions:
+  contents: write
+  packages: read
+  statuses: write
+
 jobs:
  laravel-tests:
    runs-on: ubuntu-latest
--- a/.github/workflows/pr-compress-images.yml
+++ b/.github/workflows/pr-compress-images.yml
@@ -1,6 +1,9 @@
 ---
 name: Compress Images

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
 on:
  pull_request:
    # Run Image Actions when JPG, JPEG, PNG or WebP files are added or changed.
@@ -11,6 +14,12 @@ on:
      - "**.png"
      - "**.webp"

+permissions:
+  contents: write
+  packages: read
+  statuses: write
+  pull-requests: write
+
 jobs:
  CompressInPR:
    # Only run on Pull Requests within the same repository, and not from forks.
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -13,6 +13,7 @@ name: Lint Code Base

 env:
  MAIN_BRANCH: main
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false

 #############################
 # Start the job on all push #
@@ -24,6 +25,11 @@ on:
  pull_request:
    branches: [master, main]

+permissions:
+  contents: read
+  packages: read
+  statuses: write
+
 ###############
 # Set the Job #
 ###############
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -1,9 +1,17 @@
 ---
 name: Release Drafter

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
 on:
  workflow_call:

+permissions:
+  contents: write
+  statuses: write
+  packages: read
+
 jobs:
  update_release_draft:
    name: ✏️ Draft release
--- a/.github/workflows/release-monthly.yaml
+++ b/.github/workflows/release-monthly.yaml
@@ -2,11 +2,19 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: "Release"

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 1 * *" # 1st of every month at midnight

+permissions:
+  contents: write
+  packages: read
+  statuses: read
+
 jobs:
  release:
    name: Release
--- a/.github/workflows/reviewdog-linters.yml
+++ b/.github/workflows/reviewdog-linters.yml
@@ -3,6 +3,14 @@ name: Reviewdog Linters

 on: [pull_request]

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
+permissions:
+  contents: read
+  packages: read
+  statuses: write
+
 jobs:
  linters:
    name: Linters
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -1,6 +1,9 @@
 ---
 name: Stale

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
 on:
  schedule:
    - cron: "0 8 * * *"
@@ -8,9 +11,11 @@ on:
  workflow_dispatch:

 permissions:
-  contents: read
-  packages: read
+  contents: write # only for delete-branch option
+  issues: write
+  pull-requests: write
  statuses: read
+  packages: read

 jobs:
  stale:
--- a/.github/workflows/sync-labels-to-own-projects.yml
+++ b/.github/workflows/sync-labels-to-own-projects.yml
@@ -1,6 +1,9 @@
 ---
 name: Sync labels to other repositories

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
 on:
  push:
    branches:
@@ -12,6 +15,10 @@ on:
  schedule:
    - cron: "0 0 * * *" # Every day at midnight

+permissions:
+  contents: write
+  statuses: write
+
 jobs:
  sync-labels:
    runs-on: ubuntu-latest
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -2,6 +2,9 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Sync labels

+env:
+  ACTIONS_ALLOW_UNSECURE_COMMAND=false
+
 on:
  push:
    branches:
@@ -13,6 +16,11 @@ on:
  workflow_call:
  workflow_dispatch:

+permissions:
+  issues: write
+  contents: read
+  statuses: read
+
 jobs:
  labels:
    name: ♻️ Sync labels