From 2672fad90a23ad900b459facdc2e88261af6704c Mon Sep 17 00:00:00 2001
From: naveen <172697+naveensrinivasan@users.noreply.github.com>
Date: Sun, 1 May 2022 01:00:30 +0000
Subject: [PATCH] ci: Set permissions for GitHub actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.

- Included permissions for the action.

https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com> naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 .github/workflows/build-multi-stage.yaml | 3 +++
 .github/workflows/codespell.yaml | 3 +++
 .github/workflows/commitlint.yaml | 3 +++
 .github/workflows/go-test.yaml | 3 +++
 .github/workflows/golangci-lint.yaml | 3 +++
 .github/workflows/lint-extras.yaml | 3 +++
 .github/workflows/mod-check.yaml | 3 +++
 .github/workflows/publish-artifacts.yaml | 3 +++
 .github/workflows/{retest.yml => retest.yaml} | 4 ++++
 .github/workflows/stale.yaml | 6 ++++++
 .github/workflows/test-retest-action.yaml | 3 +++
 11 files changed, 37 insertions(+)
 rename .github/workflows/{retest.yml => retest.yaml} (93%)

diff --git a/.github/workflows/build-multi-stage.yaml b/.github/workflows/build-multi-stage.yaml
index c0e83a07c..9b312a296 100644
--- a/.github/workflows/build-multi-stage.yaml
+++ b/.github/workflows/build-multi-stage.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 codespell:
 name: multi-arch-build
diff --git a/.github/workflows/codespell.yaml b/.github/workflows/codespell.yaml
index 8dd40f6c2..29e4711d9 100644
--- a/.github/workflows/codespell.yaml
+++ b/.github/workflows/codespell.yaml
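Review bot: The job under `jobs:` in build-multi-stage.yaml is keyed `codespell` while its display name is `multi-arch-build`, which reads as a copy-paste leftover and makes any future job-level permission override (the pattern this commit introduces in stale.yaml) easy to attach to the wrong job; rename the key to `multi-arch-build:` to match `name:`. The workflow-level `contents: read` is the right scope for a pull_request-triggered build as long as no step pushes images with `GITHUB_TOKEN`; the steps are outside the hunk, so that cannot be confirmed here. A one-line comment above the block, `# least-privilege GITHUB_TOKEN; a job needing more must declare its own permissions`, would keep later additions from silently relying on repository defaults.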
@@ -7,6 +7,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 codespell:
 name: codespell
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index 60aa16efe..05338adac 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 commitlint:
 name: commitlint
diff --git a/.github/workflows/go-test.yaml b/.github/workflows/go-test.yaml
index dbd97026c..17c3a685e 100644
--- a/.github/workflows/go-test.yaml
+++ b/.github/workflows/go-test.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 go-test:
 name: go-test
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
index bf7c5ee16..37ac0b376 100644
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 golangci-lint:
 name: golangci-lint
diff --git a/.github/workflows/lint-extras.yaml b/.github/workflows/lint-extras.yaml
index ee6b647fd..23afffa16 100644
--- a/.github/workflows/lint-extras.yaml
+++ b/.github/workflows/lint-extras.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 lint-extras:
 name: lint-extras
diff --git a/.github/workflows/mod-check.yaml b/.github/workflows/mod-check.yaml
index d6e5b1a74..10e22d783 100644
--- a/.github/workflows/mod-check.yaml
+++ b/.github/workflows/mod-check.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches:
 - '*'
+permissions:
+ contents: read
+
 jobs:
 mod-check:
 name: mod-check
diff --git a/.github/workflows/publish-artifacts.yaml b/.github/workflows/publish-artifacts.yaml
index bb31d2900..b5a53c4b1 100644
--- a/.github/workflows/publish-artifacts.yaml
+++ b/.github/workflows/publish-artifacts.yaml
@@ -9,6 +9,9 @@ on:
 - devel
 # Push events to branches matching refs/heads/release-v*
 - 'release-v*'
+permissions:
+ contents: read
+
 jobs:
 push:
 name: Publish artifacts
diff --git a/.github/workflows/retest.yml b/.github/workflows/retest.yaml
similarity index 93%
rename from .github/workflows/retest.yml
rename to .github/workflows/retest.yaml
index 0ff69338b..3299e0dcb 100644
--- a/.github/workflows/retest.yml
+++ b/.github/workflows/retest.yaml
@@ -5,6 +5,10 @@ on:
 schedule:
 # Run the retest action every 30 minutes
 - cron: "30 * * * *"
+
+permissions:
+ contents: read
+
 jobs:
 retest:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 7fbfaa013..07c8e7ae2 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -7,8 +7,14 @@ on:
 # Run the stalebot every day at 9pm UTC
 - cron: "00 21 * * *"
 # yamllint disable rule:line-length
+permissions:
+ contents: read
+
 jobs:
 stale:
+ permissions:
+ issues: write # for actions/stale to close stale issues
+ pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-18.04
 if: github.repository == 'ceph/ceph-csi'
 steps:
diff --git a/.github/workflows/test-retest-action.yaml b/.github/workflows/test-retest-action.yaml
index 6adba100e..3d732370d 100644
--- a/.github/workflows/test-retest-action.yaml
+++ b/.github/workflows/test-retest-action.yaml
@@ -5,6 +5,9 @@ on:
 pull_request:
 branches: [devel]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
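Review bot: Whether `contents: read` is enough for the `push` job in publish-artifacts.yaml depends on how that job authenticates to the registry, and its steps are outside the hunk. If any step logs in with `GITHUB_TOKEN` (for example to ghcr.io) it now needs a job-level `permissions:` block carrying `packages: write`; if it uses a dedicated registry secret, the workflow-level read scope is correct and that should be recorded above the block, e.g. `# registry pushes use a dedicated secret, GITHUB_TOKEN is read-only`. Because this workflow runs on pushes to `devel` and `release-v*` rather than on pull requests, it is the one place in this patch where a permission-denied failure would first appear after merge, so a manual run on a release branch is worth doing before relying on it.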
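Review bot: The scheduled `retest` job very likely needs to write to pull requests (posting a retest comment or re-running checks), and with only `contents: read` at the workflow level it will fail with 403 if it uses `GITHUB_TOKEN`; the steps are outside the hunk, so confirm which token it uses and, if it is `GITHUB_TOKEN`, add a job-level `permissions:` under `retest:` with `pull-requests: write` (plus `actions: write` only if it re-runs workflow runs). Separately, the context comment says the action runs "every 30 minutes" but `30 * * * *` fires once an hour at minute 30; either use `*/30 * * * *` or change the comment to `# Run the retest action once an hour, at minute 30`. The `.yml` to `.yaml` rename is unrelated to the permission change and would be clearer as its own commit.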
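Review bot: The job-level `permissions:` block on `stale` replaces the workflow-level block rather than extending it, so this job ends up with `contents: none` alongside the two write scopes; that is fine for actions/stale, which does not check out the repository, but the comment should say so, e.g. `# overrides the workflow default: no contents access, only issue/PR writes`. The job also still runs on `ubuntu-18.04`, an image GitHub has announced it is retiring and will stop patching; move it to `ubuntu-latest` as the other workflows in this patch use, since a job that holds write scopes is the last one that should sit on an unmaintained runner. The existing `if: github.repository == 'ceph/ceph-csi'` guard pairs well with the write scopes by keeping forks from running this job, and is worth keeping. The workflow-level `permissions:` now sits directly under `# yamllint disable rule:line-length`, which visually attaches that directive to the wrong lines; insert a blank line before it.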