GitHub Workflows security hardening (#11323)

Roll forward of #10843 after accidental direct merge Closes #11323 COPYBARA_INTEGRATE_REVIEW=https://github.com/protocolbuffers/protobuf/pull/11323 from mkruskal-google:restore-hardening ef7c9fd067 PiperOrigin-RevId: 495885677
2 years ago · e3c346fdd8
parent 7787f3eafb
commit e3c346fdd8
5 changed files with 15 additions and 0 deletions
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@ -3,6 +3,8 @@
 # https://github.com/codespell-project/codespell
 name: codespell
 on: [push, pull_request]
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
 jobs:
  codespell:
    name: Check for spelling errors
--- a/.github/workflows/generate_files.yml
+++ b/.github/workflows/generate_files.yml
@ -9,8 +9,12 @@ on:
      # to exclude it.
      - '!21.x'

+permissions: {}
 jobs:
  cmake:
+    permissions:
+      contents: write  #  for git push
+
    if: github.repository == 'protocolbuffers/protobuf'
    runs-on: ubuntu-latest

--- a/.github/workflows/objc_cocoapods.yml
+++ b/.github/workflows/objc_cocoapods.yml
@ -18,6 +18,9 @@ on:
    - '!objectivec/ProtocolBuffers_*.xcodeproj/**'
    - '!objectivec/Tests/**'

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
  pod-lib-lint:
    runs-on: macos-latest
--- a/.github/workflows/php-ext.yml
+++ b/.github/workflows/php-ext.yml
@ -4,6 +4,9 @@ on:
  - push
  - pull_request

+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
  build-php:
    name: Build PHP extension
--- a/.github/workflows/update_php_repo.yml
+++ b/.github/workflows/update_php_repo.yml
@ -6,6 +6,9 @@ on:
      - v[0-9]+.[0-9]+
      - v[0-9]+.[0-9]+-rc[0-9]+

+permissions:
+  contents: read  #  to fetch code in 'Clone protobuf' (actions/checkout)
+
 jobs:
  update-repo:
    name: Update PHP Repo