Set the token permissions to contents: read
This fixes a number of code scanning alerts such as
https://github.com/liblouis/liblouis/security/code-scanning/46.
The fix was provided by https://app.stepsecurity.io/
Two alerts were not fixed as the stepsecurity tool did not provide the
usual fix by setting the token permission. Instead it suggested to use
a "Harden Runner". At the moment I do not understand the implications of that, so
I postponed this.
So for mingw.yml and for emscripten.yml the alerts remain.
diff --git a/.github/workflows/check-format.yml b/.github/workflows/check-format.yml
index fdbf01c..90a31dd 100644
--- a/.github/workflows/check-format.yml
+++ b/.github/workflows/check-format.yml
@@ -10,6 +10,9 @@
pull_request:
branches: [ master ]
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
jobs:
check-format:
name: Check the code formatting
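Review bot: The inline comment on the new `permissions:` line records which tool produced it but not what it is for, so a maintainer adding a job that needs a write scope cannot tell whether the top-level block is meant to be loosened or overridden; the same applies to the identical hunks in check-table-license.yml, cifuzz.yml, fuzzing.yml, macro.yml, main.yml, metadata.yml and sanitizer.yml. A workflow-level `permissions` block applies to every job, so a job that later needs e.g. `pull-requests: write` or `security-events: write` should declare its own job-level `permissions` rather than having this block widened. I would replace the comment with `permissions: # least-privilege GITHUB_TOKEN; a job that needs more declares its own job-level permissions`. Separately, cifuzz.yml inserts a blank line before the block while the other seven hunks attach it directly to the preceding `on:` stanza; one spacing convention across the workflows would be cleaner.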
diff --git a/.github/workflows/check-table-license.yml b/.github/workflows/check-table-license.yml
index 14a7447..2610aa1 100644
--- a/.github/workflows/check-table-license.yml
+++ b/.github/workflows/check-table-license.yml
@@ -10,6 +10,9 @@
pull_request:
branches: [ master ]
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
jobs:
check-licenses:
name: Check the license of the tables
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 47539d1..24bde9b 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -8,6 +8,10 @@
# servers.
name: CIFuzz
on: [pull_request]
+
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
jobs:
Fuzzing:
runs-on: ubuntu-latest
diff --git a/.github/workflows/fuzzing.yml b/.github/workflows/fuzzing.yml
index 4492e28..44982e7 100644
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
@@ -5,6 +5,9 @@
schedule:
- cron: "0 4 * * 1"
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
jobs:
build:
name: Build with ${{ matrix.ucs }}
diff --git a/.github/workflows/macro.yml b/.github/workflows/macro.yml
index f87928d..fb9db13 100644
--- a/.github/workflows/macro.yml
+++ b/.github/workflows/macro.yml
@@ -10,6 +10,9 @@
pull_request:
branches: [ master ]
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
jobs:
build:
name: Test macro feature
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index cd3e521..b1967ea 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -10,6 +10,9 @@
pull_request:
branches: [ master ]
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
jobs:
build:
name: Build with ${{ matrix.ucs }}
diff --git a/.github/workflows/metadata.yml b/.github/workflows/metadata.yml
index a55ad9f..fc14251 100644
--- a/.github/workflows/metadata.yml
+++ b/.github/workflows/metadata.yml
@@ -9,6 +9,9 @@
pull_request:
branches: [ master ]
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
jobs:
metadata-test:
name: Build and check the metadta
diff --git a/.github/workflows/sanitizer.yml b/.github/workflows/sanitizer.yml
index 868ecf3..0554468 100644
--- a/.github/workflows/sanitizer.yml
+++ b/.github/workflows/sanitizer.yml
@@ -14,6 +14,9 @@
- '**.h'
- '**.c'
+permissions: # added using https://github.com/step-security/secure-workflows
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest