Scorecard: Delcare default permissions as read only except CodeQL.

ossrs · Jan 10, 2023 · 4ae67f1 · 4ae67f1
1 parent d340856
commit 4ae67f1
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 1 deletion.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -3,6 +3,9 @@ name: "CodeQL"
 # @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
 on: [push, pull_request]
 
+# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions: write-all
+
 jobs:
   analyze:
     name: actions-codeql-analyze

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
     tags:
       - v6*
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   envs:
     name: envs

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -2,7 +2,8 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
-name: Scorecard supply-chain security
+name: Scorecard
+
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
@@ -70,3 +71,8 @@ jobs:
         uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
         with:
           sarif_file: results.sarif
+
+      # Delete the SARIF file.
+      - uses: geekyeggo/delete-artifact@v2
+        with:
+          name: SARIF file
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -3,6 +3,9 @@ name: "Test"
 # @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
 on: [push, pull_request]
 
+# Declare default permissions as read only.
+permissions: read-all
+
 # The dependency graph:
 # test(6m)
 # multiple-arch-armv7(13m)