From 0f3e8030575088775b0793f07eb2b6dd1d31b75e Mon Sep 17 00:00:00 2001
From: Sourabh Mehta <73165318+soumeh01@users.noreply.github.com>
Date: Tue, 20 Jan 2026 17:06:52 +0100
Subject: [PATCH] [Security] Updated token permissions (#1389)

---
 .github/workflows/buildmgr.yml          | 8 ++++++--
 .github/workflows/codeql-analysis.yml   | 3 +++
 .github/workflows/global.yaml           | 1 +
 .github/workflows/markdown.yml          | 8 ++++++++
 .github/workflows/nightly.yml           | 4 +++-
 .github/workflows/packchk.yml           | 7 +++++++
 .github/workflows/packgen.yml           | 6 +++++-
 .github/workflows/projmgr.yml           | 6 +++++-
 .github/workflows/scorecard.yml         | 9 ++-------
 .github/workflows/svdconv.yml           | 5 +++++
 .github/workflows/test_libs.yml         | 5 +++--
 .github/workflows/unit_test_results.yml | 5 +++--
 12 files changed, 51 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/buildmgr.yml b/.github/workflows/buildmgr.yml
index b0bffa1d1..90809aeb9 100644
--- a/.github/workflows/buildmgr.yml
+++ b/.github/workflows/buildmgr.yml
@@ -35,6 +35,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup:
     uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
@@ -215,6 +218,8 @@ jobs:
     # Debian package generation in ubuntu 22.04 produces incompatible metadata
     runs-on: ubuntu-22.04
     timeout-minutes: 15
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         if: ${{ !github.event.repository.private }}
@@ -506,8 +511,7 @@ jobs:
       AC6_TOOLCHAIN_6_18_0: ${{ github.workspace }}/${{ matrix.toolchain_root }}
     runs-on: ubuntu-22.04
     timeout-minutes: 15
-    strategy:
-      fail-fast: true
+
     steps:
       - name: Harden Runner
         if: ${{ !github.event.repository.private }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index a24973633..9a13e72eb 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
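Review bot: The third buildmgr.yml hunk (@@ -506) drops `strategy: fail-fast: true` and leaves a blank `+` line inside the job mapping, an unrelated cleanup in a commit whose subject is token permissions; remove the added empty line so `timeout-minutes: 15` is followed directly by `steps:`, and preferably land the strategy removal in its own commit so the permission change stays reviewable on its own. In the second hunk (@@ -218) `contents: write` is granted to the whole Debian-package job; a job-level `permissions:` block replaces the workflow-level one, so the job runs with write on contents and none on every other scope, which is the right shape only if some step really pushes to the repository or a release (the steps lie outside the hunk). A one-line comment above the block naming that step, e.g. `# release-asset upload needs contents: write`, would let the next audit confirm the grant without reading the whole job; the same applies to the matching grants in packchk.yml, packgen.yml, projmgr.yml and svdconv.yml.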
@@ -19,6 +19,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/global.yaml b/.github/workflows/global.yaml
index 9a5c35999..85788bb68 100644
--- a/.github/workflows/global.yaml
+++ b/.github/workflows/global.yaml
@@ -3,6 +3,7 @@ on:
   pull_request:
   release:
     types: [ published ]
+
 permissions:
   contents: read
 
diff --git a/.github/workflows/markdown.yml b/.github/workflows/markdown.yml
index 0cd2ef959..e183e701e 100644
--- a/.github/workflows/markdown.yml
+++ b/.github/workflows/markdown.yml
@@ -6,6 +6,14 @@ on:
       - '.github/markdownlint.json'
       - '.github/markdownlint.jsonc'
       - '**/*.md'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   linter:
     name: Lint markdown files
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 9c332c757..9c6738f46 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -1,4 +1,3 @@
-
 name: nightly
 
 on:
@@ -6,6 +5,9 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   buildmgr:
     if: github.repository == 'Open-CMSIS-Pack/devtools'
diff --git a/.github/workflows/packchk.yml b/.github/workflows/packchk.yml
index fa28867bb..e98ae3eb5 100644
--- a/.github/workflows/packchk.yml
+++ b/.github/workflows/packchk.yml
@@ -40,6 +40,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup:
     uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
@@ -60,6 +63,8 @@ jobs:
     strategy:
       fail-fast: true
       matrix: ${{ fromJson(needs.matrix_prep.outputs.matrix) }}
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         if: ${{ !github.event.repository.private }}
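Review bot: The new workflow-level `contents: read` in codeql-analysis.yml (@@ -19) narrows the default token for every job, so the `analyze` job can only upload its SARIF results if it carries its own `permissions:` block with `security-events: write` (CodeQL's upload step also documents `actions: read` and `contents: read`); the job body is outside the hunk, so this cannot be confirmed here. Before this commit the job inherited whatever the repository's default token permissions allowed, which may have included that scope implicitly. If the job has no block of its own, the failure surfaces at the upload step of the first run after merge rather than at parse time, so that run is worth watching.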
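Review bot: nightly.yml (@@ -5) now caps GITHUB_TOKEN at `contents: read` for the whole workflow, while its `buildmgr` job, visible at the end of the hunk, appears to invoke a reusable workflow whose jobs request `contents: write` in this same commit (buildmgr.yml @@ -218, projmgr.yml @@ -206, packchk.yml @@ -63 and @@ -329). A called workflow can only downgrade the permissions handed to it by the caller, so GitHub may reject the run with a "requesting contents: write, but is only allowed contents: read" error unless the calling job grants that scope explicitly; I would not rely on the `if:` conditions on the write jobs to sidestep that check. Either add `permissions: contents: write` on the specific calling jobs that need it (global.yaml, which already declares `contents: read` at the top, is in the same position for release builds), or keep the reusable workflows' write jobs out of the nightly call path. This is inferred from the job name and the `workflow_call` triggers visible in projmgr.yml and test_libs.yml, so please confirm against the caller's `uses:` lines.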
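Review bot: In packchk.yml @@ -63 `contents: write` is attached to a matrix job (`matrix: ${{ fromJson(needs.matrix_prep.outputs.matrix) }}`), so every matrix leg receives a write-capable token, while the `release` job in @@ -329 already gets its own `contents: write` for the publish step. If the build legs only upload workflow artifacts, which needs no `contents` scope, the grant on the build job is unnecessary and should be removed; if one leg does push a release asset on `release` events, moving that step into the `release` job would keep write confined to a single, conditional job. svdconv.yml @@ -55 carries the same matrix-job grant.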
@@ -324,6 +329,8 @@ jobs:
           if-no-files-found: error
 
   release:
+    permissions:
+      contents: write
     if: |
       github.event_name == 'release' &&
       startsWith(github.ref, 'refs/tags/tools/packchk/')
diff --git a/.github/workflows/packgen.yml b/.github/workflows/packgen.yml
index adf964301..2e86b4570 100644
--- a/.github/workflows/packgen.yml
+++ b/.github/workflows/packgen.yml
@@ -35,6 +35,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup:
     uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
@@ -114,7 +117,8 @@ jobs:
     needs: [ build, unittest ]
     runs-on: ubuntu-22.04
     timeout-minutes: 15
-
+    permissions:
+      contents: write
     steps:
       - name: Checkout devtools
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/projmgr.yml b/.github/workflows/projmgr.yml
index 2b12f7b31..b95922bba 100644
--- a/.github/workflows/projmgr.yml
+++ b/.github/workflows/projmgr.yml
@@ -1,4 +1,3 @@
-
 name: projmgr
 on:
   workflow_call:
@@ -40,6 +39,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup:
     uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
@@ -204,6 +206,8 @@ jobs:
     needs: [ build, build-swig, unittest, coverage ]
     runs-on: ubuntu-22.04
     timeout-minutes: 15
+    permissions:
+      contents: write
     steps:
       - name: Checkout devtools
 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 464d7be73..9e7cda514 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -11,8 +11,8 @@ on:
     branches: [ "main" ]
   workflow_dispatch:
 
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
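Review bot: Both scorecard.yml hunks delete the explanatory comments without replacing them: here (@@ -11) `# Declare default permissions as read only.` goes with the `read-all` line, and in @@ -20 the per-scope notes on why `security-events: write` and `id-token: write` are required, plus the hint about `contents: read`/`actions: read` for private repositories, disappear. Write scopes in a security workflow are exactly the lines a future auditor will question, so keep a one-line why-comment above each, e.g. `# upload results to the code-scanning dashboard` and `# publish results and get a badge (see publish_results)`. Replacing `read-all` with `contents: read` is a tightening and fine as such; since the `analysis` job's own `permissions:` block replaces the top-level one entirely, the job itself keeps running without any `contents` scope, which the deleted comment described as the intended setup for public repositories.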
@@ -20,13 +20,8 @@ jobs:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
       security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
       id-token: write
-      # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
 
     steps:
       - name: Harden Runner
diff --git a/.github/workflows/svdconv.yml b/.github/workflows/svdconv.yml
index 300189a1e..21324d02c 100644
--- a/.github/workflows/svdconv.yml
+++ b/.github/workflows/svdconv.yml
@@ -32,6 +32,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup:
     uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
@@ -52,6 +55,8 @@ jobs:
     strategy:
       fail-fast: true
       matrix: ${{ fromJson(needs.matrix_prep.outputs.matrix) }}
+    permissions:
+      contents: write
     steps:
       - name: Harden Runner
         if: ${{ !github.event.repository.private }}
diff --git a/.github/workflows/test_libs.yml b/.github/workflows/test_libs.yml
index cb43e9ecf..d03f01e55 100644
--- a/.github/workflows/test_libs.yml
+++ b/.github/workflows/test_libs.yml
@@ -1,5 +1,3 @@
-
-
 name: test_libs
 on:
   workflow_call:
@@ -26,6 +24,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   setup:
     uses: Open-CMSIS-Pack/devtools/.github/workflows/shared_setup_env.yml@main
diff --git a/.github/workflows/unit_test_results.yml b/.github/workflows/unit_test_results.yml
index 25cebebb8..f71a1914c 100644
--- a/.github/workflows/unit_test_results.yml
+++ b/.github/workflows/unit_test_results.yml
@@ -1,5 +1,3 @@
-
-
 name: Publish Test Results
 
 on:
@@ -10,6 +8,9 @@ on:
     types:
      - completed
 
+permissions:
+  contents: read
+
 jobs:
   publish-test-results:
     name: Publish Test Results
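Review bot: unit_test_results.yml (@@ -8) is triggered by `workflow_run` on `completed` and, going by its name, publishes test results from the triggering run; with the new top-level `contents: read` the `publish-test-results` job, whose body lies outside the hunk, has no other scope unless it declares its own `permissions:` block. Publishing check runs or pull-request comments typically needs `checks: write` and/or `pull-requests: write`, and downloading another run's artifacts needs `actions: read`, so please confirm the job declares what it needs; otherwise the first run after merge fails with a 403 from the API rather than at parse time. If a block is added, a short comment per scope, e.g. `# checks: write - publish the test report as a check run`, keeps the grant auditable.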