Merge pull request #6113 from osalyk/workflows_read

common: harden GitHub Actions

.github/workflows/docker_rebuild.yml

@@ -23,6 +23,8 @@ env:
  WORKDIR: utils/docker
  PUSH_IMAGE: 1
 
+permissions: {}
+
 jobs:
  image:
  if: github.repository == 'pmem/pmdk'

.github/workflows/main.yml

@@ -5,6 +5,8 @@ on:
  workflow_dispatch:
  pull_request:
 
+permissions: {}
+
 jobs:
  src_checkers:
  name: Source checkers

.github/workflows/nightly.yml

@@ -19,6 +19,8 @@ env:
  PMDK_CXX: g++
  SRC_CHECKERS: 0
 
+permissions: {}
+
 jobs:
  in-tree:
  name: In-tree

.github/workflows/pmem_benchmark.yml

@@ -10,13 +10,12 @@ on:
  type: string
  default: master
 
+permissions: {}
 
 jobs:
  prep_runtime:
  name: Prepare runtime
  runs-on: [self-hosted, benchmark]
- permissions:
- contents: read
  steps:
  - name: Clone the git repo
  uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -38,8 +37,6 @@ jobs:
  GITHUB_REF: ${{ inputs.reference_ref }}
  - ROLE: rival
  GITHUB_REF: ${{ inputs.rival_ref }}
- permissions:
- contents: read
  env:
  MANIFEST: ${{ matrix.ROLE }}/manifest.txt
  steps:

.github/workflows/pmem_ras.yml

@@ -30,6 +30,8 @@ on:
  # run this job every 8 hours
  - cron: '0 */8 * * *'
 
+permissions: {}
+
 jobs:
  linux:
  name: PMEM_RAS

.github/workflows/pmem_test_matrix.yml

@@ -17,6 +17,8 @@ on:
  type: number
  default: 360 # The jobs.<job_id>.timeout-minutes default.
 
+permissions: {}
+
 jobs:
  job:
  name: ${{ matrix.force_enable }}, ${{ matrix.test_script }}, ${{ matrix.os }}, ${{ matrix.build }}

.github/workflows/pmem_tests.yml

@@ -9,6 +9,8 @@ on:
  # run this job at 18:00 UTC every day
  - cron: '0 18 * * *'
 
+permissions: {}
+
 jobs:
  # Test the default build with the basic test suite.
  Basic:

.github/workflows/scan_bandit.yml

@@ -9,6 +9,8 @@ env:
  PMREORDER: src/tools/pmreorder/*.py
  CALL_STACKS_ANALYSIS: utils/call_stacks_analysis/*.py
 
+permissions: {}
+
 jobs:
  bandit:
  name: Bandit

.github/workflows/scan_codeql.yml

@@ -4,14 +4,15 @@ name: CodeQL
 on:
  workflow_call:
 
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 jobs:
  codeql:
  name: CodeQL
  runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
 
  steps:
  - name: Clone the git repo

.github/workflows/scan_coverage.yml

@@ -24,6 +24,8 @@ env:
  TEST_BUILD: debug
  FAULT_INJECTION: 1
 
+permissions: {}
+
 jobs:
  linux:
  name: Linux

.github/workflows/scan_coverity.yml

@@ -21,6 +21,8 @@ env:
  VALGRIND: 1
  COVERITY: 1
 
+permissions: {}
+
 jobs:
  linux:
  name: Linux

.github/workflows/scan_documentation.yml

@@ -4,6 +4,8 @@ name: Documentation
 on:
  workflow_call:
 
+permissions: {}
+
 jobs:
  linux:
  name: Documentation

.github/workflows/scan_log_calls.yml

@@ -5,6 +5,7 @@ on:
  workflow_dispatch:
  workflow_call:
 
+permissions: {}
 
 jobs:
  log-calls:

.github/workflows/scan_stack_usage.yml

@@ -8,6 +8,8 @@ on:
 env:
  CALL_STACKS_TOOLS_PATH: pmdk/utils/call_stacks_analysis
 
+permissions: {}
+
 jobs:
  stack-usage:
  name: Stack usage

.github/workflows/scan_ubsan.yml

@@ -18,6 +18,8 @@ env:
  UBSAN: 1
  FAULT_INJECTION: 1
 
+permissions: {}
+
 jobs:
  linux:
  name: Linux

.github/workflows/scans.yml

@@ -7,13 +7,19 @@ on:
  # run this job at 00:00 UTC every day
  - cron: '0 0 * * *'
 
+permissions: {}
+
 jobs:
  call-bandit:
  uses: ./.github/workflows/scan_bandit.yml
  name: Bandit
  call-codeql:
  uses: ./.github/workflows/scan_codeql.yml
  name: CodeQL
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
  call-coverity:
  uses: ./.github/workflows/scan_coverity.yml
  secrets:

.github/workflows/ubuntu.yml

@@ -8,6 +8,8 @@ env:
  GITHUB_REPO: pmem/pmdk
  DOCKER_REPO: ghcr.io/pmem/pmdk
 
+permissions: {}
+
 jobs:
  linux:
  name: Linux