From effb58fc63d33adbc1ec70aad19739e861fde491 Mon Sep 17 00:00:00 2001
From: Josh Soref <2119212+jsoref@users.noreply.github.com>
Date: Fri, 28 Jun 2024 09:05:44 -0400
Subject: [PATCH] infra/workflow: Reduce workflow permissions

By explicitly listing the permissions required in general, repositories without restrictive permissions will only allocate the specified permissions which is much safer than the default, fairly wide, permissions grant. Most workflows don't appear to need any permissions beyond `contents: read` which is required for checkout (when a repository is private). By specifying this permission, it tells GitHub not to include any of its additional default permissions (when a repository is configured permissively). The .github/workflows/memcheck_*.sh scripts called by build_ubuntu.yml require write permissions in order to post their output to a pull request (as a comment). In locked down GitHub repositories, unless a workflow/job asks for write permissions, it will not have them and such API calls will result in: { "message": "Resource not accessible by integration", "documentation_url": "https://docs.github.com/rest/issues/comments#create-an-issue-comment", "status": "403" } By specifically requesting the permissions, the workflow will continue to work as expected.
---
 .github/workflows/build_android.yml | 3 +++
 .github/workflows/build_ios.yml | 3 +++
 .github/workflows/build_macos.yml | 3 +++
 .github/workflows/build_ubuntu.yml | 7 +++++++
 .github/workflows/build_windows.yml | 3 +++
 5 files changed, 19 insertions(+)

diff --git a/.github/workflows/build_android.yml b/.github/workflows/build_android.yml
index 612032cd..0224d82b 100644
--- a/.github/workflows/build_android.yml
+++ b/.github/workflows/build_android.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build_x86_64:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build_ios.yml b/.github/workflows/build_ios.yml
index ed7950ec..7840b5d1 100644
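Review bot: The new workflow-level `permissions:` block in build_android.yml carries no hint that it is deliberately minimal, so the next contributor who hits a 403 from the token is likely to widen it here rather than grant the extra scope to the one job that needs it; the same applies to the identical hunks in build_ios.yml, build_macos.yml, build_ubuntu.yml and build_windows.yml. A one-line comment above the key would carry the rationale from the commit message into the file: `# Least-privilege default token; a job needing more must declare its own permissions block.` The commit message says these jobs "don't appear to need" anything beyond contents: read, so a green run of each workflow after merge is the check that no step relied on another default scope.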
--- a/.github/workflows/build_ios.yml
+++ b/.github/workflows/build_ios.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build_x86_64:
     runs-on: macos-latest
diff --git a/.github/workflows/build_macos.yml b/.github/workflows/build_macos.yml
index 1e225f73..16c6128d 100644
--- a/.github/workflows/build_macos.yml
+++ b/.github/workflows/build_macos.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: macos-latest
diff --git a/.github/workflows/build_ubuntu.yml b/.github/workflows/build_ubuntu.yml
index 1cbdf6fc..b670c576 100644
--- a/.github/workflows/build_ubuntu.yml
+++ b/.github/workflows/build_ubuntu.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -45,6 +48,10 @@ jobs:
   unit_test:
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      pull-requests: write
+
     steps:
       - uses: actions/checkout@v4
         with:
diff --git a/.github/workflows/build_windows.yml b/.github/workflows/build_windows.yml
index 8589fcfd..12ba6837 100644
--- a/.github/workflows/build_windows.yml
+++ b/.github/workflows/build_windows.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: windows-latest
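Review bot: The job-level grant in the unit_test hunk of build_ubuntu.yml is the only write scope in the series, and nothing in the YAML records which step needs `pull-requests: write`; the commit message attributes it to the memcheck_*.sh scripts commenting on the pull request, so keep that next to the grant: `pull-requests: write  # memcheck_*.sh posts its report as a PR comment`. Repeating `contents: read` at job level is correct, since a job-level permissions block replaces the workflow default rather than extending it. The trigger list is outside this hunk; if the workflow also runs on pull_request events from forks, the token is read-only there regardless of this block, so the commenting step should treat a 403 as non-fatal rather than fail the job. The unit_test job's steps continue outside the hunk.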