infra/workflow: Reduce workflow permissions

By explicitly listing the permissions required in general, repositories
without restrictive permissions will only allocate the specified
permissions, which is much safer than the default, fairly wide
permissions grant.

Most workflows don't appear to need any permissions beyond
`contents: read` which is required for checkout (when a repository is
private). By specifying this permission, it tells GitHub not to include
any of its additional default permissions (when a repository is
configured permissively).

The .github/workflows/memcheck_*.sh scripts called by build_ubuntu.yml
require write permissions in order to post their output to a pull
request (as a comment).

In locked down GitHub repositories, unless a workflow/job asks for
write permissions, it will not have them and such API calls will result
in:

{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://docs.github.com/rest/issues/comments#create-an-issue-comment",
  "status": "403"
}

By specifically requesting the permissions, the workflow will continue
to work as expected.
Josh Soref 2024-06-28 09:05:44 -04:00 committed by Hermet Park
parent 8663e33353
commit effb58fc63
5 changed files with 19 additions and 0 deletions
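The pattern the commit message describes, shown as a complete workflow. This is an added example, not one of the five files in this commit: the workflow name, job names, the `make` build step and the `./scripts/memcheck.sh` path are assumptions for illustration.

```yaml
# Added example (not from the commit above). Names and paths are assumed.
name: memcheck

on:
  pull_request:
    branches:
      - main

# Workflow-level default: every job gets a token with only contents: read,
# which is all actions/checkout needs (even on a private repository).
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make                     # assumption: the project builds with make

  unit_test:
    runs-on: ubuntu-latest
    needs: build
    # A job-level permissions block REPLACES the workflow-level one rather
    # than merging with it, so contents: read has to be repeated here or
    # the checkout step loses read access.
    permissions:
      contents: read
      pull-requests: write            # required to post the report as a PR comment
    steps:
      - uses: actions/checkout@v4
      - name: Run memcheck
        run: ./scripts/memcheck.sh > memcheck.txt   # assumed script path
      - name: Post the report to the pull request
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # With only contents: read this call fails with HTTP 403
          # "Resource not accessible by integration".
          gh pr comment "$PR_NUMBER" --body-file memcheck.txt
```

One caveat that the job-level block does not fix: on `pull_request` events from a forked repository GitHub hands the job a read-only `GITHUB_TOKEN` regardless of what `permissions:` asks for, so the comment step will still see the 403 on fork PRs unless it is skipped for them.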


@ -8,6 +8,9 @@ on:
branches:
- main
permissions:
contents: read
jobs:
build_x86_64:
runs-on: ubuntu-latest
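Review bot: `contents: read` at workflow level is the right minimum for a checkout-only workflow, but note that a job-level `permissions:` block replaces this one instead of merging with it, so any job that later needs an additional scope must repeat `contents: read` next to it (the `unit_test` job in this change does so correctly). If a future job needs no repository access at all, `permissions: {}` on that job is the tighter choice.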


@ -8,6 +8,9 @@ on:
branches:
- main
permissions:
contents: read
jobs:
build_x86_64:
runs-on: macos-latest


@ -8,6 +8,9 @@ on:
branches:
- main
permissions:
contents: read
jobs:
build:
runs-on: macos-latest


@ -8,6 +8,9 @@ on:
branches:
- main
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
@ -45,6 +48,10 @@ jobs:
unit_test:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- uses: actions/checkout@v4
with:
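Review bot: `pull-requests: write` on `unit_test` is the minimum scope for posting the memcheck output as a PR comment, but if this workflow also runs on `pull_request` events from forks, the token is read-only regardless of this block and the comment call will still return the 403 quoted in the commit message; either guard the comment step (for example `if: github.event.pull_request.head.repo.fork == false`) or document that fork PRs will not get the comment. Separately, the `actions/checkout@v4` line in context is a mutable tag; pinning it to a full commit SHA would complete the hardening this commit starts.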


@ -8,6 +8,9 @@ on:
branches:
- main
permissions:
contents: read
jobs:
build:
runs-on: windows-latest