From 8c32d26bfcdcfd4d5f61dec8d264dd1573a6abc3 Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 3 Oct 2022 18:17:04 +0300
Subject: [PATCH] GitHub Workflows security hardening (#5138)

* build: harden comment.yml permissions
Signed-off-by: Alex
* build: harden ci.yml permissions
Signed-off-by: Alex
* build: harden release.yml permissions
Signed-off-by: Alex
Signed-off-by: Alex
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/comment.yml | 12 ++++++++++++
 .github/workflows/release.yml | 5 +++++
 3 files changed, 20 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 344ccd5fe..b4f8915c4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ on:
 - push
 - pull_request
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 ci:
 name: ${{ matrix.command }}
diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml
index 0fd62aa73..cf1180004 100644
--- a/.github/workflows/comment.yml
+++ b/.github/workflows/comment.yml
@@ -6,8 +6,16 @@ on:
 types:
 - created
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+ pull-requests: read # to get info about PR (cirrus-actions/rebase)
+
 jobs:
 rebase:
+ permissions:
+ contents: write # to push code to rebase (cirrus-actions/rebase)
+ pull-requests: read # to get info about PR (cirrus-actions/rebase)
+
 name: rebase
 runs-on: ubuntu-latest
 if: |
@@ -25,6 +33,10 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

 release_next:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ pull-requests: write # to create or update comment (peter-evans/create-or-update-comment)
+
 name: release:next
 runs-on: ubuntu-latest
 if: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 07c703b3c..d4860a7b1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
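Review bot: The inline comments on every added permission line use a single space before `#` (`contents: read # to fetch code (actions/checkout)`), which yamllint's `comments` rule rejects; two spaces is the conventional minimum, e.g. `contents: read  # to fetch code (actions/checkout)`. The same spacing appears on all added lines in the comment.yml and release.yml hunks of this patch. The workflow-level `contents: read` is the right default here since the `ci` job declares no block of its own and so inherits it, which is what `actions/checkout` needs.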
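Review bot: The workflow-level `pull-requests: read` (and `contents: read`) added at the top of comment.yml is shadowed for every job that declares its own `permissions:` block, because a job-level block replaces the workflow-level one rather than merging with it; both jobs visible in this patch (`rebase` here and `release_next` in the next hunk) declare their own, so the top-level grants only serve as a default for jobs this diff does not show. If there is no such job, `permissions: {}` at workflow level, as this same patch does in release.yml, states the intent better and means a job added later without its own block gets nothing instead of read access. The `if: |` condition that gates who can trigger the `contents: write` rebase job continues outside the hunk; that grant is only as safe as the gate on the commenter, so it is worth re-reading alongside this change.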
@@ -5,8 +5,13 @@ on:
 branches:
 - main
 
+permissions: {}
 jobs:
 release:
+ permissions:
+ contents: write # to create release (changesets/action)
+ pull-requests: write # to create pull request (changesets/action)
+
 name: ${{ matrix.channel }}
 runs-on: ubuntu-latest
 strategy:
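Review bot: `permissions: {}` is added directly above `jobs:` with no blank line between the two top-level keys, whereas ci.yml and comment.yml in this same patch separate their new block from `jobs:` with an added empty line; add a `+` blank line after `permissions: {}` so the three files follow the same one-blank-line-between-top-level-keys layout. The empty workflow-level block plus explicit job grants is the tightest pattern of the three files and would be a good model for the other two. `contents: write` and `pull-requests: write` on `release` match what the inline comments say changesets/action needs, but the job's `strategy:` matrix continues past the hunk, so whether every `channel` entry needs both grants cannot be confirmed from here.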