Set up permissions to github workflow to least privileges (#1718)

Closes #1717 As explained at #1717, github workflow standard behavior grant write-all permissions by default, which can be exploited by an attacker in case of a compromised workflow. To protect the project against this kinds of attacks, it is a Github and OpenSSF Scorecard recommendation to always use the least privilege definition on the workflows.
publicsuffix · Sep 13, 2023 · e3a0176 · e3a0176
1 parent d0e0d5e
commit e3a0176
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/.github/workflows/deploy-site.yml b/.github/workflows/deploy-site.yml
@@ -6,11 +6,12 @@ on:
     branches:
       - master
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   upload-website:
     uses: publicsuffix/publicsuffix.org/.github/workflows/deploy-site.yaml@master
+    permissions:
+      contents: read
+      id-token: write
     secrets: inherit
diff --git a/.github/workflows/tld-update.yml b/.github/workflows/tld-update.yml
@@ -4,10 +4,17 @@ on:
   schedule:
     # Run once a day at 15:00 UTC
     - cron:  '0 15 * * *'
+
+permissions:
+  contents: read
+
 jobs:
   psl-gtld-update:
     name: Check for TLD data updates
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
 
       - name: Check out code