From 74b0efcab4cda4d4fb2d6a5cdf10f697e8906b7f Mon Sep 17 00:00:00 2001
From: Pierre Krieger
Date: Wed, 24 Aug 2022 09:43:55 +0200
Subject: [PATCH 1/2] Set the permissions of GitHub actions

---
 .github/workflows/audit.yml            |  7 +++++++
 .github/workflows/ci-post-workflow.yml |  8 ++++++++
 .github/workflows/ci.yml               |  3 +++
 .github/workflows/deploy.yml           | 11 +++++++++--
 4 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index dc33804fa4..d486585791 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -1,7 +1,14 @@
 name: recurrent-audit
+
 on:
   schedule:
     - cron: '0 0 * * *'
+  workflow_dispatch: # Allow triggering through the UI
+
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   audit:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/ci-post-workflow.yml b/.github/workflows/ci-post-workflow.yml
index 6c65a19ba6..fccd54ce9f 100644
--- a/.github/workflows/ci-post-workflow.yml
+++ b/.github/workflows/ci-post-workflow.yml
@@ -6,6 +6,8 @@ on:
     types:
       - completed
 
+permissions: read-all
+
 jobs:
   # This job is run after a pull request workflow has completed, potentially from a fork
   # repository. It downloads the artifact output of the workflow, then comments in the pull
@@ -18,6 +20,12 @@ jobs:
   wasm-node-size-diff:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.event == 'pull_request' }}
+    permissions:
+      - actions: read
+      # Giving write access to PRs means that a malicious action could be a nuisance, but in
+      # practice this is unlikely to happen, would have no major consequences, and would likely
+      # be quickly detected.
+      - pull-requests: write
     steps:
       # TODO: use download-artifact action
       - uses: actions/github-script@v3.1.0
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ff23b17dea..e07b70ad2d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
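Review bot: `issues: write` is granted at the workflow level of audit.yml without a comment naming the step that consumes it, and the `audit` job's steps lie outside the hunk, so the need cannot be confirmed from here. A short inline comment keeps the grant reviewable, e.g. `issues: write  # TODO confirm: needed by the audit step to open an issue on findings`. Because workflow-level `permissions` apply to every job in the file, any job added to this workflow later inherits the write scope too; placing the same three lines under `jobs.audit` instead would confine it to the one job that presumably needs it.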
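Review bot: The job-level `permissions` block added to `wasm-node-size-diff` in ci-post-workflow.yml is written as a sequence (`- actions: read`, `- pull-requests: write`), but this key takes a mapping (or the strings `read-all`/`write-all`), so the workflow will fail validation rather than grant those scopes. Dropping the two leading dashes fixes it: `actions: read` and `pull-requests: write` directly under `permissions:`. Once a job declares its own block, every scope it does not list is `none` for that job, overriding the workflow-level `read-all` from the earlier hunk; the job's steps continue past the hunk, so if one of them checks out the repository, `contents: read` has to be listed here as well.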
@@ -23,6 +23,9 @@ on:
     branches:
       - main # Running the CI on the main branch is important in order to fill the caches that pull requests will pick up.
 
+# Disables all permissions apart from reading. While no secret is used anywhere, disabling just in case doesn't hurt.
+permissions: read-all
+
 jobs:
   test-64bits:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index e8cc5c92da..4890c2607f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -23,9 +23,14 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
   build-push-docker-image:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - uses: docker/setup-qemu-action@v2
       - uses: docker/setup-buildx-action@v2
@@ -36,7 +41,7 @@ jobs:
         with:
           registry: docker.pkg.github.com
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }} # TODO: problematic in case the login-action gets hijacked
       - uses: docker/build-push-action@v3.1.1
         with:
           context: .
@@ -71,12 +76,14 @@ jobs:
         # Warning: this GitHub action doesn't seem to run prepublish scripts, hence
         # the `npm publish --dry-run` done right above is important to ensure this.
         with:
-          token: ${{ secrets.NPM_TOKEN }}
+          token: ${{ secrets.NPM_TOKEN }} # TODO: problematic to pass this, in case the npm-publish action gets hijacked
           package: ./bin/wasm-node/javascript/package.json
           access: public
   deno-publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # Necessary because Deno publication works by pushing tags.
     # TODO: improve security here by doing everything manually
     # This action checks if a certain git tag exists. If not, it compiles the JavaScript package,
     # then commits the compilation artifacts, tags the commit, and pushes the tag.
     steps:

From efe78fafb9b3825083c18c0c4861757cb709f8aa Mon Sep 17 00:00:00 2001
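Review bot: The new `deno-publish` permissions block lists only `contents: write`, which sets every other scope to `none` for that job and overrides the workflow-level `read-all` added at the top of deploy.yml; the job's steps are outside the hunk, so whether a step needs any other scope cannot be checked here. The inline comment could also record that GitHub offers no tag-only scope, so repository-wide write is the narrowest grant that allows the push, e.g. `contents: write # Necessary because Deno publication works by pushing tags; no narrower tag-only scope exists.`. The `npm-publish` job just above keeps the workflow-level `read-all` on its `GITHUB_TOKEN` even though the visible step authenticates with `secrets.NPM_TOKEN`; if no step in that job uses the token, an explicit `permissions: {}` on the job would drop it to nothing.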
From: Pierre Krieger
Date: Wed, 24 Aug 2022 09:46:07 +0200
Subject: [PATCH 2/2] Move a TODO

---
 .github/workflows/deploy.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 4890c2607f..610cac3e50 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -30,7 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      packages: write
+      packages: write # TODO: problematic, as a malicious action could hijack the packages
     steps:
       - uses: docker/setup-qemu-action@v2
       - uses: docker/setup-buildx-action@v2
@@ -41,7 +41,7 @@ jobs:
         with:
           registry: docker.pkg.github.com
           username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }} # TODO: problematic in case the login-action gets hijacked
+          password: ${{ secrets.GITHUB_TOKEN }}
       - uses: docker/build-push-action@v3.1.1
         with:
           context: .