paritytech · tomaka · Aug 24, 2022 · Aug 24, 2022 · Oct 4, 2022
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -1,7 +1,14 @@
 name: recurrent-audit
+
 on:
   schedule:
     - cron: '0 0 * * *'
+  workflow_dispatch:  # Allow triggering through the UI
+
+permissions:
+  contents: read
+  issues: write
+
 jobs:
   audit:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/ci-post-workflow.yml b/.github/workflows/ci-post-workflow.yml
@@ -6,6 +6,8 @@ on:
     types:
       - completed
 
+permissions: read-all
+
 jobs:
   # This job is run after a pull request workflow has completed, potentially from a fork
   # repository. It downloads the artifact output of the workflow, then comments in the pull
@@ -18,6 +20,12 @@ jobs:
   wasm-node-size-diff:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.event == 'pull_request' }}
+    permissions:
+      - actions: read
+      # Giving write access to PRs means that a malicious action could be a nuisance, but in
+      # practice this is unlikely to happen, would have no major consequences, and would likely
+      # be quickly detected.
+      - pull-requests: write
     steps:
       # TODO: use download-artifact action
       - uses: actions/[email protected]

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -23,6 +23,9 @@ on:
     branches:
       - main   # Running the CI on the main branch is important in order to fill the caches that pull requests will pick up.
 
+# Disables all permissions apart from reading. While no secret is used anywhere, disabling just in case doesn't hurt.
+permissions: read-all
+
 jobs:
   test-64bits:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -23,9 +23,14 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
   build-push-docker-image:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write  # TODO: problematic, as a malicious action could hijack the packages
     steps:
     - uses: docker/setup-qemu-action@v2
     - uses: docker/setup-buildx-action@v2
@@ -71,12 +76,14 @@ jobs:
         # Warning: this GitHub action doesn't seem to run prepublish scripts, hence
         # the `npm publish --dry-run` done right above is important to ensure this.
         with:
-          token: ${{ secrets.NPM_TOKEN }}
+          token: ${{ secrets.NPM_TOKEN }}   # TODO: problematic to pass this, in case the npm-publish action gets hijacked
           package: ./bin/wasm-node/javascript/package.json
           access: public
 
   deno-publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write   # Necessary because Deno publication works by pushing tags.   # TODO: improve security here by doing everything manually
     # This action checks if a certain git tag exists. If not, it compiles the JavaScript package,
     # then commits the compilation artifacts, tags the commit, and pushes the tag.
     steps: