falcosecurity · poiana · Sep 4, 2024 · Aug 17, 2024 · Aug 28, 2024
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.head_ref || github.run_id }}
   cancel-in-progress: true  
 
+permissions:  
+  contents: read
+
 jobs:
   fetch-version:
     uses: ./.github/workflows/reusable_fetch_version.yaml

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -18,6 +18,9 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ "master" ]
 
+permissions:  
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
@@ -1,6 +1,10 @@
 name: Codespell
 on:
   pull_request:
+
+permissions:  
+  contents: read
+
 jobs:
   codespell:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/engine-version-weakcheck.yaml b/.github/workflows/engine-version-weakcheck.yaml
@@ -9,6 +9,9 @@ on:
       - 'userspace/engine/*.cpp'
       - 'userspace/engine/*.h'
 
+permissions:  
+  contents: read
+
 jobs:
   paths-filter:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/insecure-api.yaml b/.github/workflows/insecure-api.yaml
@@ -6,6 +6,9 @@ on:
       - 'release/**'
       - 'maintainers/**'
 
+permissions:  
+  contents: read
+
 jobs:
   insecure-api:
     name: check-insecure-api

diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
@@ -8,6 +8,9 @@ concurrency:
   group: ci-master
   cancel-in-progress: true  
 
+permissions:  
+  contents: read
+
 jobs:
   fetch-version:
     uses: ./.github/workflows/reusable_fetch_version.yaml 

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -8,6 +8,9 @@ concurrency:
   group: ci-release
   cancel-in-progress: true  
 
+permissions:  
+  contents: read
+
 jobs:
   release-settings:
     runs-on: ubuntu-latest
@@ -16,7 +19,7 @@ jobs:
       bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
     steps:
       - name: Get latest release
-        uses: rez0n/actions-github-release@v2.0
+        uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
         id: latest_release
         env:
           token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/reusable_build_dev.yaml b/.github/workflows/reusable_build_dev.yaml
@@ -33,6 +33,9 @@ on:
         default: ''
         type: string
 
+permissions: 
+  contents: read
+
 jobs:
   build-and-test:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936

diff --git a/.github/workflows/reusable_build_docker.yaml b/.github/workflows/reusable_build_docker.yaml
@@ -24,6 +24,10 @@ on:
 # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
 # In this way, we don't need to publish any arch specific image, 
 # and this "build" workflow is actually only building images.
+
+permissions:  
+  contents: read
+
 jobs:
   build-docker:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936

diff --git a/.github/workflows/reusable_build_packages.yaml b/.github/workflows/reusable_build_packages.yaml
@@ -21,6 +21,9 @@ on:
         type: boolean
         default: false
 
+permissions:  
+  contents: read
+
 jobs:
   build-modern-bpf-skeleton:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936

diff --git a/.github/workflows/reusable_fetch_version.yaml b/.github/workflows/reusable_fetch_version.yaml
@@ -6,6 +6,9 @@ on:
         description: "Falco version"
         value: ${{ jobs.fetch-version.outputs.version }}
 
+permissions:  
+  contents: read
+
 jobs:
   # We need to use an ubuntu-latest to fetch Falco version because
   # Falco version is computed by some cmake scripts that do git sorceries

diff --git a/.github/workflows/reusable_test_packages.yaml b/.github/workflows/reusable_test_packages.yaml
@@ -21,6 +21,9 @@ on:
         default: false
         type: boolean
 
+permissions:  
+  contents: read
+
 jobs:
   test-packages:
     # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
@@ -54,7 +57,7 @@ jobs:
       - name: Run tests
         env:
           LSAN_OPTIONS: "intercept_tls_get_addr=0"
-        uses: falcosecurity/testing@main    
+        uses: falcosecurity/testing@main 
         with:
           test-falco: 'true'
           test-falcoctl: 'true'

diff --git a/.github/workflows/staticanalysis.yaml b/.github/workflows/staticanalysis.yaml
@@ -1,6 +1,9 @@
 name: StaticAnalysis
 on:
   pull_request:
+permissions:  
+  contents: read
+
 jobs:
   staticanalysis:
     runs-on: ubuntu-22.04