[actions] improve default action permissions

ljharb · ljharb · commit c20db2ab86bd · 2024-06-10T08:59:48.000-07:00
diff --git a/.github/workflows/latest-npm.yml b/.github/workflows/latest-npm.yml
@@ -2,6 +2,9 @@ name: 'Tests: `nvm install-latest-npm`'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,10 +2,11 @@ name: 'Tests: linting'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   eclint:
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: step-security/harden-runner@v2
@@ -23,8 +24,6 @@ jobs:
       - run: npm run eclint
 
   dockerfile_lint:
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: step-security/harden-runner@v2
@@ -44,8 +43,6 @@ jobs:
       - run: npm run dockerfile_lint
 
   doctoc:
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: step-security/harden-runner@v2
@@ -63,8 +60,6 @@ jobs:
       - run: npm run doctoc:check
 
   test_naming:
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: step-security/harden-runner@v2
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
@@ -2,6 +2,9 @@ name: Automatic Rebase
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 jobs:
   _:
     permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,10 +2,11 @@ name: 'Tests: release process'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   release:
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml
@@ -2,6 +2,9 @@ name: Require “Allow Edits”
 
 on: [pull_request_target]
 
+permissions:
+  contents: read
+
 jobs:
   _:
     permissions:
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
@@ -2,10 +2,11 @@ name: 'Tests: shellcheck'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 jobs:
   shellcheck_matrix:
-    permissions:
-      contents: read
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -52,8 +53,4 @@ jobs:
       needs: [shellcheck_matrix]
       runs-on: ubuntu-latest
       steps:
-        - name: Harden Runner
-          uses: step-security/harden-runner@v2
-          with:
-            egress-policy: block
         - run: true
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -2,6 +2,9 @@ name: urchin tests
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     permissions:
@@ -49,6 +52,8 @@ jobs:
       - run: make TERM=xterm-256color TEST_SUITE="${{ matrix.suite }}" SHELL="${{ matrix.shell }}" URCHIN="$(npx which urchin)" test-${{ matrix.shell }}
 
   nvm:
+    permissions:
+      contents: none
     name: 'all test suites, all shells'
     needs: [tests]
     runs-on: ubuntu-latest
diff --git a/.github/workflows/toc.yml b/.github/workflows/toc.yml
@@ -2,6 +2,9 @@ name: update readme TOC
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   _:
     permissions:
diff --git a/.github/workflows/windows-npm.yml b/.github/workflows/windows-npm.yml
@@ -2,6 +2,9 @@ name: 'Tests on Windows: `nvm install`'
 
 on: [pull_request, push]
 
+permissions:
+  contents: read
+
 env:
   NVM_INSTALL_GITHUB_REPO: ${{ github.repository }}
   NVM_INSTALL_VERSION: ${{ github.sha }}
