From 17984fa31b2800d1a4dfed7a9ca00980fb231e87 Mon Sep 17 00:00:00 2001
From: Alex
Date: Sat, 12 Nov 2022 08:42:01 +0200
Subject: [PATCH] GitHub Workflows security hardening (#3470)

* build: harden docker-publish.yml permissions
Signed-off-by: Alex
* build: harden website.yml permissions
Signed-off-by: Alex
* build: harden changesets.yml permissions
Signed-off-by: Alex
* build: harden static-data.yml permissions
Signed-off-by: Alex
Signed-off-by: Alex
---
 .github/workflows/changesets.yml     | 3 +++
 .github/workflows/docker-publish.yml | 4 ++++
 .github/workflows/static-data.yml    | 4 ++++
 .github/workflows/website.yml        | 8 ++++++++
 4 files changed, 19 insertions(+)

diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml
index 792d5c2f0..798c2eb0d 100644
--- a/.github/workflows/changesets.yml
+++ b/.github/workflows/changesets.yml
@@ -12,6 +12,9 @@ env:
   CI: true
   PNPM_CACHE_FOLDER: .pnpm-store
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   # Update package versions from changesets.
   version:
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 03f89f99f..de0ba5153 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -15,6 +15,10 @@ on:
       - 'master'
     tags:
       - 'v*'
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   docker:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/static-data.yml b/.github/workflows/static-data.yml
index 13ac4e8ee..a6019028d 100644
--- a/.github/workflows/static-data.yml
+++ b/.github/workflows/static-data.yml
@@ -10,6 +10,10 @@ on:
   # push:
   #   branches:
   #     - master
+
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   prepare:
     name: Run script
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
index 9ebf31d34..929176419 100644
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
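Review bot: The workflow-level `contents: read` in changesets.yml leaves the `version` job, which the context comment says updates package versions from changesets, with no write scope; if that job pushes a version branch or opens the release PR with `GITHUB_TOKEN` it now needs a job-level override of `permissions:` / `contents: write` / `pull-requests: write`, while if it authenticates with a separate PAT nothing more is needed — the job body lies outside the hunk, so please confirm which. The same question applies to the `docker` job in docker-publish.yml, which needs a job-level `packages: write` only if it pushes images to GHCR with `GITHUB_TOKEN` rather than a registry secret. Style, in all four files: the inline comment on `contents: read # to fetch code (actions/checkout)` has one space before `#`, and yamllint's `comments` rule expects two, `contents: read  # to fetch code (actions/checkout)`.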
@@ -9,8 +9,16 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   build:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+      deployments: write
+      pull-requests: write # to comment on pull-requests
+
     runs-on: ubuntu-latest
     env:
       NODE_OPTIONS: --max_old_space_size=4096
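Review bot: The job-level `permissions` block on `build` replaces the workflow-level block rather than merging with it, so the repeated `contents: read` is load-bearing and not a duplicate; a comment on that line, `contents: read # job-level permissions replace the workflow defaults, so checkout scope must be repeated here`, would keep a later cleanup from dropping it. `deployments: write` is the only entry without the explanatory comment the others carry; saying which step consumes it (presumably the deploy action) would document why the scope is granted. The write scopes apply to whatever ref the job checks out: the trigger list beyond `schedule` is outside this hunk, so if it includes `pull_request_target` the job should not build the PR head under `pull-requests: write` and `deployments: write`, and under plain `pull_request` a fork PR receives a read-only token regardless, which limits the "to comment on pull-requests" intent to same-repository branches.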