From dc970965025c63265b9099ec40c8787818f30da5 Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani
Date: Mon, 11 Jul 2022 19:54:49 +0000
Subject: [PATCH] restrict workflow action permissions

Signed-off-by: Ramkumar Chinchani
---
 .github/dependabot.yml | 11 +++++++++++
 .github/workflows/benchmark.yaml | 2 ++
 .github/workflows/cloc.yml | 3 +++
 .github/workflows/cluster.yaml | 2 ++
 .github/workflows/dco.yml | 3 +++
 .github/workflows/license.yaml | 2 ++
 .github/workflows/tls.yaml | 2 ++
 README.md | 2 +-
 8 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..ac6621f1
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/benchmark.yaml b/.github/workflows/benchmark.yaml
index a1ef8e3d..1729fe86 100644
--- a/.github/workflows/benchmark.yaml
+++ b/.github/workflows/benchmark.yaml
@@ -7,6 +7,8 @@ on:
     # The branches below must be a subset of the branches above
     branches: [main]
 
+permissions: read-all
+
 jobs:
   benchmark:
     name: Performance regression check
diff --git a/.github/workflows/cloc.yml b/.github/workflows/cloc.yml
index 655cb187..24149412 100644
--- a/.github/workflows/cloc.yml
+++ b/.github/workflows/cloc.yml
@@ -9,6 +9,9 @@ on:
   release:
     types:
       - published
+
+permissions: read-all
+
 jobs:
   loc:
     name: Lines of code
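Review bot: `package-ecosystem: ""` in the new .github/dependabot.yml is the unfilled GitHub starter template, so Dependabot has no ecosystem to watch and will not open any update pull requests from this file. Given that the rest of the commit hardens the workflows, the value that fits is `package-ecosystem: "github-actions"` together with the existing `directory: "/"`, which keeps the action versions referenced under .github/workflows current. The two "See documentation" placeholder comments on those lines can be dropped once the values are filled in.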
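Review bot: `permissions: read-all` in benchmark.yaml grants the job token read access on every scope (packages, pull-requests, deployments, and so on), which is more than a read-only check needs; the least-privilege default is `permissions:` followed by `  contents: read` at the workflow level, adding a single extra scope per job only where a step actually needs it. The same `read-all` line is added in cloc.yml, cluster.yaml, dco.yml, license.yaml and tls.yaml, so the same narrowing applies there. The job bodies are outside these hunks, so whether any step needs a broader scope (for example to post a check or comment) cannot be confirmed from the diff and should be checked before tightening.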
diff --git a/.github/workflows/cluster.yaml b/.github/workflows/cluster.yaml
index fdb92a30..663ddf22 100644
--- a/.github/workflows/cluster.yaml
+++ b/.github/workflows/cluster.yaml
@@ -9,6 +9,8 @@ on:
     types:
       - published
 
+permissions: read-all
+
 jobs:
   client-tools:
     name: Stateless zot with shared reliable storage
diff --git a/.github/workflows/dco.yml b/.github/workflows/dco.yml
index efe506c4..cfec6e55 100644
--- a/.github/workflows/dco.yml
+++ b/.github/workflows/dco.yml
@@ -5,6 +5,9 @@ on:
   push:
     branches:
       - main
+
+permissions: read-all
+
 jobs:
   check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/license.yaml b/.github/workflows/license.yaml
index 770558ce..a414a7e8 100644
--- a/.github/workflows/license.yaml
+++ b/.github/workflows/license.yaml
@@ -11,6 +11,8 @@ on:
     # The branches below must be a subset of the branches above
     branches: [main]
 
+permissions: read-all
+
 jobs:
   license-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/tls.yaml b/.github/workflows/tls.yaml
index ab119191..a2c2a526 100644
--- a/.github/workflows/tls.yaml
+++ b/.github/workflows/tls.yaml
@@ -7,6 +7,8 @@ on:
     # The branches below must be a subset of the branches above
     branches: [main]
 
+permissions: read-all
+
 jobs:
   tls-check:
     runs-on: ubuntu-latest
diff --git a/README.md b/README.md
index 316e389e..42f069c3 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# zot [![build-test](https://github.com/project-zot/zot/actions/workflows/ci-cd.yml/badge.svg?branch=main)](https://github.com/project-zot/zot/actions/workflows/ci-cd.yml) [![codecov.io](http://codecov.io/github/project-zot/zot/coverage.svg?branch=main)](http://codecov.io/github/project-zot/zot?branch=main) [![Conformance Results](https://github.com/project-zot/zot/workflows/conformance/badge.svg)](https://github.com/project-zot/zot/actions?query=workflow%3Aconformance) [![CodeQL](https://github.com/project-zot/zot/workflows/CodeQL/badge.svg)](https://github.com/project-zot/zot/actions?query=workflow%3ACodeQL)
+# zot [![build-test](https://github.com/project-zot/zot/actions/workflows/ci-cd.yml/badge.svg?branch=main)](https://github.com/project-zot/zot/actions/workflows/ci-cd.yml) [![codecov.io](http://codecov.io/github/project-zot/zot/coverage.svg?branch=main)](http://codecov.io/github/project-zot/zot?branch=main) [![Conformance Results](https://github.com/project-zot/zot/workflows/conformance/badge.svg)](https://github.com/project-zot/zot/actions?query=workflow%3Aconformance) [![CodeQL](https://github.com/project-zot/zot/workflows/CodeQL/badge.svg)](https://github.com/project-zot/zot/actions?query=workflow%3ACodeQL) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/5425/badge)](https://bestpractices.coreinfrastructure.org/projects/5425)
 
 **zot**: a production-ready vendor-neutral OCI image registry - images stored in [OCI image format](https://github.com/opencontainers/image-spec), [distribution specification](https://github.com/opencontainers/distribution-spec) on-the-wire, that's it!