From d91078491c3b1fb371d5a23c9725ab57a4be17b0 Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Tue, 12 Dec 2023 10:16:12 +0000
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot
---
 .github/workflows/CIBase.yml | 3 +++
 .github/workflows/changelog-updater.yml | 5 +++++
 .github/workflows/docker.yml | 3 +++
 .github/workflows/inactivity.yml | 3 +++
 .github/workflows/markdown-links-check.yml | 3 +++
 .github/workflows/release-drafter.yml | 6 ++++++
 6 files changed, 23 insertions(+)

diff --git a/.github/workflows/CIBase.yml b/.github/workflows/CIBase.yml
index 52c43a7c30..9ad3fd0870 100644
--- a/.github/workflows/CIBase.yml
+++ b/.github/workflows/CIBase.yml
@@ -7,6 +7,9 @@ on:
 - 'release/**'
 - 'support/**'
 
+permissions:
+ contents: read
+
 jobs:
 starter:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/changelog-updater.yml b/.github/workflows/changelog-updater.yml
index c9963e58cc..cb95cc1f61 100644
--- a/.github/workflows/changelog-updater.yml
+++ b/.github/workflows/changelog-updater.yml
@@ -4,8 +4,13 @@ on:
 release:
 types: [released]
 
+permissions:
+ contents: read
+
 jobs:
 update:
+ permissions:
+ contents: write # for stefanzweifel/git-auto-commit-action to push code in repo
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index befc6b0336..ffacb871e9 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -17,6 +17,9 @@ on:
 required: true
 default: 'heat:1.3.0_torch2.0.0_cu12.1'
 type: string
+permissions:
+ contents: read
+
 jobs:
 build-and-push-img:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/inactivity.yml b/.github/workflows/inactivity.yml
index 5ca6e28768..8e9ef8a8f6 100644
--- a/.github/workflows/inactivity.yml
+++ b/.github/workflows/inactivity.yml
@@ -3,6 +3,9 @@ on:
 schedule:
 - cron: "30 1 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
 close-issues:
 runs-on: ubuntu-latest
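Review bot: The workflow-level `contents: read` inserted before `jobs:` in docker.yml also governs `build-and-push-img`, and nothing in the hunk restores a write scope for that job; if the image push authenticates to ghcr.io with the workflow's `GITHUB_TOKEN`, the job needs its own `permissions:` block with `packages: write` (the changelog-updater and release-drafter hunks do this for their write needs), whereas a push authenticated with registry credentials from secrets is unaffected. The job's steps are outside the hunk, so this has to be confirmed against them. As a point of style, the other five workflows separate the new block from the `on:` section with a blank line, while here `permissions:` directly follows `type: string`.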
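Review bot: The job `close-issues` in inactivity.yml presumably closes issues or pull requests through the API, which requires `issues: write` (and `pull-requests: write` if it also handles PRs) on the token; with the new workflow-level `contents: read` and no job-level grant in this hunk, the job would run with a read-only token and its close calls would be expected to be rejected. The job's steps are outside the hunk, so confirm which action it runs; if it does write, add under `close-issues:` a `permissions:` block with `issues: write` and a trailing comment naming the action that needs it, as the changelog-updater hunk does.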
diff --git a/.github/workflows/markdown-links-check.yml b/.github/workflows/markdown-links-check.yml
index 892bc2b02d..f394a60050 100644
--- a/.github/workflows/markdown-links-check.yml
+++ b/.github/workflows/markdown-links-check.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "0 9 * * 1"
 
+permissions:
+ contents: read
+
 jobs:
 check-links:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index a7cf0406fd..309bcbd5aa 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -4,8 +4,14 @@ on:
 pull_request_target:
 types: [closed]
 
+permissions:
+ contents: read
+
 jobs:
 update_release_draft:
+ permissions:
+ contents: write # for release-drafter/release-drafter to create a github release
+ pull-requests: write # for release-drafter/release-drafter to add label to PR
 runs-on: ubuntu-latest
 steps:
 - uses: release-drafter/release-drafter@v5
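Review bot: The job-level `contents: write` and `pull-requests: write` in release-drafter.yml now sit on a job triggered by `pull_request_target`, which runs in the base repository's context with access to its secrets; scoping the token is the right direction, but the `- uses: release-drafter/release-drafter@v5` step directly below is still pinned to a mutable tag, so a compromised or moved tag would execute with exactly those write scopes. Pin the action to a full commit SHA and keep the version in a trailing comment, e.g. `- uses: release-drafter/release-drafter@<commit-sha> # v5` (placeholder SHA). Any further steps of `update_release_draft` are outside the hunk; confirm none of them checks out or executes pull-request head code under this token.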