Added top-level token permission and move write permission to job level

zibaiwan · zibaiwan · commit 03b3b55e1283 · 2024-01-03T11:34:27.000-08:00
diff --git a/.github/workflows/build-windows.yml b/.github/workflows/build-windows.yml
@@ -5,6 +5,12 @@
 
 name: build on Windows
 
+# https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
+permissions:
+  # Grant read permissions to repository in case it is not a forked public
+  # repository, but a private repository that was created manually.
+  contents: read
+
 on:
   push:
     paths:
diff --git a/.github/workflows/container-prune.yml b/.github/workflows/container-prune.yml
@@ -9,6 +9,12 @@ name: prune container images on self-hosted runners
 # docker permits only a single prune operation at a time
 concurrency: container-prune
 
+# https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
+# https://github.com/ossf/scorecard/blob/2ef20f17fb2e64147c83440cd2c769653454015a/docs/checks.md#token-permissions
+permissions:
+  # top-level permissions must be defined for security reasons.
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
@@ -24,10 +24,6 @@ permissions:
   # repository, but a private repository that was created manually.
   contents: read
 
-  # If trigger-specific permissions were supported, write permissions to the
-  # container registry would only be needed for push events.
-  packages: write
-
 on:
   push:
     branches:
@@ -61,6 +57,11 @@ jobs:
   build:
     runs-on: ubuntu-20.04
 
+    permissions:
+      # If trigger-specific permissions were supported, write permissions to the
+      # container registry would only be needed for push events.
+      packages: write
+
     # This rebuilds all container images whenever any single Dockerfile is
     # changed. Therefore, when iterating on a container change, consider
     # temporarily commenting all but the container of interest below.
diff --git a/.github/workflows/fuzz-test.yml b/.github/workflows/fuzz-test.yml
@@ -1,5 +1,11 @@
 name: Runtime Fuzz Testing
 
+# https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
+# https://github.com/ossf/scorecard/blob/2ef20f17fb2e64147c83440cd2c769653454015a/docs/checks.md#token-permissions
+permissions:
+  # top-level permissions must be defined for security reasons.
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/unix.yml b/.github/workflows/unix.yml
@@ -9,6 +9,12 @@
 # enforce UNIX line endings for all except Windows-specific text files.
 name: ensure UNIX line endings
 
+# https://github.blog/changelog/2021-04-20-github-actions-control-permissions-for-github_token/
+# https://github.com/ossf/scorecard/blob/2ef20f17fb2e64147c83440cd2c769653454015a/docs/checks.md#token-permissions
+permissions:
+  # top-level permissions must be defined for security reasons.
+  contents: read
+
 on:
   push:
   pull_request:
diff --git a/container/rockylinux-9-dev/Dockerfile b/container/rockylinux-9-dev/Dockerfile
@@ -23,7 +23,7 @@ RUN \
   && yum -y upgrade \
   && yum -y install \
   cmake \
-  curl \
+  # curl \ Start from rockylinux 9.2, curl is available by default
   elfutils-libelf-devel \
   gcc \
   gcc-c++ \
