From e262c66c5c2ff19b4b8a554693143fa38b64bd82 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edouard=20Choini=C3=A8re?= <27212526+echoix@users.noreply.github.com>
Date: Sat, 11 Jan 2025 16:33:40 +0000
Subject: [PATCH] CI: Restrict default permissions on GitHub Actions workflows

---
 .github/workflows/additional_checks.yml | 2 ++
 .github/workflows/docker.yml | 7 ++++++-
 .github/workflows/gcc.yml | 2 ++
 .github/workflows/macos.yml | 3 +++
 .github/workflows/milestones.yml | 7 ++++++-
 .github/workflows/osgeo4w.yml | 2 ++
 .github/workflows/periodic_update.yml | 6 ++++++
 .github/workflows/pytest.yml | 2 ++
 .github/workflows/python-code-quality.yml | 2 ++
 .github/workflows/super-linter.yml | 2 ++
 .github/workflows/ubuntu.yml | 2 ++
 .github/workflows/verify-success.yml | 12 +++++++-----
 12 files changed, 42 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/additional_checks.yml b/.github/workflows/additional_checks.yml
index 76554f24db3..3ec9b1fd0ac 100644
--- a/.github/workflows/additional_checks.yml
+++ b/.github/workflows/additional_checks.yml
@@ -17,6 +17,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 additional-checks:
 name: Additional checks
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 68a0fa03f11..5c0b54fdb7f 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -22,8 +22,9 @@ on:
 release:
 types: [published]
-jobs:
+permissions: {}
+jobs:
 # Run for push to configured branches and all published releases.
 # Take care of different os.
 # For main branch, created tags are:
@@ -47,6 +48,10 @@ jobs:
 - ubuntu_wxgui
 fail-fast: false
+ permissions:
+ contents: read
+ packages: write
+
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/gcc.yml b/.github/workflows/gcc.yml
index 6b6286ef3f0..9e508baf81f 100644
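Review bot: In the second docker.yml hunk, the job-level `packages: write` applies to every event that runs this matrix job, while the comment block in the first hunk says images are published only for pushes to configured branches and published releases; job permissions cannot be conditioned on the event, so if the workflow also builds on pull requests, those builds run with a token able to publish to the registry. If that is the case, the publish step could move to a separate job that owns `packages: write` and is gated with `if: github.event_name != 'pull_request'`, leaving the build job at `contents: read`; at minimum, document the grant above the block with `# packages: write: needed by the image push step`. The steps and the full `on:` block are outside the hunk, so this is inferred from the visible trigger and comment; the enclosing job starts before the hunk.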
--- a/.github/workflows/gcc.yml
+++ b/.github/workflows/gcc.yml
@@ -8,6 +8,8 @@ on:
 - releasebranch_*
 pull_request:
+permissions: {}
+
 jobs:
 build:
 name: ${{ matrix.c }} & ${{ matrix.cpp }}
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 116c628b340..b0a95d348d5 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -14,6 +14,9 @@ env:
 concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
+
+permissions: {}
+
 jobs:
 macos_build:
 name: macOS build
diff --git a/.github/workflows/milestones.yml b/.github/workflows/milestones.yml
index e2ade4eb091..4e9fa634a75 100644
--- a/.github/workflows/milestones.yml
+++ b/.github/workflows/milestones.yml
@@ -5,12 +5,17 @@ on:
 pull_request_target:
 types: [closed]
+permissions: {}
+
 jobs:
 assign-milestone:
 runs-on: ubuntu-latest
 if: github.event.pull_request.merged
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
- # Retreiving the current milestoone from API instead of github context,
+ # Retrieving the current milestone from API instead of github context,
 # so up-to-date information is used when running after being queued or for reruns
 # Otherwise, the information should be available using
 # ${{ github.event.pull_request.milestone.title }}
diff --git a/.github/workflows/osgeo4w.yml b/.github/workflows/osgeo4w.yml
index ef5d44581c1..5eb97761c03 100644
--- a/.github/workflows/osgeo4w.yml
+++ b/.github/workflows/osgeo4w.yml
@@ -8,6 +8,8 @@ on:
 - releasebranch_*
 pull_request:
+permissions: {}
+
 jobs:
 build:
 name: ${{ matrix.os }} build and tests
diff --git a/.github/workflows/periodic_update.yml b/.github/workflows/periodic_update.yml
index 64887e51827..a60d8a8e159 100644
--- a/.github/workflows/periodic_update.yml
+++ b/.github/workflows/periodic_update.yml
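Review bot: The milestones.yml hunk grants `contents: read` next to `pull-requests: write` on a job triggered by `pull_request_target`; the milestone is presumably set through the API, which does not read repository contents, so unless a step checks out the repository that line can be dropped. Because `pull_request_target` runs with the base repository's write-capable token, any checkout in this job must stay on the base ref rather than the PR head — the steps are outside the hunk, so this is worth confirming rather than assuming. The hunk also leaves no blank line between the job-level `permissions:` block and `steps:`, unlike the same blocks added in docker.yml and periodic_update.yml; add one for consistency.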
@@ -10,12 +10,18 @@ on:
 # See https://crontab.guru/#32_10_*/100,1-7_*_WED
 - cron: "32 10 */100,1-7 * WED"
+permissions: {}
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
 update-configure:
 # The type of runner that the job will run on
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+
 # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
 - name: Create URL to the run output
diff --git a/.github/workflows/pytest.yml b/.github/workflows/pytest.yml
index b8fb42ec342..be266a744cf 100644
--- a/.github/workflows/pytest.yml
+++ b/.github/workflows/pytest.yml
@@ -8,6 +8,8 @@ on:
 - releasebranch_*
 pull_request:
+permissions: {}
+
 jobs:
 pytest:
 concurrency:
diff --git a/.github/workflows/python-code-quality.yml b/.github/workflows/python-code-quality.yml
index 0ac0360168c..627dbfc13f3 100644
--- a/.github/workflows/python-code-quality.yml
+++ b/.github/workflows/python-code-quality.yml
@@ -8,6 +8,8 @@ on:
 - releasebranch_*
 pull_request:
+permissions: {}
+
 jobs:
 python-checks:
 name: Python Code Quality Checks
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
index 01a22f99edf..3138da70dda 100644
--- a/.github/workflows/super-linter.yml
+++ b/.github/workflows/super-linter.yml
@@ -12,6 +12,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
 cancel-in-progress: true
+permissions: {}
+
 jobs:
 super-linter:
 name: GitHub Super Linter
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index ffdb3083771..5f130a00812 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -10,6 +10,8 @@ on:
 - releasebranch_*
 pull_request:
+permissions: {}
+
 jobs:
 ubuntu:
 concurrency:
diff --git a/.github/workflows/verify-success.yml b/.github/workflows/verify-success.yml
index 237c239f576..92fff2e1d12 100644
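Review bot: The job-level `contents: write` in the periodic_update.yml hunk is the broadest grant in this commit and nothing in the hunk says why it is needed; if the job pushes an update branch and opens a pull request (inferred from `pull-requests: write` and the job name), record that above the block: `# contents: write to push the update branch, pull-requests: write to open the PR`. If the push is done with a separately supplied token instead, `contents: write` on GITHUB_TOKEN may be unnecessary and should be dropped. The steps are outside the hunk, so this is inferred from the visible lines.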
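Review bot: super-linter.yml now carries only the empty top-level `permissions: {}`, and the hunk adds no job-level grant; super-linter's documented permissions are `contents: read`, `packages: read` and `statuses: write`, and with its default commit-status reporting enabled the step would fail to post statuses under a metadata-only token. If the job already has its own `permissions:` block or sets `MULTI_STATUS: false`, nothing is needed; otherwise add at job level `permissions:` / `  contents: read` / `  statuses: write`. The job body is outside the hunk, so this is inferred from what is visible.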
--- a/.github/workflows/verify-success.yml
+++ b/.github/workflows/verify-success.yml
@@ -45,34 +45,36 @@ on:
 type: string
 required: true
 # Can't escape the handlebars in the description
- description:
+ description: >-
 In the calling job that defines all the needed jobs, send `toJson(needs)` inside `$` followed by `{{ }}`
 fail_if_failure:
 type: boolean
 default: true
- description:
+ description: >-
 If true, this workflow will fail if any job from 'needs_context was failed
 fail_if_cancelled:
 type: boolean
 default: true
- description:
+ description: >-
 If true, this workflow will fail if any job from 'needs_context' was cancelled
 fail_if_skipped:
 type: boolean
 default: false
- description:
+ description: >-
 If true, this workflow will fail if any job from 'needs_context' was skipped
 require_success:
 type: boolean
 default: true
- description:
+ description: >-
 If true, this workflow will fail if no job from 'needs_context' was successful
+permissions: {}
+
 jobs:
 verify-success:
 name: Success
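Review bot: The text folded under the new `description: >-` for `fail_if_failure` still reads `'needs_context was failed`, missing the closing quote the other four descriptions have; since these lines are being reworked in this hunk, fix it in the same pass: `If true, this workflow will fail if any job from 'needs_context' was failed`. The switch from a bare `description:` followed by an indented plain scalar to `>-` keeps the same folded value while making the intent explicit, so that part is fine. For a `workflow_call` workflow the top-level `permissions: {}` can only narrow what the caller grants, which fits a job that only inspects `needs`; the `inputs:` stanza starts before the hunk and the job body continues after it.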