From 4246fad6863e603c7579fa19f9cc0892818f1f0f Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Thu, 24 Apr 2025 05:08:31 +0000 Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot --- .github/workflows/ci.yml | 3 +++ .github/workflows/clang-tidy.yaml | 3 +++ .github/workflows/cmake_install.yml | 3 +++ .github/workflows/codeql-analysis.yml | 7 +++++++ .github/workflows/cppcheck.yml | 3 +++ .github/workflows/dependencies_image.yml | 3 +++ .github/workflows/project_management_comment.yml | 3 +++ 7 files changed, 25 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c2a36a97d9..9b9fad3676 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -6,6 +6,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: # Commented 2024-11-06, lack of workers in github causes CI failures diff --git a/.github/workflows/clang-tidy.yaml b/.github/workflows/clang-tidy.yaml index 8a2c3c1b9b..a894292e00 100644 --- a/.github/workflows/clang-tidy.yaml +++ b/.github/workflows/clang-tidy.yaml @@ -6,6 +6,9 @@ on: pull_request: branches: [main] +permissions: + contents: read + jobs: clang-tidy: runs-on: ubuntu-24.04 diff --git a/.github/workflows/cmake_install.yml b/.github/workflows/cmake_install.yml index ed4411398a..eb73b8e333 100644 --- a/.github/workflows/cmake_install.yml +++ b/.github/workflows/cmake_install.yml @@ -7,6 +7,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: windows_2022_vcpkg_submodule: name: Windows 2022 vcpkg submodule versions cxx17 (static libs - dll) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 684e925c37..f21eae719a 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
@@ -7,8 +7,15 @@ on: # The branches below must be a subset of the branches above branches: [main] +permissions: + contents: read + jobs: CodeQL-Build: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/.github/workflows/cppcheck.yml b/.github/workflows/cppcheck.yml index a1239c75a1..df51371a2d 100644 --- a/.github/workflows/cppcheck.yml +++ b/.github/workflows/cppcheck.yml @@ -7,6 +7,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: cppcheck: runs-on: ubuntu-24.04 diff --git a/.github/workflows/dependencies_image.yml b/.github/workflows/dependencies_image.yml index 9e5043e91d..8af57aa891 100644 --- a/.github/workflows/dependencies_image.yml +++ b/.github/workflows/dependencies_image.yml @@ -3,6 +3,9 @@ on: schedule: - cron: "0 3 * * 6" +permissions: + contents: read + jobs: docker_image: name: Docker Image diff --git a/.github/workflows/project_management_comment.yml b/.github/workflows/project_management_comment.yml index bddf31549a..621ff9e174 100644 --- a/.github/workflows/project_management_comment.yml +++ b/.github/workflows/project_management_comment.yml @@ -4,6 +4,9 @@ on: issues: types: - labeled +permissions: + contents: read + jobs: add-comment: if: github.event.label.name == 'help wanted'
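Review bot: The inline comment on the new `security-events: write` grant attributes it to `github/codeql-action/autobuild`, but that scope is consumed by `github/codeql-action/analyze`, which uploads the SARIF results to code scanning; autobuild only compiles the project and sends no security events. Since these comments read as authoritative to whoever next trims the grants, name the right consumer: `security-events: write # for github/codeql-action/analyze to upload SARIF results`. `actions: read` is documented by codeql-action as required only for private repositories, so a short comment to that effect would let a maintainer drop it later if this repository is public; I cannot tell its visibility from the hunk. The CodeQL-Build job's steps continue past the hunk, so the `uses:` references for checkout and the codeql actions (and whether they are SHA-pinned) are not reviewed here.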
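Review bot: The workflow-level `permissions: contents: read` now caps GITHUB_TOKEN for the `docker_image` job, whose body lies outside the hunk; if that job pushes the built image to GHCR with `${{ secrets.GITHUB_TOKEN }}`, the push will fail with a 403 because `packages: write` is no longer implied by the default token. If it does push that way, grant the scope at the job level so the workflow default stays read-only: under `docker_image:` add `permissions:` / `contents: read` / `packages: write`. If the push instead uses a registry credential stored as a repository secret, no change is needed, but a one-line comment saying so above the login step would spare the next reader this same check. Because this workflow only runs on a weekly `schedule`, a broken push would not surface in any PR check, so verify with a manual run after merging.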
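Review bot: The new workflow-level `permissions: contents: read` removes the `issues: write` scope that the permissive default token grants, yet the `add-comment` job (body outside the hunk) reacting to an `issues: labeled` event with the `help wanted` label almost certainly posts an issue comment; if it does so via GITHUB_TOKEN (for example `actions/github-script` or `gh issue comment`), it will now fail with "Resource not accessible by integration". Declare the scope on the job rather than widening the workflow default: under `add-comment:` add `permissions:` / `issues: write`. This assumes the repository still uses the permissive default token setting; if it was already set to read-only, the job has been broken since then and this commit merely makes the requirement explicit. Either way, trigger the workflow once on a test issue after merging, since a failure here is silent until someone opens the Actions tab.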