From c27048a57da2b8b7baed91fbe59d4232308bd69c Mon Sep 17 00:00:00 2001
From: StepSecurity Bot
Date: Thu, 5 Mar 2026 04:47:09 -0800
Subject: [PATCH] [StepSecurity] ci: Harden GitHub Actions (#9356)
* [StepSecurity] ci: Harden GitHub Actions
Signed-off-by: StepSecurity Bot
* imprement coderabbit recommendations
---------
Signed-off-by: StepSecurity Bot
Co-authored-by: Igor Velkov <325961+iav@users.noreply.github.com>
---
 .github/workflows/data-sync-board-list.yml | 3 +++
 .github/workflows/data-sync-labels.yml | 3 +++
 .github/workflows/infrastructure-dispatch-to-fork.yml | 3 +++
 .github/workflows/maintenance-announce-merge.yml | 3 +++
 .github/workflows/maintenance-announce-pr.yml | 7 +++++--
 .github/workflows/maintenance-check-board-assets.yml | 3 +++
 .github/workflows/maintenance-clean-workflow-logs.yml | 3 +++
 .github/workflows/maintenance-label-on-approval.yml | 6 +++++-
 .github/workflows/maintenance-listen-review.yml | 3 +++
 .github/workflows/maintenance-welcome-issue.yml | 3 +++
 .github/workflows/maintenance-welcome-pr.yml | 3 +++
 11 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/data-sync-board-list.yml b/.github/workflows/data-sync-board-list.yml
index 01fbfab1ff..0769cd2772 100644
--- a/.github/workflows/data-sync-board-list.yml
+++ b/.github/workflows/data-sync-board-list.yml
@@ -7,6 +7,9 @@ on:
 - "config/boards/*.*"
 branches: [main]
+permissions:
+ contents: read
+
 jobs:
 update-board-list-dispatch:
 name: Send dispatch
diff --git a/.github/workflows/data-sync-labels.yml b/.github/workflows/data-sync-labels.yml
index 21a645c17a..17464b066f 100644
--- a/.github/workflows/data-sync-labels.yml
+++ b/.github/workflows/data-sync-labels.yml
@@ -12,6 +12,9 @@ on:
 paths:
 - ".github/labels.yml"
+permissions:
+ contents: read
+
 jobs:
 labeler:
 permissions:
diff --git a/.github/workflows/infrastructure-dispatch-to-fork.yml b/.github/workflows/infrastructure-dispatch-to-fork.yml
index 45cf78bcd7..ddb2f22d1f 100644
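Review bot: The `update-board-list-dispatch` job in the data-sync-board-list.yml hunk (`@@ -7,6 +7,9 @@`) shows no job-level `permissions:` block, and the new workflow-level `contents: read` makes GITHUB_TOKEN read-only for every job that does not override it, so a job that previously relied on the default write-scoped token will now be denied. Creating a repository dispatch with GITHUB_TOKEN needs `contents: write`, though if the step uses a PAT from secrets nothing changes; the job body is outside the hunk, so this is worth confirming before merge. The same check applies to the visible job headers in infrastructure-dispatch-to-fork.yml, maintenance-announce-merge.yml, maintenance-check-board-assets.yml, maintenance-clean-workflow-logs.yml, maintenance-listen-review.yml, maintenance-welcome-issue.yml and maintenance-welcome-pr.yml, none of which show a job-level block. A short comment above the new block would make the intent explicit for the next editor: `# Default token is read-only; jobs that need write scopes declare their own permissions block`.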
--- a/.github/workflows/infrastructure-dispatch-to-fork.yml
+++ b/.github/workflows/infrastructure-dispatch-to-fork.yml
@@ -8,6 +8,9 @@ on:
 pull_request:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 dispatch-on-forked-repo:
 name: 📢 Run repository dispatch on fork
diff --git a/.github/workflows/maintenance-announce-merge.yml b/.github/workflows/maintenance-announce-merge.yml
index 05d743f3c1..0ba435de99 100644
--- a/.github/workflows/maintenance-announce-merge.yml
+++ b/.github/workflows/maintenance-announce-merge.yml
@@ -4,6 +4,9 @@ on:
 push:
 branches: [ main ]
+permissions:
+ contents: read
+
 jobs:
 announcepush:
 # Do not run this workflow in forks
diff --git a/.github/workflows/maintenance-announce-pr.yml b/.github/workflows/maintenance-announce-pr.yml
index 4e316789a8..5f1017338f 100644
--- a/.github/workflows/maintenance-announce-pr.yml
+++ b/.github/workflows/maintenance-announce-pr.yml
@@ -5,11 +5,14 @@ on:
 pull_request:
 types: [ labeled ]
+permissions:
+ contents: read
+
 jobs:
 Announce:
 permissions:
 pull-requests: read
-
+ contents: read
 runs-on: ubuntu-latest
 if: ${{ github.repository == 'armbian/build' && github.event.label.id == '6210849975' }}
 steps:
@@ -22,4 +25,4 @@ jobs:
 curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X POST --data \
 "{\"username\": \"Github\", \"avatar_url\": \"${{ secrets.AVATARURL }}\", \"content\": \"\
 :arrow_heading_up: **Pull request** to [$GITHUB_REPOSITORY](<$GITHUB_SERVER_URL/$GITHUB_REPOSITORY>) by [$GITHUB_ACTOR](<$GITHUB_SERVER_URL/$GITHUB_ACTOR>) - **Please review!** \
- :point_right: [Link](<$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/${{github.event.pull_request.number}}>): *$(git show -s --format=%s)*\"}" ${{ secrets.WEBHOOKURL }}
+ :point_right: [Link](<$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/${{github.event.pull_request.number}}>): *$(git show -s --format=%s)*\"}" ${{ secrets.WEBHOOKURL }}
\ No newline at end of file
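Review bot: The re-added last line of the second hunk in maintenance-announce-pr.yml (`@@ -22,4 +25,4 @@`) is followed by `\ No newline at end of file`, while the removed line had a trailing newline, so the net effect of that hunk is a whitespace change that also drops the file's final newline; the same happens at the end of maintenance-label-on-approval.yml (`@@ -51,4 +55,4 @@`). Both files should end with exactly one newline, otherwise the next edit to either file shows up as a spurious change to an unrelated closing line. The `run:` script that this line belongs to starts outside the hunk, so the rest of the command was not reviewed here.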
diff --git a/.github/workflows/maintenance-check-board-assets.yml b/.github/workflows/maintenance-check-board-assets.yml
index 925c40570e..035c36e138 100644
--- a/.github/workflows/maintenance-check-board-assets.yml
+++ b/.github/workflows/maintenance-check-board-assets.yml
@@ -13,6 +13,9 @@ env:
 BOARD_IMAGES_DIR: "board-images"
 VENDOR_LOGOS_DIR: "board-vendor-logos"
+permissions:
+ contents: read
+
 jobs:
 Check:
 name: "Verify assets for newly added boards"
diff --git a/.github/workflows/maintenance-clean-workflow-logs.yml b/.github/workflows/maintenance-clean-workflow-logs.yml
index 5815e95d2f..ecb3812438 100644
--- a/.github/workflows/maintenance-clean-workflow-logs.yml
+++ b/.github/workflows/maintenance-clean-workflow-logs.yml
@@ -15,6 +15,9 @@ env:
 SCHEDULED_RUNS_OLDER_THAN: "10"
 SCHEDULED_RUNS_TO_KEEP: "0"
+permissions:
+ contents: read
+
 jobs:
 clean-logs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/maintenance-label-on-approval.yml b/.github/workflows/maintenance-label-on-approval.yml
index 0f5ddcd509..8e1c71b141 100644
--- a/.github/workflows/maintenance-label-on-approval.yml
+++ b/.github/workflows/maintenance-label-on-approval.yml
@@ -4,11 +4,15 @@ on:
 workflows: ["Maintenance: Listen PR review"]
 types: [completed]
+permissions:
+ contents: read
+
 jobs:
 label:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 runs-on: ubuntu-latest
 permissions:
+ actions: read
 contents: read
 issues: write
 pull-requests: write
@@ -51,4 +55,4 @@ jobs:
 } catch (e) {
 core.warning(`Could not remove label "${name}": ${e.message}`);
 }
- }
+ }
\ No newline at end of file
diff --git a/.github/workflows/maintenance-listen-review.yml b/.github/workflows/maintenance-listen-review.yml
index 3ea6277533..6e31c36d3e 100644
--- a/.github/workflows/maintenance-listen-review.yml
+++ b/.github/workflows/maintenance-listen-review.yml
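Review bot: The `clean-logs` job in maintenance-clean-workflow-logs.yml (`@@ -15,6 +15,9 @@`) shows `runs-on` with no job-level `permissions:` block, and the `SCHEDULED_RUNS_OLDER_THAN`/`SCHEDULED_RUNS_TO_KEEP` env names suggest it deletes workflow runs, which requires `actions: write` on GITHUB_TOKEN; under the new workflow-level `contents: read` that scope is no longer in the default token. If the steps below the hunk authenticate with GITHUB_TOKEN, the job needs its own block, `permissions:` followed by `actions: write`, and nothing else, so the read-only default still applies elsewhere. If they use a PAT from secrets instead, behaviour is unchanged, but a one-line comment on the job saying which token it uses would spare the next reader the same check.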
@@ -3,6 +3,9 @@ on:
 pull_request_review:
 types: [submitted]
+permissions:
+ contents: read
+
 jobs:
 ping:
 if: ${{ github.event.review.state == 'approved' }}
diff --git a/.github/workflows/maintenance-welcome-issue.yml b/.github/workflows/maintenance-welcome-issue.yml
index 6b59b47d77..cf38795ccd 100644
--- a/.github/workflows/maintenance-welcome-issue.yml
+++ b/.github/workflows/maintenance-welcome-issue.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types: opened
+permissions:
+ contents: read
+
 jobs:
 welcome-first-time-contributor:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/maintenance-welcome-pr.yml b/.github/workflows/maintenance-welcome-pr.yml
index 729dca7c91..ff2c1b1e20 100644
--- a/.github/workflows/maintenance-welcome-pr.yml
+++ b/.github/workflows/maintenance-welcome-pr.yml
@@ -4,6 +4,9 @@ on:
 pull_request_target:
 types: opened
+permissions:
+ contents: read
+
 jobs:
 welcome-first-time-contributor:
 runs-on: ubuntu-latest