[StepSecurity] ci: Harden GitHub Actions (#9356)

* [StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> * imprement coderabbit recommendations --------- Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: Igor Velkov <325961+iav@users.noreply.github.com>
2026-03-05 04:47:09 -08:00 · 2026-03-05 04:47:09 -08:00 · c27048a57d
commit c27048a57d
parent ea547d6e0a
11 changed files with 37 additions and 3 deletions
--- a/.github/workflows/data-sync-board-list.yml
+++ b/.github/workflows/data-sync-board-list.yml
@ -7,6 +7,9 @@ on:
      - "config/boards/*.*"
    branches: [main]

+permissions:
+  contents: read
+
 jobs:
  update-board-list-dispatch:
    name: Send dispatch
--- a/.github/workflows/data-sync-labels.yml
+++ b/.github/workflows/data-sync-labels.yml
@ -12,6 +12,9 @@ on:
    paths:
      - ".github/labels.yml"

+permissions:
+  contents: read
+
 jobs:
  labeler:
    permissions:
--- a/.github/workflows/infrastructure-dispatch-to-fork.yml
+++ b/.github/workflows/infrastructure-dispatch-to-fork.yml
@ -8,6 +8,9 @@ on:
  pull_request:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  dispatch-on-forked-repo:
    name: 📢 Run repository dispatch on fork
--- a/.github/workflows/maintenance-announce-merge.yml
+++ b/.github/workflows/maintenance-announce-merge.yml
@ -4,6 +4,9 @@ on:
  push:
    branches: [ main ]

+permissions:
+  contents: read
+
 jobs:
  announcepush:
    # Do not run this workflow in forks
--- a/.github/workflows/maintenance-announce-pr.yml
+++ b/.github/workflows/maintenance-announce-pr.yml
@ -5,11 +5,14 @@ on:
  pull_request:
    types: [ labeled ]

+permissions:
+  contents: read
+
 jobs:
  Announce:
    permissions:
      pull-requests: read
-
+      contents: read
    runs-on: ubuntu-latest
    if: ${{ github.repository == 'armbian/build' && github.event.label.id == '6210849975' }}
    steps:
--- a/.github/workflows/maintenance-check-board-assets.yml
+++ b/.github/workflows/maintenance-check-board-assets.yml
@ -13,6 +13,9 @@ env:
  BOARD_IMAGES_DIR: "board-images"
  VENDOR_LOGOS_DIR: "board-vendor-logos"

+permissions:
+  contents: read
+
 jobs:
  Check:
    name: "Verify assets for newly added boards"
--- a/.github/workflows/maintenance-clean-workflow-logs.yml
+++ b/.github/workflows/maintenance-clean-workflow-logs.yml
@ -15,6 +15,9 @@ env:
  SCHEDULED_RUNS_OLDER_THAN: "10"
  SCHEDULED_RUNS_TO_KEEP: "0"

+permissions:
+  contents: read
+
 jobs:
  clean-logs:
    runs-on: ubuntu-latest
--- a/.github/workflows/maintenance-label-on-approval.yml
+++ b/.github/workflows/maintenance-label-on-approval.yml
@ -4,11 +4,15 @@ on:
    workflows: ["Maintenance: Listen PR review"]
    types: [completed]

+permissions:
+  contents: read
+
 jobs:
  label:
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    permissions:
+      actions: read
      contents: read
      issues: write
      pull-requests: write
--- a/.github/workflows/maintenance-listen-review.yml
+++ b/.github/workflows/maintenance-listen-review.yml
@ -3,6 +3,9 @@ on:
  pull_request_review:
    types: [submitted]

+permissions:
+  contents: read
+
 jobs:
  ping:
    if: ${{ github.event.review.state == 'approved' }}
--- a/.github/workflows/maintenance-welcome-issue.yml
+++ b/.github/workflows/maintenance-welcome-issue.yml
@ -4,6 +4,9 @@ on:
  issues:
    types: opened

+permissions:
+  contents: read
+
 jobs:
  welcome-first-time-contributor:
    runs-on: ubuntu-latest
--- a/.github/workflows/maintenance-welcome-pr.yml
+++ b/.github/workflows/maintenance-welcome-pr.yml
@ -4,6 +4,9 @@ on:
  pull_request_target:
    types: opened

+permissions:
+  contents: read
+
 jobs:
  welcome-first-time-contributor:
    runs-on: ubuntu-latest