From 7c9408ec4477cf561de426dd66346ee935a2d62e Mon Sep 17 00:00:00 2001
From: Lorenzooone
Date: Tue, 5 Jul 2022 15:38:23 +0200
Subject: [PATCH] Harden workflows by defining only strictly needed permissions for all of them (#174)

* Define only needed write permissions
---
 .github/workflows/build_master.yml | 7 ++++++-
 .github/workflows/build_pr.yml | 2 ++
 .github/workflows/test_master.yml | 23 +++++++++++++++++++----
 3 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build_master.yml b/.github/workflows/build_master.yml
index d5498e9..b95b8bf 100644
--- a/.github/workflows/build_master.yml
+++ b/.github/workflows/build_master.yml
@@ -1,10 +1,13 @@
 name: Build
 on:
-  # Trigger the workflow on push or pull request,
+  # Trigger the workflow on push,
   # but only for the master branch
   push:
     branches:
       - master
+
+permissions: read-all
+
 jobs:
   build:
     name: Patch building
@@ -23,6 +26,8 @@ jobs:
     name: Patch publishing
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      contents: write
     steps:
       - name: Download a single artifact
         uses: actions/download-artifact@v3
diff --git a/.github/workflows/build_pr.yml b/.github/workflows/build_pr.yml
index 26cd492..fa4d2b8 100644
--- a/.github/workflows/build_pr.yml
+++ b/.github/workflows/build_pr.yml
@@ -2,6 +2,8 @@ name: Build PR
 on:
   pull_request:
     branches: master
+
+permissions: read-all
 
 jobs:
   build:
diff --git a/.github/workflows/test_master.yml b/.github/workflows/test_master.yml
index 8e3407e..9e742b6 100644
--- a/.github/workflows/test_master.yml
+++ b/.github/workflows/test_master.yml
@@ -1,10 +1,13 @@
 name: Test
 on:
-  # Trigger the workflow on push or pull request,
+  # Trigger the workflow on push,
   # but only for the master branch
   push:
     branches:
       - master
+
+permissions: read-all
+
 jobs:
   test:
     name: Testing
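Review bot: The workflow-level `permissions: read-all` added in the first build_master.yml hunk grants read on every token scope (contents, packages, pull-requests, issues, and so on), which is broader than a build job needs if it only checks out the repository and uploads an artifact; the tighter baseline is `permissions:` followed by `  contents: read`, or `permissions: {}` with each job declaring the scopes it uses. The build job's steps are outside this hunk, so whether any of them needs another read scope cannot be confirmed here. The same `read-all` default is added in the build_pr.yml hunk and in the first test_master.yml hunk, and the same narrowing applies there.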
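Review bot: The job-level `permissions:` block on the "Patch publishing" job in the second build_master.yml hunk replaces the workflow-level `read-all` for that job rather than adding to it, so every scope other than `contents` is `none` there; that is the right least-privilege outcome, but it reads like an addition, and a maintainer who later hits a missing scope may widen the workflow default instead of this block. A one-line comment would fix that: `permissions:  # replaces the workflow-level default for this job; only the scope publishing needs`. The publishing steps after the artifact download are outside the hunk, so I cannot confirm no other scope is used.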
@@ -26,12 +29,24 @@ jobs:
         with:
           name: test-report
           path: out/test.log
-      - name: Create Issue for Test failure
-        if: failure()
+
+  issue_creation:
+    name: Create issue on failure
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    needs: test
+    if: failure()
+    steps:
+      - name: Download a single artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: test-report
+      - name: Create the issue
         uses: peter-evans/create-issue-from-file@v4
         with:
           title: Test failure
-          content-filepath: out/test.log
+          content-filepath: test.log
           labels: |
             report
             automated issue
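Review bot: The new `issue_creation` job depends on the `test-report` artifact, but the upload step in the `test` job (the `with:` block at the top of this hunk) only produces it on a failed run if its own `if:` allows that; that condition is outside the hunk, and without `if: always()` or `if: failure()` on the upload step the artifact will not exist when tests fail, so the added `actions/download-artifact@v3` step errors and the issue is never created. Worth confirming in the test job, since the whole purpose of the new job is the failure path. Since this commit is about hardening, note also that the actions running with the `issues: write` token, the added `actions/download-artifact@v3` and the third-party `peter-evans/create-issue-from-file@v4`, are pinned to mutable major tags; pinning to a full commit SHA with the tag kept in a comment, e.g. `uses: peter-evans/create-issue-from-file@<full-commit-sha-placeholder>  # v4`, keeps a moved tag from changing what runs with that token.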