Improving OSSF Scorecard score - Part 1 (#32)

fproulx-boostsecurity · web-flow · commit efc87492285d · 2024-04-17T15:09:31.000-04:00
* Improving OSSF Scorecard score - Part 1 As of this writing, https://securityscorecards.dev/viewer/?uri=github.com%2Fboostsecurityio%2Fpoutine: ``` Reason detected GitHub workflow tokens with excessive permissions Details Warn: topLevel 'security-events' permission set to 'write': .github/workflows/pop.yml:17 Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:15 Warn: topLevel 'packages' permission set to 'write': .github/workflows/release.yml:16 ``` Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com> * Update release.yml Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com> * Update build_test.yml Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com> * Update codeql.yml Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com> * Update dependency-review.yml Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com> * Update build_test.yml Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com> * Update build_test.yml Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com> --------- Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com>
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -17,6 +17,11 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: ["main"]
+    paths-ignore:
+      - 'README.md'
+      - 'LICENSE'
+      - 'docs/**'
+      - '.github/**'
   schedule:
     - cron: "0 0 * * 1"
 
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -7,7 +7,12 @@
 #
 # Source repository: https://github.com/actions/dependency-review-action
 name: 'Dependency Review'
-on: [pull_request]
+on:
+  pull_request:
+    paths-ignore:
+      - 'README.md'
+      - 'LICENSE'
+      - 'docs/**'
 
 permissions:
   contents: read
diff --git a/.github/workflows/pop.yml b/.github/workflows/pop.yml
@@ -13,13 +13,14 @@ on:
       - .github/workflows/**
       - action.yml
 
-permissions:
-  security-events: write
-  contents: read
+permissions: {}
 
 jobs:
   pop:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
     steps:
     - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
       with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,15 +11,16 @@ env:
   GO_VERSION: 1.22
   GO_RELEASER_VERSION: v1.25.1
   
-permissions:
-  contents: write
-  packages: write
-  id-token: write
+permissions: {}
 
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
     environment: homebrew-tap
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     steps:
     - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
       with:
