Restrict workflow permissions
authorAsamK <asamk@gmx.de>
Sat, 3 Dec 2022 14:17:30 +0000 (15:17 +0100)
committerAsamK <asamk@gmx.de>
Sun, 4 Dec 2022 22:16:53 +0000 (23:16 +0100)
.github/workflows/ci.yml
.github/workflows/codeql-analysis.yml
.github/workflows/release.yml

index 3f3e7d8bb995e27a7a4400e0cfd4063459f0a4de..c02b0623ff2da874f8ac61dcc84bceba84bc929d 100644 (file)
@@ -7,6 +7,9 @@ on:
   pull_request:
   workflow_call:
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   build:
 
index 25bcc2653a1d55afca8d71776ec9f8b6ec08dcb2..60c4ef990e0c68e6c2477cf6c5eb15aee2b10676 100644 (file)
@@ -9,6 +9,10 @@ on:
   schedule:
     - cron: '0 7 * * 4'
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+  security-events: write
+
 jobs:
   analyse:
     name: Analyse
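Review bot: The new `security-events: write` line carries no comment saying which step needs it, while the `contents: read` line directly above does; `security-events: write # to upload SARIF results (codeql-action analyze step)` would keep the two lines consistent. The analyse job's steps lie outside the hunk, so the assumption that the upload is done by the CodeQL analyze step should be checked against them. If this workflow were ever run in a private repository the CodeQL action would additionally need `actions: read`; for a public repository the two scopes shown are sufficient.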
index 117f26adee2b7fb57ebeb343c5c6287f10ca3605..84f629b290bf6eefc58f1a868171d58545f87625 100644 (file)
@@ -5,6 +5,9 @@ on:
     tags:
       - v*
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 env:
   IMAGE_NAME: signal-cli
   IMAGE_REGISTRY: ghcr.io/asamk
@@ -20,6 +23,8 @@ jobs:
   lib_to_jar:
     needs: ci_wf
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
 
     outputs:
       signal_cli_version: ${{ steps.cli_ver.outputs.version }}
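Review bot: The job-level `permissions` block added under `lib_to_jar` replaces the workflow-level map rather than merging with it, so `contents: write` is now this job's entire token scope; a why-comment would help whoever next narrows it, e.g. `contents: write # create the GitHub release and upload its assets`. That the job creates a release is inferred from its `release_id` output (consumed by the `run_repackaged` job removed later in this commit) and from the asset upload steps, all of which are outside this hunk; the job's step list is not visible here.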
@@ -141,66 +146,12 @@ jobs:
           asset_name: signal-cli-${{ steps.cli_ver.outputs.version }}-macOS.tar.gz
           asset_content_type: application/x-compressed-tar  # .tar.gz
 
-
-  run_repackaged:
-
-    needs:
-      - lib_to_jar
-
-    strategy:
-      matrix:
-        runner:
-          - windows-latest
-          - macos-latest
-
-    runs-on: ${{ matrix.runner }}
-
-    defaults:
-      run:
-        shell: bash   # Explicit for windows
-
-    env:
-      JAVA_VERSION: 19
-
-    steps:
-
-      - name: Download the release file
-        env:
-          SIGNAL_CLI_VER: ${{ needs.lib_to_jar.outputs.signal_cli_version }}
-          RELEASE_ID: ${{ needs.lib_to_jar.outputs.release_id }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          file_name=signal-cli-${SIGNAL_CLI_VER}-${RUNNER_OS}.tar.gz
-          echo "$file_name"
-          assets_json=$(curl -s \
-            -H "Authorization: Bearer $GITHUB_TOKEN" \
-            "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases/${RELEASE_ID}/assets")
-          asset_dl_url=$(echo "$assets_json" | jq -r ".[] | select (.name == \"$file_name\") | .url")
-          echo "$asset_dl_url"
-          curl -sLOJ \
-            -H 'Accept: application/octet-stream' \
-            -H "Authorization: Bearer $GITHUB_TOKEN" \
-            "$asset_dl_url"
-          tar -xzf "$file_name"
-
-      - name: Set up JDK for running signal-cli executable
-        uses: actions/setup-java@v3
-        with:
-          distribution: 'adopt'
-          java-version: ${{ env.JAVA_VERSION }}
-          java-package: 'jre'
-
-      - name: Run signal-cli
-        run: |
-          cd signal-cli-*/bin
-          if [[ "$RUNNER_OS" == 'Windows' ]]; then
-            EXECUTABLE_SUFFIX=".bat"
-          fi
-          ./signal-cli${EXECUTABLE_SUFFIX} listAccounts
-
   build-container:
     needs: ci_wf
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
     steps:
       - uses: actions/checkout@v3
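Review bot: Deleting the whole `run_repackaged` job goes beyond what the commit title "Restrict workflow permissions" describes, and nothing on the page explains why the Windows/macOS smoke test of the released archive was dropped; a sentence in the commit message would make the change reviewable on its own. That job was the only visible consumer of `needs.lib_to_jar.outputs.release_id`, so if `lib_to_jar` still declares a `release_id` output (its `outputs` block continues outside the earlier hunk) that output is presumably dead now. The `packages: write` granted to `build-container` appears to back the push to the registry set by `IMAGE_REGISTRY` (`ghcr.io/asamk`); `packages: write # push the image to IMAGE_REGISTRY` would document it, and the same comment fits the identical block added to `build-container-native` in the next hunk.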
@@ -248,6 +199,9 @@ jobs:
   build-container-native:
     needs: ci_wf
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
 
     steps:
       - uses: actions/checkout@v3