
ci: Add GitHub token permissions for workflows #105003

Merged (1 commit, Jul 4, 2022)

Conversation

varunsh-coder (Contributor)

This PR adds minimum token permissions for the GITHUB_TOKEN using https://github.com/step-security/secure-workflows.

GitHub recommends defining minimum GITHUB_TOKEN permissions for securing GitHub Actions workflows

This project is part of the top 100 critical projects as per OpenSSF (https://github.com/ossf/wg-securing-critical-projects), so this PR fixes the token permissions to improve security.

Signed-off-by: Varun Sharma [email protected]

  • Have you followed the guidelines for contributing?
  • Have you ensured that your commits follow the commit style guide?
  • Have you checked that there aren't other open pull requests for the same formula update/change?
  • Have you built your formula locally with brew install --build-from-source <formula>, where <formula> is the name of the formula you're submitting?
  • Is your test running fine brew test <formula>, where <formula> is the name of the formula you're submitting?
  • Does your build pass brew audit --strict <formula> (after doing brew install --build-from-source <formula>)? If this is a new formula, does it pass brew audit --new <formula>?

@varunsh-coder varunsh-coder requested review from MikeMcQuaid, dawidd6 and a team as code owners July 3, 2022 14:45
@BrewTestBot BrewTestBot added the labels automerge-skip (`brew pr-automerge` will skip this pull request) and workflows (PR modifies GitHub Actions workflow files) on Jul 3, 2022
varunsh-coder (Contributor, Author)

I could not set the right permissions for dispatch-rebottle.yml because of this line, so I did not fix it:

    HOMEBREW_GITHUB_API_TOKEN: ${{secrets.GITHUB_TOKEN}}

Not sure how the GITHUB_TOKEN is being used there...

Bo98 (Member) commented Jul 4, 2022

Not sure how the GITHUB_TOKEN is being used there...

brew audit and brew livecheck may do some checks on other Git repos (e.g. latest release check), so metadata-only permissions should be sufficient there. This isn't dispatch-rebottle specific. The same applies to dispatch-build-bottle and tests.

SMillerDev (Member)

Do any of these actually use the GITHUB_TOKEN? AFAIK it times out too quickly.

Bo98 (Member) commented Jul 4, 2022

Do any of these actually use the GITHUB_TOKEN? AFAIK it times out too quickly.

Sounds like a good reason to limit the permissions of it to no-permissions rather than the default of write-all (read-all for PRs).

Though to answer your question: it is used in the scenarios I mentioned above, because it has a significantly higher rate limit than no token.

SMillerDev (Member)

The organization default is now the same as set in this PR.

varunsh-coder (Contributor, Author)

The organization default is now the same as set in this PR.

I believe this means that if any of the workflows in the organization are using the GITHUB_TOKEN with higher than contents: read, and the permissions have not been specified explicitly in the workflow/job, the workflow will not work as expected.

If that happens, you can add explicit workflow/job-level permissions for that workflow. You can use https://github.com/step-security/secure-workflows to add explicit permissions.
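Worked example, added here by the editor and not part of this PR or of Homebrew's own workflows: the resolution rules GitHub documents for the `permissions` key, coded up so the two situations discussed in this thread can be checked offline. The PR description's "minimum permissions" change and the organization-default change that varunsh-coder warns about above both come down to the same question: which scopes does the token end up with in a given job? The sample workflows `BEFORE` and `AFTER` are constructed for this illustration (the YAML shown in comments is their equivalent), the function names are this example's own, and "permissive"/"restricted" are labels chosen here for the two repository-default settings. The example also shows the gotcha that bites when a job-level block is added to fix one scope: it replaces the workflow-level block rather than merging with it.

```python
"""Resolve the GITHUB_TOKEN permissions a workflow job actually receives.

Rules implemented (from GitHub's documentation of the `permissions` key;
this is illustrative code, not Homebrew's):
  * A job-level `permissions` block REPLACES the workflow-level block.
  * When a block is present, every scope it does not name is `none`;
    `metadata` is always `read`, so even `permissions: {}` can still read
    repository metadata (the release checks `brew audit`/`brew livecheck` do).
  * With no block at either level the repository/organization default
    applies: "permissive" (read/write everywhere) or "restricted"
    (contents: read, packages: read).
  * For a pull_request run from a fork every scope is capped at `read`.
"""

SCOPES = (
    "actions", "attestations", "checks", "contents", "deployments",
    "discussions", "id-token", "issues", "packages", "pages",
    "pull-requests", "repository-projects", "security-events", "statuses",
)
LEVELS = ("none", "read", "write")


def expand(spec):
    """Turn a `permissions` value (shorthand string or scope mapping) into a
    complete scope -> level map."""
    if spec == "write-all":
        levels = {s: "write" for s in SCOPES}
    elif spec == "read-all":
        levels = {s: "read" for s in SCOPES}
    elif isinstance(spec, dict):
        levels = {s: "none" for s in SCOPES}   # unnamed scopes get nothing
        for scope, level in spec.items():
            if scope not in SCOPES or level not in LEVELS:
                raise ValueError(f"invalid permission {scope!r}: {level!r}")
            levels[scope] = level
    else:
        raise ValueError(f"unsupported permissions value {spec!r}")
    levels["metadata"] = "read"                # always granted
    return levels


def default_permissions(repo_default):
    """Token permissions when neither workflow nor job sets `permissions`."""
    if repo_default == "permissive":
        return expand("write-all")
    if repo_default == "restricted":
        return expand({"contents": "read", "packages": "read"})
    raise ValueError(f"unknown repository default {repo_default!r}")


def effective_permissions(workflow, job_name, repo_default="restricted",
                          from_fork=False):
    """Permissions the GITHUB_TOKEN has inside `job_name` of `workflow`
    (`workflow` is the parsed YAML as a dict)."""
    job = workflow["jobs"][job_name]
    if "permissions" in job:
        levels = expand(job["permissions"])
    elif "permissions" in workflow:
        levels = expand(workflow["permissions"])
    else:
        levels = default_permissions(repo_default)
    if from_fork:
        levels = {s: ("read" if lv == "write" else lv) for s, lv in levels.items()}
    return levels


def jobs_relying_on_default(workflow):
    """Jobs whose permissions are pinned nowhere explicit, i.e. the ones that
    change behaviour whenever the organization default changes."""
    if "permissions" in workflow:
        return []
    return sorted(n for n, j in workflow["jobs"].items() if "permissions" not in j)


# Constructed sample workflows (not real Homebrew files), already parsed.
#   BEFORE: no `permissions` key anywhere        AFTER: pinned explicitly
#   name: tests                                  name: tests
#   on: [pull_request]                           on: [pull_request]
#   jobs:                                        permissions:
#     audit:                                       contents: read
#       runs-on: ubuntu-latest                   jobs:
#       steps: [...]                               audit: {runs-on: ..., steps: [...]}
#                                                  comment:
#                                                    permissions: {pull-requests: write}
#                                                  livecheck:
#                                                    permissions: {}
BEFORE = {"name": "tests", "on": ["pull_request"],
          "jobs": {"audit": {"runs-on": "ubuntu-latest", "steps": []}}}
AFTER = {"name": "tests", "on": ["pull_request"],
         "permissions": {"contents": "read"},
         "jobs": {"audit": {"runs-on": "ubuntu-latest", "steps": []},
                  "comment": {"permissions": {"pull-requests": "write"},
                              "runs-on": "ubuntu-latest", "steps": []},
                  "livecheck": {"permissions": {},
                                "runs-on": "ubuntu-latest", "steps": []}}}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: jobs relying on org default -> {jobs_relying_on_default(wf)}")
        for job in wf["jobs"]:
            p = effective_permissions(wf, job)
            print(f"  {job}: contents={p['contents']} pull-requests={p['pull-requests']}")
```

Run it and note the `comment` job: its job-level block gives it `pull-requests: write` but drops the workflow's `contents: read`, so a step that checks out a private repository would fail until `contents: read` is listed in that job's block as well. `jobs_relying_on_default(BEFORE)` is the list a maintainer wants before flipping an organization default, since those are exactly the jobs whose token silently changes.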

@Bo98 Bo98 merged commit d28102a into Homebrew:master Jul 4, 2022
@github-actions github-actions bot added the outdated label (PR was locked due to age) Aug 4, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 4, 2022