Set read-only workflow permissions

[pnacht]

Description

procfs' golangci-lint.yml workflow currently runs with write-all permissions. This is dangerous, since it opens the project up to supply-chain attacks. GitHub itself recommends ensuring workflows run with minimal permissions.

I've taken a look at the workflow and it doesn't seem to need anything other than read permissions to the repository.

This issue can be solved in two ways:

• add top-level read-only permissions to the workflow; and/or
• set the default token permissions to read-only in the repo settings.

I'll be sending a PR along with this issue that sets the top-level permissions. If you instead (or also) wish to modify the default token permissions:

1. Open the repo settings
2. Go to Actions > General
3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

---

Disclosure: My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.

[SuperQ]

We use this CI yaml in a number of Prometheus projects. We would need to copy this into a number of repos.

[pnacht]

Understood. In that case, you can also change the default token settings. This can either be done per-repo (following the instructions above) or for the entire org.

To change the org's default, the flow is identical to the one above, but starting from the org settings (requires org admin rights). However, I'd suggest going through each repository's workflows to ensure none require any of the write permissions they currently implicitly enjoy.

[SuperQ]

Moving this to our main repo to discuss.

[roidelapluie]

SGTM