From 9b703bfb36e5ae321c47c6136e825bab43395ef0 Mon Sep 17 00:00:00 2001
From: Jacob Alzen
Date: Sun, 31 Oct 2021 15:17:18 +0100
Subject: [PATCH] Harden the ci infrastructure for better security

Following some of the advice given in https://github.com/briansmith/untrusted/issues/50.
---
 .github/workflows/mobile_tests.yml    | 4 ++++
 .github/workflows/platform_tests.yml  | 4 ++++
 .github/workflows/static_analysis.yml | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/mobile_tests.yml b/.github/workflows/mobile_tests.yml
index 017547d8c0..356d826308 100644
--- a/.github/workflows/mobile_tests.yml
+++ b/.github/workflows/mobile_tests.yml
@@ -1,5 +1,7 @@
 name: Mobile Tests
 on: [push, pull_request]
+permissions:
+  contents: read
 
 jobs:
   mobile_tests:
@@ -11,6 +13,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - uses: WillAbides/setup-go-faster@v1.6.0
       with:
         go-version: ${{ matrix.go-version }}
diff --git a/.github/workflows/platform_tests.yml b/.github/workflows/platform_tests.yml
index a25fb1cf75..09a004e53e 100644
--- a/.github/workflows/platform_tests.yml
+++ b/.github/workflows/platform_tests.yml
@@ -1,5 +1,7 @@
 name: Platform Tests
 on: [push, pull_request]
+permissions:
+  contents: read
 
 jobs:
   platform_tests:
@@ -12,6 +14,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - uses: WillAbides/setup-go-faster@v1.5.0
       id: setup-go-faster
       with:
diff --git a/.github/workflows/static_analysis.yml b/.github/workflows/static_analysis.yml
index 01df547b85..703bd8ae70 100644
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -1,11 +1,15 @@
 name: Static Analysis
 on: [push, pull_request]
+permissions:
+  contents: read
 
 jobs:
   checks:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - uses: WillAbides/setup-go-faster@v1.6.0
       with:
         go-version: '1.17.x'
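Review bot: The new `permissions` block and `persist-credentials: false` limit what a compromised step can do with the job token, but every `uses:` in these hunks still references a mutable tag (`actions/checkout@v2`, `WillAbides/setup-go-faster@v1.6.0`), so a retagged or moved release would still run unreviewed code in the job; the same applies to the platform_tests.yml and static_analysis.yml hunks. Pinning each action to a full-length commit SHA and keeping the version in a trailing comment, e.g. `- uses: WillAbides/setup-go-faster@<commit-sha>  # v1.6.0` (placeholder, take the SHA from the action's release), closes that gap and makes the pin auditable. `persist-credentials: false` also means any later step in the same job that pushes with the checkout token would now fail; the rest of each job is outside the hunk, so that is worth confirming. A side note visible in the context lines: platform_tests.yml pins setup-go-faster at v1.5.0 while the other two workflows use v1.6.0, which looks unintentional and is easier to keep aligned once the pins carry a version comment.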