Limit privilege escalation and token theft in workflows

DimitriPapadopoulos · DimitriPapadopoulos · commit 6848f16ca9c6 · 2026-03-04T09:29:28.000+01:00
https://lists.openssf-vuln.org/g/siren/message/6 - Added explicit permissions blocks to restrict access (mostly contents: read, id-token: write). - Limited event triggers to only trusted branches - Added workflow_dispatch where missing.
diff --git a/.github/workflows/check_changelogs.yml b/.github/workflows/check_changelogs.yml
@@ -2,11 +2,14 @@ name: Check changelog entries
 
 on:
   pull_request:
+  workflow_dispatch:
 
 jobs:
   check-changelogs:
     name: Check changelog entries
     runs-on: ubuntu-latest
+permissions:
+  contents: read
 
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/codspeed.yml b/.github/workflows/codspeed.yml
@@ -12,6 +12,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   benchmarks:
diff --git a/.github/workflows/gpu_test.yml b/.github/workflows/gpu_test.yml
@@ -13,6 +13,9 @@ on:
 env:
   LD_LIBRARY_PATH: /usr/local/cuda/extras/CUPTI/lib64:/usr/local/cuda/lib64
 
+permissions:
+  contents: read
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/hypothesis.yaml b/.github/workflows/hypothesis.yaml
@@ -9,6 +9,9 @@ on:
     - cron: "0 0 * * *" # Daily “At 00:00” UTC
   workflow_dispatch: # allows you to trigger manually
 
+permissions:
+  contents: read
+  id-token: write
 env:
   FORCE_COLOR: 3
 
diff --git a/.github/workflows/issue-metrics.yml b/.github/workflows/issue-metrics.yml
@@ -6,6 +6,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   build:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -7,6 +7,8 @@ on:
     branches: [main, 3.1.x]
   workflow_dispatch:
 
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/nightly_wheels.yml b/.github/workflows/nightly_wheels.yml
@@ -10,6 +10,9 @@ jobs:
   build_and_upload_nightly:
     name: Build and upload nightly wheels
     runs-on: ubuntu-latest
+permissions:
+  contents: read
+  id-token: write
 
     steps:
       - uses: actions/checkout@v6
diff --git a/.github/workflows/releases.yml b/.github/workflows/releases.yml
@@ -1,7 +1,15 @@
 name: Wheels
 
-on: [push, pull_request]
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
 
+permissions:
+  contents: read
+  id-token: write
 jobs:
 
   build_artifacts:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,6 +10,9 @@ on:
     branches: [ main, 3.1.x ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+  id-token: write
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
