Fix security issues on actions (#20416)

mockersf · web-flow · commit f71f6e1a0264 · 2025-08-05T18:59:48.000Z
# Objective - CodeQL is reporting some issues on actions <img width="930" height="379" alt="Screenshot 2025-08-04 at 19 25 24" src="https://github.com/user-attachments/assets/7de5efe1-4962-4d15-9031-13ce3e1ac202" /> ## Solution - Fix them - Follow https://securitylab.github.com/resources/github-actions-untrusted-input/ for the code injection - Set default permissions to every workflow that doesn't specify some ## Testing - Not entirely sure permissions specified are enough, but I guess CI will fail if they aren't
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI
 
+permissions:
+  contents: read
+
 on:
   merge_group:
   pull_request:
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
@@ -1,14 +1,17 @@
 name: Dependencies
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     paths:
-      - '**/Cargo.toml'
-      - 'deny.toml'
+      - "**/Cargo.toml"
+      - "deny.toml"
   push:
     paths:
-      - '**/Cargo.toml'
-      - 'deny.toml'
+      - "**/Cargo.toml"
+      - "deny.toml"
     branches:
       - main
 
diff --git a/.github/workflows/example-run-report.yml b/.github/workflows/example-run-report.yml
@@ -59,8 +59,10 @@ jobs:
           path: screenshots
       - name: branch name
         id: branch-name
+        env:
+          BRANCH_NAME: ${{ github.event.workflow_run.head_branch }}
         run: |
-          echo "result=PR-$(cat PR)-${{ github.event.workflow_run.head_branch }}" >> $GITHUB_OUTPUT
+          echo "result=PR-$(cat PR)-$BRANCH_NAME" >> $GITHUB_OUTPUT
       - name: PR number
         id: pr-number
         run: |
diff --git a/.github/workflows/example-run.yml b/.github/workflows/example-run.yml
@@ -1,5 +1,8 @@
 name: Example Run
 
+permissions:
+  contents: read
+
 on:
   merge_group:
   pull_request:
diff --git a/.github/workflows/send-screenshots-to-pixeleagle.yml b/.github/workflows/send-screenshots-to-pixeleagle.yml
@@ -1,5 +1,8 @@
 name: Send Screenshots to Pixel Eagle
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
@@ -45,9 +48,10 @@ jobs:
         if: ${{ fromJSON(env.PIXELEAGLE_TOKEN_EXISTS) }}
         env:
           project: B04F67C0-C054-4A6F-92EC-F599FEC2FD1D
+          branch: ${{ inputs.branch }}
         run: |
           # Create a new run with its associated metadata
-          metadata='{"os":"${{ inputs.os }}", "commit": "${{ inputs.commit }}", "branch": "${{ inputs.branch }}"}'
+          metadata='{"os":"${{ inputs.os }}", "commit": "${{ inputs.commit }}", "branch": "$branch"}'
           run=`curl https://pixel-eagle.com/$project/runs --json "$metadata" --oauth2-bearer ${{ secrets.PIXELEAGLE_TOKEN }} | jq '.id'`
 
           SAVEIFS=$IFS
diff --git a/.github/workflows/update-caches.yml b/.github/workflows/update-caches.yml
@@ -1,5 +1,8 @@
 name: Update Actions Caches
 
+permissions:
+  contents: read
+
 on:
   # Manually
   workflow_dispatch:
diff --git a/.github/workflows/validation-jobs.yml b/.github/workflows/validation-jobs.yml
@@ -1,5 +1,8 @@
 name: validation jobs
 
+permissions:
+  contents: read
+
 on:
   merge_group:
   pull_request:
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
@@ -1,10 +1,13 @@
 name: Weekly beta compile test
 
+permissions:
+  contents: read
+
 on:
   schedule:
     # New versions of rust release on Thursdays. We test on Mondays to get at least 3 days of warning before all our CI breaks again.
     # https://forge.rust-lang.org/release/process.html#release-day-thursday
-    - cron:  '0 12 * * 1'
+    - cron: "0 12 * * 1"
   workflow_dispatch:
 
 env:
@@ -85,7 +88,7 @@ jobs:
 
   close-any-open-issues:
     runs-on: ubuntu-latest
-    needs: ['test', 'lint', 'check-compiles']
+    needs: ["test", "lint", "check-compiles"]
     permissions:
       issues: write
     steps:
@@ -106,14 +109,13 @@ jobs:
           COMMENT: |
             [Last pipeline run](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) successfully completed. Closing issue.
 
-
   open-issue:
     name: Warn that weekly CI fails
     runs-on: ubuntu-latest
     needs: [test, lint, check-compiles]
     permissions:
       issues: write
-    # We disable this job on forks, because 
+    # We disable this job on forks, because
     # Use always() so the job doesn't get canceled if any other jobs fail
     if: ${{ github.repository == 'bevyengine/bevy' && always() && contains(needs.*.result, 'failure') }}
     steps:
