From 1082ccd3cc82317da5d546dc0063d1478382180d Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 26 Sep 2022 18:54:27 +0200
Subject: [PATCH] GitHub Workflows security hardening (#8267)

Signed-off-by: Alex
---
 .github/workflows/jvm_tests.yml | 3 +++
 .github/workflows/main.yml | 3 +++
 .github/workflows/python_tests.yml | 3 +++
 .github/workflows/python_wheels.yml | 3 +++
 .github/workflows/r_nold.yml | 3 +++
 .github/workflows/r_tests.yml | 3 +++
 6 files changed, 18 insertions(+)

diff --git a/.github/workflows/jvm_tests.yml b/.github/workflows/jvm_tests.yml
index bfa5bc297..9cc85ceab 100644
--- a/.github/workflows/jvm_tests.yml
+++ b/.github/workflows/jvm_tests.yml
@@ -2,6 +2,9 @@ name: XGBoost-JVM-Tests
 on: [push, pull_request]
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 test-with-jvm:
 name: Test JVM on OS ${{ matrix.os }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d2ecb1df4..d7f1bdcf9 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -6,6 +6,9 @@ name: XGBoost-CI
 # events but only for the master branch
 on: [push, pull_request]
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
 gtest-cpu:
diff --git a/.github/workflows/python_tests.yml b/.github/workflows/python_tests.yml
index afa70a826..4fd711669 100644
--- a/.github/workflows/python_tests.yml
+++ b/.github/workflows/python_tests.yml
@@ -2,6 +2,9 @@ name: XGBoost-Python-Tests
 on: [push, pull_request]
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 python-mypy-lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/python_wheels.yml b/.github/workflows/python_wheels.yml
index c225a9141..3f5883daa 100644
--- a/.github/workflows/python_wheels.yml
+++ b/.github/workflows/python_wheels.yml
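Review bot: The workflow-level `permissions:` block added here makes `contents: read` the only scope on GITHUB_TOKEN for every job in the file, so any job or third-party action that writes (check runs, releases, PR comments, pushes) will start failing with a 403 unless it declares its own job-level `permissions:`; the jobs themselves are outside the hunk, so please confirm none of them needs more than read. The same three lines are added in main.yml, python_tests.yml, python_wheels.yml, r_nold.yml and r_tests.yml, and the same check applies to each of them. This only narrows the token: fork-originated `pull_request` runs already receive a read-only token, so the hardening mainly bites on `push` runs of the repository's own branches. Minor style, assuming the single space before `#` is not a paste artifact: yamllint's `comments` rule wants two spaces before an inline comment, `contents: read  # to fetch code (actions/checkout)`.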
@@ -2,6 +2,9 @@ name: XGBoost-Python-Wheels
 on: [push, pull_request]
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 python-wheels:
 name: Build wheel for ${{ matrix.platform_id }}
diff --git a/.github/workflows/r_nold.yml b/.github/workflows/r_nold.yml
index 554b93571..e5026cbf6 100644
--- a/.github/workflows/r_nold.yml
+++ b/.github/workflows/r_nold.yml
@@ -10,6 +10,9 @@ on:
 env:
 R_PACKAGES: c('XML', 'igraph', 'data.table', 'ggplot2', 'DiagrammeR', 'Ckmeans.1d.dp', 'vcd', 'testthat', 'lintr', 'knitr', 'rmarkdown', 'e1071', 'cplm', 'devtools', 'float', 'titanic')
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 test-R-noLD:
 if: github.event.comment.body == '/gha run r-nold-test' && contains('OWNER,MEMBER,COLLABORATOR', github.event.comment.author_association)
diff --git a/.github/workflows/r_tests.yml b/.github/workflows/r_tests.yml
index d49d5b936..39fb67d39 100644
--- a/.github/workflows/r_tests.yml
+++ b/.github/workflows/r_tests.yml
@@ -6,6 +6,9 @@ env:
 R_PACKAGES: c('XML', 'data.table', 'ggplot2', 'DiagrammeR', 'Ckmeans.1d.dp', 'vcd', 'testthat', 'lintr', 'knitr', 'rmarkdown', 'e1071', 'cplm', 'devtools', 'float', 'titanic')
 GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 lintr:
 runs-on: ${{ matrix.config.os }}
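Review bot: The job guard visible in the r_nold.yml context, `if: github.event.comment.body == '/gha run r-nold-test' && contains(...)`, indicates this workflow is driven by an `issue_comment` event, which runs against the default branch with the repository's own token, so the read-only default added here is the most valuable of the six; the `on:` mapping is outside the hunk, so I cannot confirm the trigger from what is shown. It would help future readers to record why read-only is sufficient next to the new block, e.g. `# comment-triggered runs use the default-branch token; read-only is enough for checkout + tests`. If this job ever needs to report back on the triggering PR (a status or a comment), grant that scope at job level rather than widening this workflow-level block.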
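Review bot: In r_tests.yml the context line `GITHUB_PAT: ${{ secrets.GITHUB_TOKEN }}` directly above the inserted block exports the same token to every step as an environment variable, so the new `contents: read` is now also the bound on what that variable can do; this is worth stating next to the new block, because a reader may otherwise assume GITHUB_PAT is a separate, broader credential, e.g. `# GITHUB_PAT above is this same token, so it is read-only as well`. If the R tooling uses it only to raise GitHub API rate limits, read-only is enough; if any job in this file installs from or pushes to a location that needs more, that job needs its own job-level `permissions:`, and the jobs are outside the hunk.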