<p dir="auto">This PR adds explicit <a href="https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions">permissions section</a> to workflows. This is a security best practice because by default workflows run with <a href="https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token">extended set of permissions</a> (except from <code class="notranslate">on: pull_request</code> <a href="https://securitylab.github.com/research/github-actions-preventing-pwn-requests/">from external forks</a>). By specifying any permission explicitly all others are set to none. By using the principle of least privilege the damage a compromised workflow can do (because of an <a href="https://securitylab.github.com/research/github-actions-untrusted-input/">injection</a> or compromised third party tool or action) is restricted.<br>
It is recommended to have <a href="https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions">most strict permissions on the top level</a> and grant write permissions on <a href="https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs">job level</a> case by case.</p>

<hr>

<h4>You can view, comment on, or merge this pull request online at:</h4>
<p>  <a href='https://github.com/kamailio/kamailio/pull/3248'>https://github.com/kamailio/kamailio/pull/3248</a></p>

<h4>Commit Summary</h4>
<ul>
  <li><a href="https://github.com/kamailio/kamailio/pull/3248/commits/112d412fcd6ca4cecba3fb5ecb864e767e24abdd" class="commit-link">112d412</a>  build: harden main.yml permissions</li>
  <li><a href="https://github.com/kamailio/kamailio/pull/3248/commits/eb2c9e868e2f5a53367b24130e7bc5389731decd" class="commit-link">eb2c9e8</a>  build: harden pull_request.yml permissions</li>
</ul>

<h4 style="display: inline-block">File Changes </h4> <p style="display: inline-block">(<a href="https://github.com/kamailio/kamailio/pull/3248/files">2 files</a>)</p>
<ul>
  <li>
    <strong>M</strong>
    <a href="https://github.com/kamailio/kamailio/pull/3248/files#diff-7829468e86c1cc5d5133195b5cb48e1ff6c75e3e9203777f6b2e379d9e4882b3">.github/workflows/main.yml</a>
    (2)
  </li>
  <li>
    <strong>M</strong>
    <a href="https://github.com/kamailio/kamailio/pull/3248/files#diff-a0fe23534b616d51ce686d2a1bcd1a78bc75074aef1a2f6ee96c9469991e1a4c">.github/workflows/pull_request.yml</a>
    (2)
  </li>
</ul>

<h4>Patch Links:</h4>
<ul>
  <li><a href='https://github.com/kamailio/kamailio/pull/3248.patch'>https://github.com/kamailio/kamailio/pull/3248.patch</a></li>
  <li><a href='https://github.com/kamailio/kamailio/pull/3248.diff'>https://github.com/kamailio/kamailio/pull/3248.diff</a></li>
</ul>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />Reply to this email directly, <a href="https://github.com/kamailio/kamailio/pull/3248">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/ABO7UZIU4CIN2RDKGGIZGQ3V7HH6PANCNFSM6AAAAAAQRFWY7A">unsubscribe</a>.<br />You are receiving this because you are subscribed to this thread.<img src="https://github.com/notifications/beacon/ABO7UZNYUREJHPHV62J5P7DV7HH6PA5CNFSM6AAAAAAQRFWY7CWGG33NNVSW45C7OR4XAZNFJFZXG5LFVJRW63LNMVXHIX3JMTHFEOWVGI.gif" height="1" width="1" alt="" /><span style="color: transparent; font-size: 0; display: none; visibility: hidden; overflow: hidden; opacity: 0; width: 0; height: 0; max-width: 0; max-height: 0; mso-hide: all">Message ID: <span><kamailio/kamailio/pull/3248</span><span>@</span><span>github</span><span>.</span><span>com></span></span></p>
<script type="application/ld+json">[
{
"@context": "http://schema.org",
"@type": "EmailMessage",
"potentialAction": {
"@type": "ViewAction",
"target": "https://github.com/kamailio/kamailio/pull/3248",
"url": "https://github.com/kamailio/kamailio/pull/3248",
"name": "View Pull Request"
},
"description": "View this Pull Request on GitHub",
"publisher": {
"@type": "Organization",
"name": "GitHub",
"url": "https://github.com"
}
}
]</script>