
Add token permissions for CIs to fix issues reported by scorecard (#3867)

TianlongLiang hace 1 año
padre
commit
b34b2c8e26

+ 5 - 0
.github/workflows/build_docker_images.yml

@@ -15,9 +15,14 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build-and-push-images:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write # for uploading release artifacts
 
     steps:
       - name: Checkout repository
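Review bot: The job-level grant `contents: write # for uploading release artifacts` may not be the permission this job actually needs: the job is named build-and-push-images, and pushing an image to the GitHub container registry with GITHUB_TOKEN requires `packages: write`, which is not granted here. The steps that do the push are outside the hunk, so this is inferred from the job name; if the images are instead attached to a release as assets, `contents: write` is sufficient. Either way, consider making the comment name the exact operation so the grant can be audited, e.g. `contents: write # upload image tarballs as release assets`.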

+ 6 - 0
.github/workflows/build_iwasm_release.yml

@@ -87,6 +87,9 @@ env:
      -DWAMR_BUILD_EXCE_HANDLING=1 \
      -DWAMR_BUILD_GC=1"
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ inputs.runner }}
@@ -97,6 +100,9 @@ jobs:
             suffix: ''
           - build_options: $GC_EH_BUILD_OPTIONS
             suffix: '-gc-eh'
+    permissions:
+      contents: write # for uploading release artifacts
+
     steps:
       - uses: actions/checkout@v4
 

+ 6 - 0
.github/workflows/build_llvm_libraries.yml

@@ -27,6 +27,9 @@ on:
         description: "A cached key of LLVM libraries"
         value: ${{ jobs.build_llvm_libraries.outputs.key}}
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries:
     runs-on: ${{ inputs.os }}
@@ -36,6 +39,9 @@ jobs:
       image: ${{ inputs.container_image }}
     outputs:
       key: ${{ steps.create_lib_cache_key.outputs.key}}
+    permissions:
+      contents: read
+      actions: write # for uploading cached artifact
 
     steps:
       - name: checkout
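Review bot: `actions: write # for uploading cached artifact` is probably a broader grant than this job needs. Saving a cache with actions/cache or an artifact with actions/upload-artifact works with a read-only GITHUB_TOKEN; `actions: write` is what the REST API requires for deleting caches and cancelling or re-running workflow runs. The job's steps are outside the hunk, so confirm which step relies on it; if none does, drop the line here and in the caller jobs that mirror it (compilation_on_android_ubuntu.yml, compilation_on_macos.yml, compilation_on_sgx.yml, nightly_run.yml, spec_test_on_nuttx.yml and the build_llvm_libraries_on_* jobs in release_process.yml), since a caller's job grant must stay at least as wide as what the called workflow requests.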

+ 8 - 0
.github/workflows/build_wamr_lldb.yml

@@ -28,8 +28,13 @@ on:
         required: false
         default: "https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-20/wasi-sdk-20.0-linux.tar.gz"
 
+permissions:
+  contents: read
+
 jobs:
   try_reuse:
+    permissions:
+      contents: write # for uploading release artifacts
     uses: ./.github/workflows/reuse_latest_release_binaries.yml
     with:
       binary_name_stem: "wamr-lldb-${{ inputs.ver_num }}-${{ inputs.arch }}-${{ inputs.runner }}"
@@ -46,6 +51,9 @@ jobs:
       PYTHON_VERSION: '3.10'
       PYTHON_UBUNTU_STANDALONE_BUILD: https://github.com/indygreg/python-build-standalone/releases/download/20230507/cpython-3.10.11+20230507-x86_64-unknown-linux-gnu-install_only.tar.gz
       PYTHON_MACOS_STANDALONE_BUILD: https://github.com/indygreg/python-build-standalone/releases/download/20230507/cpython-3.10.11+20230507-x86_64-apple-darwin-install_only.tar.gz
+    permissions:
+      contents: write # for uploading release artifacts
+
     steps:
       - uses: actions/checkout@v4
 

+ 6 - 0
.github/workflows/build_wamr_sdk.yml

@@ -35,9 +35,15 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ inputs.runner }}
+    permissions:
+      contents: write # for uploading release artifacts
+
     steps:
       - uses: actions/checkout@v4
 

+ 6 - 0
.github/workflows/build_wamr_vscode_ext.yml

@@ -14,9 +14,15 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write # for uploading release artifacts
+
     steps:
       - uses: actions/checkout@v4
 

+ 6 - 0
.github/workflows/build_wamrc.yml

@@ -31,9 +31,15 @@ on:
         type: string
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ${{ inputs.runner }}
+    permissions:
+      contents: write # for uploading release artifacts
+
     steps:
       - uses: actions/checkout@v4
 

+ 8 - 4
.github/workflows/codeql.yml

@@ -19,6 +19,9 @@ on:
   # allow to be triggered manually
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     if: github.repository == 'bytecodealliance/wasm-micro-runtime'
@@ -30,10 +33,6 @@ jobs:
     # Consider using larger runners for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-13') || 'ubuntu-22.04' }}
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
 
     strategy:
       fail-fast: false
@@ -41,6 +40,11 @@ jobs:
         language: [ 'cpp' ]
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
 
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+
     steps:
     - name: Checkout repository
       uses: actions/checkout@v3

+ 3 - 0
.github/workflows/coding_guidelines.yml

@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   compliance_job:
     runs-on: ubuntu-20.04

+ 6 - 0
.github/workflows/compilation_on_android_ubuntu.yml

@@ -70,8 +70,14 @@ env:
   MEMORY64_TEST_OPTIONS: "-s spec -W -b -P"
   MULTI_MEMORY_TEST_OPTIONS: "-s spec -E -b -P"
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries_on_ubuntu_2204:
+    permissions:
+      contents: read
+      actions: write
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
       os: "ubuntu-22.04"

+ 9 - 0
.github/workflows/compilation_on_macos.yml

@@ -52,13 +52,22 @@ env:
   LLVM_LAZY_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=1"
   LLVM_EAGER_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0"
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries_on_intel_macos:
+    permissions:
+      contents: read
+      actions: write
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
       os: "macos-13"
       arch: "X86"
   build_llvm_libraries_on_arm_macos:
+    permissions:
+      contents: read
+      actions: write
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
       os: "macos-14"

+ 3 - 0
.github/workflows/compilation_on_nuttx.yml

@@ -46,6 +46,9 @@ concurrency:
 env:
   WASI_SDK_PATH: "/opt/wasi-sdk"
 
+permissions:
+  contents: read
+
 jobs:
   build_iwasm_on_nuttx:
     runs-on: ubuntu-latest

+ 6 - 0
.github/workflows/compilation_on_sgx.yml

@@ -54,8 +54,14 @@ env:
   LLVM_LAZY_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=1"
   LLVM_EAGER_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0"
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries:
+    permissions:
+      contents: read
+      actions: write
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
       os: "ubuntu-20.04"

+ 3 - 0
.github/workflows/compilation_on_windows.yml

@@ -53,6 +53,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: windows-latest

+ 5 - 0
.github/workflows/create_tag.yml

@@ -15,6 +15,9 @@ on:
         description: "the new tag just created"
         value: ${{ jobs.create_tag.outputs.new_tag}}
 
+permissions:
+  contents: read
+
 jobs:
   create_tag:
     runs-on: ubuntu-latest
@@ -22,6 +25,8 @@ jobs:
       minor_version: ${{ steps.preparation.outputs.minor_version }}
       new_ver: ${{ steps.preparation.outputs.new_ver }}
       new_tag: ${{ steps.preparation.outputs.new_tag }}
+    permissions:
+      contents: write # create and push tags
 
     steps:
       - uses: actions/checkout@v4

+ 3 - 0
.github/workflows/hadolint_dockerfiles.yml

@@ -28,6 +28,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   run-hadolint-on-dockerfiles:
     runs-on: ubuntu-22.04

+ 9 - 0
.github/workflows/nightly_run.yml

@@ -44,13 +44,22 @@ env:
   X86_32_TARGET_TEST_OPTIONS: "-m x86_32 -P"
   WASI_TEST_OPTIONS: "-s wasi_certification -w"
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries_on_ubuntu_2004:
+    permissions:
+      contents: read
+      actions: write
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
       os: "ubuntu-20.04"
       arch: "X86"
   build_llvm_libraries_on_ubuntu_2204:
+    permissions:
+      contents: read
+      actions: write
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
       os: "ubuntu-22.04"

+ 51 - 0
.github/workflows/release_process.yml

@@ -18,11 +18,18 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   create_tag:
+    permissions:
+      contents: write # create and push tags
     uses: ./.github/workflows/create_tag.yml
 
   create_release:
+    permissions:
+      contents: write # create release
     needs: [create_tag]
     runs-on: ubuntu-latest
     outputs:
@@ -52,6 +59,9 @@ jobs:
   #
   # LLVM_LIBRARIES
   build_llvm_libraries_on_ubuntu_2004:
+    permissions:
+      contents: read
+      actions: write
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
@@ -59,6 +69,9 @@ jobs:
       arch: "AArch64 ARM Mips RISCV X86"
 
   build_llvm_libraries_on_ubuntu_2204:
+    permissions:
+      contents: read
+      actions: write
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
@@ -66,6 +79,9 @@ jobs:
       arch: "AArch64 ARM Mips RISCV X86"
 
   build_llvm_libraries_on_macos:
+    permissions:
+      contents: read
+      actions: write
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
@@ -73,6 +89,9 @@ jobs:
       arch: "AArch64 ARM Mips RISCV X86"
 
   build_llvm_libraries_on_windows:
+    permissions:
+      contents: read
+      actions: write
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
@@ -82,6 +101,8 @@ jobs:
   #
   # WAMRC
   release_wamrc_on_ubuntu_2004:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release, build_llvm_libraries_on_ubuntu_2004]
     uses: ./.github/workflows/build_wamrc.yml
     with:
@@ -92,6 +113,8 @@ jobs:
       ver_num: ${{ needs.create_tag.outputs.new_ver}}
 
   release_wamrc_on_ubuntu_2204:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release, build_llvm_libraries_on_ubuntu_2204 ]
     uses: ./.github/workflows/build_wamrc.yml
     with:
@@ -102,6 +125,8 @@ jobs:
       ver_num: ${{ needs.create_tag.outputs.new_ver }}
 
   release_wamrc_on_ubuntu_macos:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release, build_llvm_libraries_on_macos]
     uses: ./.github/workflows/build_wamrc.yml
     with:
@@ -112,6 +137,8 @@ jobs:
       ver_num: ${{ needs.create_tag.outputs.new_ver }}
   
   release_wamrc_on_windows:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release, build_llvm_libraries_on_windows]
     uses: ./.github/workflows/build_wamrc.yml
     with:
@@ -124,6 +151,8 @@ jobs:
   #
   # IWASM
   release_iwasm_on_ubuntu_2004:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release, build_llvm_libraries_on_ubuntu_2004]
     uses: ./.github/workflows/build_iwasm_release.yml
     with:
@@ -134,6 +163,8 @@ jobs:
       ver_num: ${{ needs.create_tag.outputs.new_ver}}
 
   release_iwasm_on_ubuntu_2204:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release, build_llvm_libraries_on_ubuntu_2204]
     uses: ./.github/workflows/build_iwasm_release.yml
     with:
@@ -144,6 +175,8 @@ jobs:
       ver_num: ${{ needs.create_tag.outputs.new_ver}}
 
   release_iwasm_on_macos:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release, build_llvm_libraries_on_macos]
     uses: ./.github/workflows/build_iwasm_release.yml
     with:
@@ -154,6 +187,8 @@ jobs:
       ver_num: ${{ needs.create_tag.outputs.new_ver}}
 
   release_iwasm_on_windows:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release, build_llvm_libraries_on_windows]
     uses: ./.github/workflows/build_iwasm_release.yml
     with:
@@ -166,6 +201,8 @@ jobs:
   #
   # WAMR_SDK
   release_wamr_sdk_on_ubuntu_2004:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_wamr_sdk.yml
     with:
@@ -177,6 +214,8 @@ jobs:
       wamr_app_framework_url: https://github.com/bytecodealliance/wamr-app-framework.git
 
   release_wamr_sdk_on_ubuntu_2204:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_wamr_sdk.yml
     with:
@@ -188,6 +227,8 @@ jobs:
       wamr_app_framework_url: https://github.com/bytecodealliance/wamr-app-framework.git
 
   release_wamr_sdk_on_macos:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_wamr_sdk.yml
     with:
@@ -201,6 +242,8 @@ jobs:
   #
   # vscode extension cross-platform
   release_wamr_ide_vscode_ext:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_wamr_vscode_ext.yml
     secrets: inherit
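Review bot: The new `contents: write # upload release artifact` grant on release_wamr_ide_vscode_ext narrows GITHUB_TOKEN, but the unchanged `secrets: inherit` on the next line still forwards every repository secret to the called workflow, so the blast radius of this job is set by the secrets, not by this permissions block. If build_wamr_vscode_ext.yml needs only specific secrets, declare them in a `secrets:` mapping instead of `inherit`; if it really needs all of them, a comment beside `secrets: inherit` naming which ones are consumed would let a reviewer check that. This job's definition continues past the hunk.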
@@ -211,6 +254,8 @@ jobs:
   #
   # vscode extension docker images package
   release_wamr_ide_docker_images_package:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_docker_images.yml
     with:
@@ -220,6 +265,8 @@ jobs:
   #
   # WAMR_LLDB
   release_wamr_lldb_on_ubuntu_2004:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_wamr_lldb.yml
     with:
@@ -228,6 +275,8 @@ jobs:
       ver_num: ${{ needs.create_tag.outputs.new_ver}}
 
   release_wamr_lldb_on_ubuntu_2204:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_wamr_lldb.yml
     with:
@@ -236,6 +285,8 @@ jobs:
       ver_num: ${{ needs.create_tag.outputs.new_ver}}
 
   release_wamr_lldb_on_macos_universal:
+    permissions:
+      contents: write # upload release artifact
     needs: [create_tag, create_release]
     uses: ./.github/workflows/build_wamr_lldb.yml
     with:

+ 6 - 0
.github/workflows/reuse_latest_release_binaries.yml

@@ -22,11 +22,17 @@ on:
       result:
         value: ${{ jobs.build.outputs.result }}
 
+permissions:
+  contents: read
+
 jobs:
   reuse:
     runs-on: ubuntu-latest
     outputs:
       result: ${{ steps.try_reuse.outputs.result }}
+    permissions:
+      contents: write # for creating realease and uploading release artifacts
+
     steps:
       - uses: actions/checkout@v4
         # Full git history is needed to get a proper list of commits and tags
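Review bot: The comment on the new grant has a typo and is the only place the reason for `contents: write` is recorded: `contents: write # for creating realease and uploading release artifacts` should read `contents: write # for creating a release and uploading release artifacts`. The job's steps are outside the hunk, so whether a release is created here or only assets are uploaded cannot be confirmed from the diff; wording the comment to match the step that needs the grant keeps the permission auditable.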

+ 9 - 0
.github/workflows/spec_test_on_nuttx.yml

@@ -29,8 +29,14 @@ env:
   LLVM_CACHE_SUFFIX: "build-llvm_libraries_ex"
   WASI_SDK_PATH: "/opt/wasi-sdk"
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries:
+    permissions:
+      contents: read
+      actions: write
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
       os: "ubuntu-22.04"
@@ -38,6 +44,9 @@ jobs:
       container_image: ghcr.io/no1wudi/nuttx/apache-nuttx-ci-linux@sha256:8c4e00b607d4d6d66ba8f51c4544819a616eac69d3a2ac669e2af2150e2eb0f9
 
   build_llvm_libraries_xtensa:
+    permissions:
+      contents: read
+      actions: write
     uses: ./.github/workflows/build_llvm_libraries.yml
     with:
       os: "ubuntu-22.04"