From 3cbb8c9d6e9515ca04611a18a5c665138761f93f Mon Sep 17 00:00:00 2001
From: Joyce
Date: Thu, 15 Jun 2023 18:16:44 -0300
Subject: [PATCH] Show minimal permission needed for CIFuzz workflow (#10283)

I'm suggesting this change in the CIFuzz example workflow to indicate the minimal permission needed for the workflow to run and also to follow the OpenSSF Scorecard Token Permission Check recommendations. I've tested with https://github.com/joycebrum/sigstore/actions/runs/4918728701 and the action ran with success with no permission granted. the actions/upload-artifact skipped does not need permission to upload artifacts as can be seen at https://github.com/joycebrum/sigstore/actions/runs/4928734763

---------

Signed-off-by: Joyce
Signed-off-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
Co-authored-by: jonathanmetzman <31354670+jonathanmetzman@users.noreply.github.com>
---
 docs/getting-started/continuous_integration.md | 8 ++++++++
 infra/cifuzz/example_cifuzz.yml | 13 ++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/docs/getting-started/continuous_integration.md b/docs/getting-started/continuous_integration.md
index 1a3fb9e3f..93e399008 100644
--- a/docs/getting-started/continuous_integration.md
+++ b/docs/getting-started/continuous_integration.md
@@ -69,9 +69,12 @@ cifuzz.yml for an example project:
 ```yaml
 name: CIFuzz
 on: [pull_request]
+permissions: {}
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write
 steps:
 - name: Build Fuzzers
 id: build
@@ -138,9 +141,13 @@ can be used. To use a sanitizer add it to the list of sanitizers in the matrix f
 {% raw %}
 name: CIFuzz
 on: [pull_request]
+permissions: {}
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
+ # Uncomment this to get results in the GitHub security dashboard.
+ permissions:
+ security-events: write
 strategy:
 fail-fast: false
 matrix:
@@ -199,6 +206,7 @@ on:
 - '**.cpp'
 - '**.cxx'
 - '**.h'
+permissions: {}
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
diff --git a/infra/cifuzz/example_cifuzz.yml b/infra/cifuzz/example_cifuzz.yml
index 5f31b381c..67b56813f 100644
--- a/infra/cifuzz/example_cifuzz.yml
+++ b/infra/cifuzz/example_cifuzz.yml
@@ -1,8 +1,11 @@
 name: CIFuzz
 on: [pull_request]
+permissions: {}
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write
 steps:
 - name: Build Fuzzers
 id: build
@@ -19,4 +22,12 @@ jobs:
 if: failure() && steps.build.outcome == 'success'
 with:
 name: artifacts
- path: ./out/artifacts
+ path: ./out/artifacts
+ # Uncomment this to get results in the GitHub security dashboard. # - name: Upload Sarif # if: always() && steps.build.outcome == 'success' # uses: github/codeql-action/upload-sarif@v2 # with: # # Path to SARIF file relative to the root of the repository # sarif_file: cifuzz-sarif/results.sarif # checkout_path: cifuzz-sarif
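Review bot: The job-level `permissions:` block added to `Fuzzing` grants `security-events: write` unconditionally, yet the only step that needs it (the `upload-sarif` step in the next hunk) ships commented out, so the default example runs with more than the minimum the commit title claims — the commit message itself reports a successful run with no permissions granted at all. Because a job-level `permissions` key replaces the top-level `permissions: {}` rather than adding to it, the minimal example would keep those two lines commented out next to the Upload Sarif step, or at least carry a comment such as `# Only the Upload Sarif step below needs this; drop it if that step stays disabled.` (the same block is repeated in the docs examples). Note also that for `pull_request` runs coming from forks GitHub caps GITHUB_TOKEN at read access regardless of this key, so a SARIF upload would presumably still fail there — worth a one-line caveat next to the block. If the Build Fuzzers step (outside this hunk) relies on the token to clone a private repository, `contents: read` may have to be added back; the cited test runs were on a public fork.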
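Review bot: `uses: github/codeql-action/upload-sarif@v2` in the commented-out step references a mutable major tag, which the OpenSSF Scorecard the commit cites would flag under its Pinned-Dependencies check; pin it to a full-length commit SHA with the version in a trailing comment, e.g. `uses: github/codeql-action/upload-sarif@<full-commit-sha>  # v2.x.y`, so the exact code that receives the fuzzing results is fixed even in the template people copy. The step also reads `cifuzz-sarif/results.sarif` via `checkout_path: cifuzz-sarif`, but nothing in this hunk shows what produces that directory (the Build/Run Fuzzers steps are outside it), so a comment naming the step and option that emit it would save readers a lookup. The `-`/`+` pair on `path: ./out/artifacts` is content-identical and presumably a trailing-newline fix, so no concern there.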