From 10a468f6e61f60e693166021d4f3ce9bddea71ab Mon Sep 17 00:00:00 2001
From: Chris Harrison <36608309+chris3ware@users.noreply.github.com>
Date: Fri, 17 Mar 2023 11:45:04 +0000
Subject: [PATCH] fix: workflow token permissions (#58)

---
.github/workflows/lint.yaml | 8 +++++---
.github/workflows/pr-title.yaml | 7 ++++---
.github/workflows/terraform-docs.yaml | 2 --
.github/workflows/tfsec-pr.yaml | 8 +++++---
4 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index 092723d..e501d22 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -9,17 +9,19 @@ on:
required: true
type: number

-# Declare default permissions as read only.
-permissions:
- contents: read
+# Disable permissions for all available scopes
+permissions: {}

jobs:
find-terraform:
+ permissions:
+ contents: read
uses: ./.github/workflows/get-terraform-dir.yaml

lint:
runs-on: ubuntu-latest
permissions:
+ contents: read
checks: write # not required (see slack) but produces an error in the logs
# https://trunkcommunity.slack.com/archives/C04GAE5EA5S/p1677846825881319?thread_ts=1676214812.584879&cid=C04GAE5EA5S
timeout-minutes: 10
diff --git a/.github/workflows/pr-title.yaml b/.github/workflows/pr-title.yaml
index 5b7b611..ef64a40 100644
--- a/.github/workflows/pr-title.yaml
+++ b/.github/workflows/pr-title.yaml
@@ -5,9 +5,8 @@ on:
types: [opened, edited, synchronize]
workflow_call: {}

-# Declare default permissions as read only.
-permissions:
- pull-requests: read
+# Disable permissions for all available scopes
+permissions: {}

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref }}
@@ -15,6 +14,8 @@ concurrency:

jobs:
conventional-pr-title:
+ permissions:
+ pull-requests: read
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml
index bc3c531..a9ed60d 100644
--- a/.github/workflows/terraform-docs.yaml
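Review bot: The new `permissions: {}` means any job in this file that lacks its own `permissions` block now runs with no token scopes at all, and the replacement header comment `# Disable permissions for all available scopes` does not state that jobs are expected to opt in individually; the same comment is introduced in the pr-title.yaml and tfsec-pr.yaml hunks. I would make the comment state the contract, e.g. `# No default GITHUB_TOKEN scopes; each job below grants only what it needs`. On the `find-terraform` job, the added `contents: read` is also the ceiling for everything inside the called `get-terraform-dir.yaml`, since a called reusable workflow can only narrow the scopes it is passed, and a one-line comment on that job saying so would save the next reader a trip to the docs.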
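Review bot: The `pull-requests: read` now granted on `conventional-pr-title` only takes effect when the calling workflow also grants it: this file is invoked through `workflow_call: {}` (visible in the previous hunk), and a called workflow cannot raise a job's scope above what the caller passed, so the top-level `permissions: {}` says nothing about what callers must provide. I would add a comment beside the trigger, e.g. `# when invoked via workflow_call the caller must grant pull-requests: read`. The same caller-ceiling caveat applies to the `pull-requests: write` kept on `tfsec-pr-commenter` in the tfsec-pr.yaml hunk if that workflow is also reusable, which its `on:` inputs suggest but the hunk does not show. The job's steps are outside this hunk, so I cannot confirm from here that read is sufficient for the title check.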
+++ b/.github/workflows/terraform-docs.yaml
@@ -12,8 +12,6 @@ jobs:
secrets: inherit
find-terraform:
if: github.actor != '3ware-release[bot]'
- permissions:
- contents: read
uses: ./.github/workflows/get-terraform-dir.yaml

terraform-docs:
diff --git a/.github/workflows/tfsec-pr.yaml b/.github/workflows/tfsec-pr.yaml
index 1d96e86..d1324ff 100644
--- a/.github/workflows/tfsec-pr.yaml
+++ b/.github/workflows/tfsec-pr.yaml
@@ -9,16 +9,18 @@ on:
required: false
type: string

-# Declare default permissions as read only.
-permissions:
- contents: read
+# Disable permissions for all available scopes
+permissions: {}

jobs:
find-terraform:
+ permissions:
+ contents: read
uses: ./.github/workflows/get-terraform-dir.yaml

tfsec-pr-commenter:
permissions:
+ contents: read
pull-requests: write
runs-on: ubuntu-latest
timeout-minutes: 10
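Review bot: Removing the job-level `contents: read` from `find-terraform` leaves this call to `get-terraform-dir.yaml` with whatever the workflow-level `permissions` block of terraform-docs.yaml grants, and that block is neither in this hunk nor touched by the commit (the diffstat shows only two deletions for this file). This is the opposite direction from the lint, pr-title and tfsec-pr hunks, which give the same job an explicit `contents: read` under a `permissions: {}` default, so the effective scope here depends on a line I cannot see: if the workflow default is wider than `contents: read` the called workflow now inherits that wider scope, and if it is `{}` the call would get no token. I would keep the explicit grant, `permissions:` / `contents: read`, on this job for symmetry with the other three workflows, or add a comment on the job stating what the workflow-level default is and why inheriting it is intended.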