Merge pull request #20 from austenstone/autofixes

Fix 18 code scanning alerts

Author: austenstone

.github/workflows/angular.azure.web.app.deploy.yml

@@ -11,6 +11,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   azure-web-app:
     runs-on: ubuntu-latest

.github/workflows/angular.azure.web.static.deploy.yml

@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: Azure Static Site Deploy
 
 on:

.github/workflows/angular.build.yml

@@ -12,6 +12,10 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+  actions: write
+
 jobs:
   build:
     runs-on: ${{ inputs.runs-on }}

.github/workflows/angular.docker.yml

@@ -1,5 +1,10 @@
 name: Docker Deploy
 
+permissions:
+  contents: read
+  packages: write
+  actions: write
+
 on:
   workflow_call:
     inputs:
@@ -25,6 +30,9 @@ env:
 jobs:
 
   docker:
+    permissions:
+      contents: read
+      packages: write
     environment:
       name: DockerHub
       url: https://hub.docker.com/r/${{ inputs.dockerhub-username }}/${{ github.event.repository.name }}
@@ -50,6 +58,9 @@ jobs:
           images: ${{ inputs.dockerhub-username }}/${{ github.event.repository.name }}
 
   docker-ghcr:
+    permissions:
+      contents: read
+      packages: write
     environment:
       name: GitHub Container Registry
       url: https://github.com/${{ github.event.repository.owner.login }}/${{ github.event.repository.name }}/pkgs/container/${{ github.event.repository.name }}

.github/workflows/angular.lint.yml

@@ -3,6 +3,9 @@ name: Lint
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest

.github/workflows/angular.terraform.yml

@@ -1,5 +1,9 @@
 name: "Terraform"
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   workflow_call:
     outputs:

.github/workflows/angular.yml

@@ -3,6 +3,9 @@ name: Angular
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: ⚒️
@@ -29,12 +32,17 @@ jobs:
     name: 🚀
     if: github.ref == 'refs/heads/main'
     needs: [build, test, lint]
+    permissions:
+      contents: read
+      pages: write
     uses: ./.github/workflows/angular.pages.deploy.yml
 
   docker:
     name: 🐳
     if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/main'
     needs: [build]
+    permissions:
+      contents: read
     uses: ./.github/workflows/angular.docker.yml
     secrets: inherit
 
@@ -43,13 +51,18 @@ jobs:
     # skip until we get Azure working
     # if: 0
     needs: [docker, test, lint]
+    permissions:
+      contents: read
     uses: ./.github/workflows/angular.terraform.yml
     secrets: inherit
 
   azure-deploy:
     name: ☁️
     if: needs.terraform.outputs.api_key && github.ref == 'refs/heads/main'
     needs: [terraform]
+    permissions:
+      contents: read
+      deployments: write
     uses: ./.github/workflows/angular.azure.web.static.deploy.yml
     with:
       api_key: ${{ needs.terraform.outputs.api_key }}
@@ -69,4 +82,6 @@ jobs:
     name: 🚢
     if: startsWith(github.ref, 'refs/tags/')
     needs: [build, test, lint]
+    permissions:
+      contents: write
     uses: ./.github/workflows/angular.release.yml

.github/workflows/build-test-deploy.yml

@@ -1,3 +1,5 @@
+permissions:
+  contents: read
 name: CI/CD
 on:
   workflow_dispatch: