.github: harden permissions on GH workflows

None of the GH workflows need the GITHUB_TOKEN to have write
permissions for all scopes. This commit hardens the access values for
each GH workflow accordingly their needs.

Signed-off-by: André Martins <andre@cilium.io>

.github/workflows/build-images-base.yaml

@@ -11,6 +11,8 @@ on:
       - images/runtime/**
       - images/builder/**
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true

.github/workflows/build-images-ci.yaml

@@ -11,6 +11,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
   cancel-in-progress: true

.github/workflows/build-images-hotfixes.yaml

@@ -5,6 +5,8 @@ on:
     branches:
       - hf/master/**
 
+permissions: read-all
+
 jobs:
   build-and-push:
     if: ${{ github.repository == 'cilium/cilium' }}

.github/workflows/build-images-releases.yaml

@@ -6,6 +6,8 @@ on:
       - v[0-9]+.[0-9]+.[0-9]+
       - v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+
 
+permissions: read-all
+
 jobs:
   build-and-push:
     if: ${{ github.repository == 'cilium/cilium' }}

.github/workflows/conformance-aks.yaml

@@ -23,6 +23,12 @@ on:
   # pull_request: {}
   ###
 
+# By specifying the access of one of the scopes, all of those that are not
+# specified are set to 'none'.
+permissions:
+  # So that Sibz/github-status-action can write into the status API
+  statuses: write
+
 concurrency:
   # Structure:
   # - Workflow name

.github/workflows/conformance-aws-cni.yaml

@@ -23,6 +23,12 @@ on:
   # pull_request: {}
   ###
 
+# By specifying the access of one of the scopes, all of those that are not
+# specified are set to 'none'.
+permissions:
+  # So that Sibz/github-status-action can write into the status API
+  statuses: write
+
 concurrency:
   # Structure:
   # - Workflow name

.github/workflows/conformance-eks.yaml

@@ -23,6 +23,12 @@ on:
   # pull_request: {}
   ###
 
+# By specifying the access of one of the scopes, all of those that are not
+# specified are set to 'none'.
+permissions:
+  # So that Sibz/github-status-action can write into the status API
+  statuses: write
+
 concurrency:
   # Structure:
   # - Workflow name

.github/workflows/conformance-gke.yaml

@@ -23,6 +23,12 @@ on:
   # pull_request: {}
   ###
 
+# By specifying the access of one of the scopes, all of those that are not
+# specified are set to 'none'.
+permissions:
+  # So that Sibz/github-status-action can write into the status API
+  statuses: write
+
 concurrency:
   # Structure:
   # - Workflow name

.github/workflows/conformance-k8s-network-policies.yaml

@@ -5,6 +5,8 @@ on:
     # run once a day at midnight
     - cron: '0 0 * * *'
 
+permissions: read-all
+
 env:
   KIND_VERSION: v0.11.1
   KIND_CONFIG: .github/kind-config.yaml

.github/workflows/conformance-kind.yaml

@@ -13,6 +13,8 @@ on:
       - 'Documentation/**'
       - 'test/**'
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
   cancel-in-progress: true

.github/workflows/conformance-multicluster.yaml

@@ -23,6 +23,12 @@ on:
   # pull_request: {}
   ###
 
+# By specifying the access of one of the scopes, all of those that are not
+# specified are set to 'none'.
+permissions:
+  # So that Sibz/github-status-action can write into the status API
+  statuses: write
+
 concurrency:
   # Structure:
   # - Workflow name

.github/workflows/documentation.yaml

@@ -7,6 +7,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
   cancel-in-progress: true

.github/workflows/lint-bpf-checks.yaml

@@ -7,6 +7,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
   cancel-in-progress: true

.github/workflows/lint-build-commits.yaml

@@ -3,6 +3,8 @@ name: build-commits
 # Any change in triggers needs to be reflected in the concurrency group.
 on: [pull_request]
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true

.github/workflows/lint-codeql.yaml

@@ -6,6 +6,8 @@ on:
   schedule:
     - cron: "45 6 * * 3"
 
+permissions: read-all
+
 jobs:
   check_changes:
     name: Deduce required tests from code changes

.github/workflows/lint-go.yaml

@@ -7,6 +7,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
   cancel-in-progress: true

.github/workflows/lint-images-base.yaml

@@ -11,6 +11,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
   cancel-in-progress: true

.github/workflows/tests-l4lb.yaml

@@ -23,6 +23,8 @@ on:
   # pull_request: {}
   ###
 
+permissions: read-all
+
 concurrency:
   # Structure:
   # - Workflow name

.github/workflows/tests-nightly.yaml

@@ -2,6 +2,9 @@ name: Nightly
 on:
   schedule:
     - cron: '0 2 * * *' # run at 2 AM UTC
+
+permissions: read-all
+
 jobs:
   policy-stress-test:
     name: Start Nightly Policy Stress tests

.github/workflows/tests-smoke-ipv6.yaml

@@ -7,6 +7,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
   cancel-in-progress: true

.github/workflows/tests-smoke.yaml

@@ -7,6 +7,8 @@ on:
     branches:
       - master
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.event.after }}
   cancel-in-progress: true