security: add permissions block to workflows (#38047)

(cherry picked from commit f502623) # Conflicts: # .github/workflows/platform-ingest-project-board.yml # .github/workflows/post-dependabot.yml
elastic · Mar 27, 2024 · bd3b705 · bd3b705
1 parent 4ae0028
commit bd3b705
Show file tree

Hide file tree

Showing 32 changed files with 192 additions and 0 deletions.
diff --git a/.github/workflows/check-audtibeat.yml b/.github/workflows/check-audtibeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'auditbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-dev-tools.yml b/.github/workflows/check-dev-tools.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'dev-tools'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-filebeat.yml b/.github/workflows/check-filebeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'filebeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-heartbeat.yml b/.github/workflows/check-heartbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'heartbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-libbeat.yml b/.github/workflows/check-libbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'libbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-metricbeat.yml b/.github/workflows/check-metricbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'metricbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-packetbeat.yml b/.github/workflows/check-packetbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'packetbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-winlogbeat.yml b/.github/workflows/check-winlogbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'winlogbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-xpack-auditbeat.yml b/.github/workflows/check-xpack-auditbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/auditbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-xpack-dockerlogbeat.yml b/.github/workflows/check-xpack-dockerlogbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/dockerlogbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-xpack-filebeat.yml b/.github/workflows/check-xpack-filebeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/filebeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-xpack-functionbeat.yml b/.github/workflows/check-xpack-functionbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/functionbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-xpack-heartbeat.yml b/.github/workflows/check-xpack-heartbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/heartbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-xpack-libbeat.yml b/.github/workflows/check-xpack-libbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/libbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-xpack-metricbeat.yml b/.github/workflows/check-xpack-metricbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/metricbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-xpack-osquerybeat.yml b/.github/workflows/check-xpack-osquerybeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/osquerybeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-xpack-packetbeat.yml b/.github/workflows/check-xpack-packetbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/packetbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/check-xpack-winlogbeat.yml b/.github/workflows/check-xpack-winlogbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/winlogbeat'
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/macos-auditbeat.yml b/.github/workflows/macos-auditbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'auditbeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-filebeat.yml b/.github/workflows/macos-filebeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'filebeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-heartbeat.yml b/.github/workflows/macos-heartbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'heartbeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-metricbeat.yml b/.github/workflows/macos-metricbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'metricbeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-packetbeat.yml b/.github/workflows/macos-packetbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'packetbeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-xpack-auditbeat.yml b/.github/workflows/macos-xpack-auditbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/auditbeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-xpack-filebeat.yml b/.github/workflows/macos-xpack-filebeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/filebeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-xpack-functionbeat.yml b/.github/workflows/macos-xpack-functionbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/functionbeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-xpack-heartbeat.yml b/.github/workflows/macos-xpack-heartbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/heartbeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-xpack-metricbeat.yml b/.github/workflows/macos-xpack-metricbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/metricbeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-xpack-osquerybeat.yml b/.github/workflows/macos-xpack-osquerybeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/osquerybeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/macos-xpack-packetbeat.yml b/.github/workflows/macos-xpack-packetbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
   BEAT_MODULE: 'x-pack/packetbeat'
 
+permissions:
+  contents: read
+
 jobs:
   macos:
     runs-on: macos-latest

diff --git a/.github/workflows/platform-ingest-project-board.yml b/.github/workflows/platform-ingest-project-board.yml
@@ -0,0 +1,59 @@
+name: Add issue to Ingest project
+
+on:
+  issues:
+    types:
+      - labeled
+env:
+  INGEST_PROJECT_ID: 'PVT_kwDOAGc3Zs4AEzn4'
+
+  # GitHub labels for each team/area
+  DATA_PLANE_LABEL: 'Team:Elastic-Agent-Data-Plane'
+  CONTROL_PLANE_LABEL: 'Team:Elastic-Agent-Control-Plane'
+  ELASTIC_AGENT_LABEL: 'Team:Elastic-Agent'
+
+  # ID values for the Area property + its options
+  AREA_FIELD_ID: 'PVTSSF_lADOAGc3Zs4AEzn4zgEgZSo'
+  ELASTIC_AGENT_OPTION_ID: 'c1e1a30a'
+
+permissions:
+  contents: read
+
+jobs:
+  add_to_ingest_project:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: octokit/graphql-action@v2.x
+        id: add_to_project
+        if: ${{ github.event.label.name == env.DATA_PLANE_LABEL || github.event.label.name == env.CONTROL_PLANE_LABEL || github.event.label.name == env.ECOSYSTEM_LABEL || github.event.label.name == env.FLEET_LABEL }}
+        with:
+          query: |
+            # Variables have to be snake cased because of https://github.com/octokit/graphql-action/issues/164
+            mutation AddToIngestProject($project_id: ID!, $content_id: ID!) {
+              addProjectV2ItemById(input: { projectId: $project_id, contentId: $content_id }) {
+                  item {
+                    id
+                  }
+                }
+              }
+          project_id: ${{ env.INGEST_PROJECT_ID }}
+          content_id: ${{ github.event.issue.node_id }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.PROJECT_ASSIGNER_TOKEN }}
+      - uses: octokit/graphql-action@v2.x
+        id: set_elastic_agent_area
+        if: github.event.label.name == env.DATA_PLANE_LABEL || github.event.label.name == env.CONTROL_PLANE_LABEL || github.event.label.name == env.ELASTIC_AGENT_LABEL
+        with:
+          query: |
+            mutation updateIngestArea($item_id: ID!, $project_id: ID!, $area_field_id: ID!, $area_id: String) {
+              updateProjectV2ItemFieldValue(
+                input: { itemId: $item_id, projectId: $project_id, fieldId: $area_field_id, value: { singleSelectOptionId: $area_id } }) {
+                  clientMutationId
+                }
+              }
+          item_id: ${{ fromJSON(steps.add_to_project.outputs.data).addProjectV2ItemById.item.id }}
+          project_id: ${{ env.INGEST_PROJECT_ID }}
+          area_field_id: ${{ env.AREA_FIELD_ID }}
+          area_id: ${{ env.ELASTIC_AGENT_OPTION_ID }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.PROJECT_ASSIGNER_TOKEN }}