Merge pull request #11756 from id/1012-ci-fix-token-permissions

chore(ci): limit token scope in workflows

.github/workflows/build_and_push_docker_images.yaml

@@ -75,6 +75,9 @@ on:
         type: string
         default: '["self-hosted","ephemeral", "linux"]'
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     runs-on: ${{ fromJSON(inputs.runner_labels) }}

.github/workflows/build_docker_for_test.yaml

@@ -23,6 +23,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   docker:
     runs-on: ${{ fromJSON(inputs.runner_labels) }}

.github/workflows/check_deps_integrity.yaml

@@ -10,6 +10,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   check_deps_integrity:
     runs-on: ${{ fromJSON(inputs.runner_labels) }}

.github/workflows/codeql.yaml

@@ -8,14 +8,16 @@ on:
       ref:
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     timeout-minutes: 360
     permissions:
       actions: read
-      contents: read
       security-events: write
     container:
       image: ghcr.io/emqx/emqx-builder/5.1-4:1.14.5-25.3.2-2-ubuntu22.04

.github/workflows/green_master.yaml

@@ -8,6 +8,9 @@ on:
     - cron: "0 * * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   rerun-failed-jobs:
     if: github.repository_owner == 'emqx'

.github/workflows/performance_test.yaml

@@ -19,6 +19,9 @@ env:
   TF_VAR_prometheus_remote_write_url: ${{ secrets.TF_EMQX_PERF_TEST_PROMETHEUS_REMOTE_WRITE_URL }}
   SLACK_WEBHOOK_URL: ${{ secrets.TF_EMQX_PERF_TEST_SLACK_URL }}
 
+permissions:
+  contents: read
+
 jobs:
   prepare:
     runs-on: ubuntu-latest

.github/workflows/release.yaml

@@ -13,9 +13,14 @@ on:
         required: true
         default: false
 
+permissions:
+  contents: read
+
 jobs:
   upload:
     runs-on: ubuntu-22.04
+    permissions:
+      packages: write
     strategy:
       fail-fast: false
     steps:

.github/workflows/run_conf_tests.yaml

@@ -14,6 +14,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   run_conf_tests:
     runs-on: ${{ fromJSON(inputs.runner_labels) }}

.github/workflows/run_docker_tests.yaml

@@ -17,6 +17,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   basic-tests:
     runs-on: ${{ fromJSON(inputs.runner_labels) }}

.github/workflows/run_emqx_app_tests.yaml

@@ -26,6 +26,9 @@ on:
 env:
   IS_CI: "yes"
 
+permissions:
+  contents: read
+
 jobs:
   run_emqx_app_tests:
     runs-on: ${{ fromJSON(inputs.runner_labels) }}

.github/workflows/run_helm_tests.yaml

@@ -17,6 +17,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   helm_test:
     runs-on: ${{ fromJSON(inputs.runner_labels) }}

.github/workflows/run_relup_tests.yaml

@@ -14,6 +14,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   relup_test_plan:
     runs-on: ["${{ inputs.runner }}", 'linux', 'x64', 'ephemeral']

.github/workflows/spellcheck.yaml

@@ -11,6 +11,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   spellcheck:
     strategy:

.github/workflows/stale.yaml

@@ -8,6 +8,9 @@ on:
     - cron: "0 * * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     if: github.repository_owner == 'emqx'

.github/workflows/static_checks.yaml

@@ -20,6 +20,9 @@ on:
 env:
   IS_CI: "yes"
 
+permissions:
+  contents: read
+
 jobs:
   static_checks:
     runs-on: ${{ fromJSON(inputs.runner_labels) }}