magma · themarwhal · Mar 16, 2022 · Feb 7, 2022
@@ -13,6 +13,8 @@ on:  # yamllint disable-line rule:truthy
 
 concurrency: ${{ github.workflow }}
 
+permissions: read-all
+
 jobs:
   docker-load-test:
     name: agw docker load tests

@@ -21,6 +21,8 @@ env:
   BAZEL_CACHE: bazel-cache
   BAZEL_CACHE_REPO: bazel-cache-repo
 
+permissions: read-all
+
 jobs:
   path_filter:
     runs-on: ubuntu-latest

@@ -9,6 +9,8 @@ on:  # yamllint disable-line rule:truthy
 env:
   MAGMA_VERSION: "1.7.0"
 
+permissions: read-all
+
 jobs:
   publish-amis-to-marketplace:
     name: publish-amis-to-marketplace job

@@ -29,6 +29,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   AutoLabelPR:
     runs-on: ubuntu-latest

@@ -6,6 +6,8 @@ on:  # yamllint disable-line rule:truthy
     branches:
       - master
 
+permissions: read-all
+
 jobs:
   backport:
     name: backport

@@ -23,6 +23,9 @@ env:
 
   DEVCONTAINER_IMAGE: "ghcr.io/magma/magma/devcontainer:latest"
 
+permissions:
+  contents: read
+
 jobs:
   bazel-build-magma-vm-and-push-cache:
     runs-on: macos-10.15

@@ -25,6 +25,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   path_filter:
     runs-on: ubuntu-latest

@@ -12,6 +12,8 @@ on:  # yamllint disable-line rule:truthy
       - 'v1.*'
     types: [opened, reopened, synchronize]
 
+permissions: read-all
+
 jobs:
   build_publish_helm_charts:
     if: github.repository_owner == 'magma'

@@ -7,6 +7,9 @@ on:  # yamllint disable-line rule:truthy
       - master
       - 'v1.*'
 
+permissions:
+  contents: read
+
 jobs:
   checkRebase:
     runs-on: ubuntu-latest

@@ -16,6 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   path_filter:
     runs-on: ubuntu-latest

@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   sanity:
     runs-on: ubuntu-latest

@@ -24,6 +24,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze

@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.event.workflow.name }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   skip_check:
     name: Job to check if the workflow ${{ github.event.workflow.name }} can be skipped

@@ -16,6 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   path_filter:
     runs-on: ubuntu-latest

@@ -15,6 +15,8 @@ on:  # yamllint disable-line rule:truthy
 env:
   SHA: ${{ github.event.workflow_run.head_commit.id || github.sha }}
 
+permissions: read-all
+
 jobs:
   docker-build:
     if: github.repository_owner == 'magma' || github.event_name == 'workflow_dispatch'

@@ -15,6 +15,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   path_filter:
     runs-on: ubuntu-latest

@@ -8,6 +8,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   reverted-pr-check:
     name: Reverted PR Check Job

@@ -7,6 +7,9 @@ on:  # yamllint disable-line rule:truthy
       - build-all
     types:
       - completed
+
+permissions: read-all
+
 # Replace registries with new test registries reserved for PR builds
 jobs:
   deploy:

@@ -26,6 +26,8 @@ env:
   IMAGE_TAGS: type=sha
   DOCKERFILE: experimental/bazel-base/Dockerfile
 
+permissions: read-all
+
 jobs:
   build_dockerfile:
     runs-on: ubuntu-latest

@@ -26,6 +26,8 @@ env:
   IMAGE_TAGS: type=sha
   DOCKERFILE: .devcontainer/Dockerfile
 
+permissions: read-all
+
 jobs:
   build_dockerfile:
     runs-on: ubuntu-latest

@@ -26,6 +26,8 @@ env:
   IMAGE_TAGS: type=sha
   DOCKERFILE: lte/gateway/docker/python-precommit/Dockerfile
 
+permissions: read-all
+
 jobs:
   build_dockerfile:
     runs-on: ubuntu-latest

@@ -14,6 +14,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   path_filter:
     runs-on: ubuntu-latest

@@ -5,6 +5,9 @@ on:  # yamllint disable-line rule:truthy
   push:
     branches:
       - master
+
+permissions: read-all
+
 jobs:
   docusaurus-build-and-deploy:
     runs-on: ubuntu-latest

@@ -11,6 +11,8 @@ on:  # yamllint disable-line rule:truthy
       - 'v1.*'
     types: [opened, reopened, synchronize]
 
+permissions: read-all
+
 jobs:
   path_filter:
     runs-on: ubuntu-latest
@@ -127,6 +129,9 @@ jobs:
           verbose: true
 
   active_mode_controller_unit_tests:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     needs: path_filter
     if: ${{ needs.path_filter.outputs.am == 'true' }}
     name: "Active mode controller unit tests"

@@ -17,6 +17,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   path_filter:
     runs-on: ubuntu-latest

@@ -15,6 +15,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   fossa-analyze:
     env:

@@ -31,6 +31,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 # See [Example Sharing Container Between Jobs](https://github.com/docker/build-push-action/issues/225)
 jobs:
   path_filter:

@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   pre_job_src_go_determinator:
     runs-on: ubuntu-latest

@@ -20,6 +20,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   check_helm_chart_dependencies:
     env:

@@ -4,6 +4,9 @@ name: helm-build-on-demand
 # Temporary on demand Job until we refactor helm build job in build-all
 on:  # yamllint disable-line rule:truthy
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   build_publish_helm_charts_on_demand:
     env:

@@ -16,6 +16,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   insync-checkin:
     name: insync checkin job

@@ -13,6 +13,8 @@ on:  # yamllint disable-line rule:truthy
     types:
       - completed
 
+permissions: read-all
+
 jobs:
   lte-integ-test:
     if: github.repository_owner == 'magma' || github.event_name == 'workflow_dispatch'

@@ -19,6 +19,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   path_filter:
     runs-on: ubuntu-latest

@@ -6,6 +6,8 @@ on:  # yamllint disable-line rule:truthy
   pull_request_target:
     types: [opened]
 
+permissions: read-all
+
 jobs:
   # This job is a manual approximation of https://github.com/peter-evans/create-or-update-comment
   comment:

@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   pre_job:
     runs-on: ubuntu-latest

@@ -3,9 +3,14 @@ name: Automatic Rebase
 on:  # yamllint disable-line rule:truthy
   issue_comment:
     types: [created]
+permissions:
+  contents: read
+
 jobs:
   # This job is based on https://github.com/marketplace/actions/automatic-rebase
   rebase:
+    permissions:
+      contents: none
     name: Rebase
     if: github.event.issue.pull_request != '' && contains(github.event.comment.body, '/rebase')
     runs-on: ubuntu-latest

@@ -15,6 +15,8 @@ concurrency:
 # github-pr-check: Adds lint as annotations in the PR that can be toggled by pressing 'a'
 # github-pr-review: Adds lint as GitHub comments
 
+permissions: read-all
+
 jobs:
   pre_job_go_determinator:
     runs-on: ubuntu-latest
@@ -47,6 +49,10 @@ jobs:
               - [".github/workflows/reviewdog-workflow.yml", "lte/gateway/c/**", "orc8r/gateway/c/**"]
 
   cpplint:
+    permissions:
+      checks: write  # for reviewdog
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: write  # for reviewdog
     needs: pre_job_c_cpp_determinator
     if: ${{ needs.pre_job_c_cpp_determinator.outputs.should_not_skip == 'true' }}
     ##
@@ -83,6 +89,9 @@ jobs:
             | ./reviewdog -efm="%f:%l: %m" -name="cpplint" -reporter="github-pr-check" -level="warning"
 
   golangci-lint:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: write  # for reviewdog/action-golangci-lint to report issues using PR comments
     needs: pre_job_go_determinator
     if: ${{ needs.pre_job_go_determinator.outputs.should_not_skip == 'true' }}
     runs-on: ubuntu-latest

@@ -13,6 +13,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   reverted-pr-check:
     name: Reverted PR Check Job

@@ -6,6 +6,9 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   testim_check_job:
     runs-on: ubuntu-latest