github: set workflow permissions

marquiz · Jan 23, 2024 · 6962418 · 6962418
1 parent 9ddf702
commit 6962418
Show file tree

Hide file tree

Showing 11 changed files with 68 additions and 2 deletions.
diff --git a/.github/workflows/common-build-docs.yaml b/.github/workflows/common-build-docs.yaml
@@ -7,9 +7,14 @@ on:
         required: false
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   update-gh-pages:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     steps:
     - uses: actions/checkout@v1
 

diff --git a/.github/workflows/common-build-images.yaml b/.github/workflows/common-build-images.yaml
@@ -16,6 +16,9 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   build-images:
     name: Build and publish container images

diff --git a/.github/workflows/common-codeql.yaml b/.github/workflows/common-codeql.yaml
@@ -7,10 +7,14 @@ on:
         required: false
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   codeql-scan:
     runs-on: ubuntu-22.04
-
+    permissions:
+      security-events: write
     steps:
     - name: Checkout
       uses: actions/checkout@v3

diff --git a/.github/workflows/common-trivy.yaml b/.github/workflows/common-trivy.yaml
@@ -11,6 +11,9 @@ on:
         required: false
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   trivy-scan-licenses:
     runs-on: ubuntu-22.04
@@ -29,6 +32,8 @@ jobs:
 
   trivy-scan-vulns:
     runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
     steps:
     - name: Checkout
       uses: actions/checkout@v3

diff --git a/.github/workflows/common-verify-code.yaml b/.github/workflows/common-verify-code.yaml
@@ -3,6 +3,9 @@ name: Verify code
 on:
   - workflow_call
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-22.04
@@ -38,8 +41,14 @@ jobs:
 
   trivy-scan:
     uses: "./.github/workflows/common-trivy.yaml"
+    permissions:
+      contents: read
+      security-events: write
     with:
       upload-to-github-security-tab: true
 
   codeql-scan:
     uses: "./.github/workflows/common-codeql.yaml"
+    permissions:
+      contents: read
+      security-events: write
diff --git a/.github/workflows/publish-devel-images.yaml b/.github/workflows/publish-devel-images.yaml
@@ -4,13 +4,19 @@ on:
   push:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 
 jobs:
   trivy-scan:
     uses: "./.github/workflows/common-trivy.yaml"
+    permissions:
+      contents: read
+      security-events: write
 
   publish-images:
     uses: "./.github/workflows/common-build-images.yaml"

diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
@@ -11,12 +11,18 @@ on:
       - "Makefile"
     tags:
         - v*
+
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: false
 
 jobs:
   update-gh-pages:
     uses: "./.github/workflows/common-build-docs.yaml"
+    permissions:
+      contents: write
     with:
       publish: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -4,18 +4,27 @@ on:
   push:
     tags: [ 'v*' ]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
 
 jobs:
   trivy-scan:
     uses: "./.github/workflows/common-trivy.yaml"
+    permissions:
+      contents: read
+      security-events: write
     with:
       export-csv: true
 
   codeql:
     uses: "./.github/workflows/common-codeql.yaml"
+    permissions:
+      contents: read
+      security-events: write
     with:
       export-report: true
 
@@ -30,6 +39,8 @@ jobs:
 
   build-packages:
     needs: [trivy-scan]
+    permissions:
+      contents: write
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout

diff --git a/.github/workflows/verify-periodic.yaml b/.github/workflows/verify-periodic.yaml
@@ -4,11 +4,16 @@ on:
   schedule:
     - cron: '30 2 * * *'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   verify-code:
     uses: "./.github/workflows/common-verify-code.yaml"
-
+    permissions:
+      contents: read
+      security-events: write
diff --git a/.github/workflows/verify-pr-code.yaml b/.github/workflows/verify-pr-code.yaml
@@ -6,10 +6,16 @@ on:
       - "docs/**"
       - "**.md"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
 jobs:
   verify:
     uses: "./.github/workflows/common-verify-code.yaml"
+    permissions:
+      contents: read
+      security-events: write
diff --git a/.github/workflows/verify-pr-docs.yaml b/.github/workflows/verify-pr-docs.yaml
@@ -6,10 +6,16 @@ on:
       - "docs/**"
       - "Makefile"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
 jobs:
   verify-docs:
     uses: "./.github/workflows/common-build-docs.yaml"
+    permissions:
+      contents: read
+      security-events: write