diff --git a/.github/workflows/common-build-docs.yaml b/.github/workflows/common-build-docs.yaml
index 5dfd0f9ca..c092de1d3 100644
--- a/.github/workflows/common-build-docs.yaml
+++ b/.github/workflows/common-build-docs.yaml
@@ -7,9 +7,14 @@ on:
         required: false
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   update-gh-pages:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v1
diff --git a/.github/workflows/common-build-images.yaml b/.github/workflows/common-build-images.yaml
index c36247bba..037495f7a 100644
--- a/.github/workflows/common-build-images.yaml
+++ b/.github/workflows/common-build-images.yaml
@@ -16,6 +16,9 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   build-images:
     name: Build and publish container images
diff --git a/.github/workflows/common-codeql.yaml b/.github/workflows/common-codeql.yaml
index a0f73b2e2..bdcdb0498 100644
--- a/.github/workflows/common-codeql.yaml
+++ b/.github/workflows/common-codeql.yaml
@@ -7,10 +7,14 @@ on:
         required: false
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   codeql-scan:
     runs-on: ubuntu-22.04
-
+    permissions:
+      security-events: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
diff --git a/.github/workflows/common-trivy.yaml b/.github/workflows/common-trivy.yaml
index e6981ce25..e266c425c 100644
--- a/.github/workflows/common-trivy.yaml
+++ b/.github/workflows/common-trivy.yaml
@@ -11,6 +11,9 @@ on:
         required: false
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   trivy-scan-licenses:
     runs-on: ubuntu-22.04
@@ -29,6 +32,8 @@ jobs:
 
   trivy-scan-vulns:
     runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
diff --git a/.github/workflows/common-verify-code.yaml b/.github/workflows/common-verify-code.yaml
index 231c7c16c..b4afc143d 100644
--- a/.github/workflows/common-verify-code.yaml
+++ b/.github/workflows/common-verify-code.yaml
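Review bot: The workflow-level `contents: read` is now the only scope this reusable workflow carries, and the `build-images` job ("Build and publish container images") adds no job-level block in this hunk, so if its publish step pushes with `GITHUB_TOKEN` it has lost `packages: write` compared with the previous default token. The callers do not restore it either: `publish-images` in publish-devel-images.yaml passes no `permissions:`, so the called job inherits that caller's `contents: read`. If the registry login uses a dedicated secret this is fine; otherwise the job needs `permissions:` / `contents: read` / `packages: write` and the callers must pass the same scope. The job's steps lie outside the hunk, so I cannot confirm which applies.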
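Review bot: The job-level `permissions:` on `codeql-scan` replaces the workflow-level block rather than extending it, so every scope not listed is set to none and this job runs with `security-events: write` but `contents: none` — the `actions/checkout@v3` step directly below, and the CodeQL analysis it feeds, then get a token that cannot read the repository (on a public repository the clone may still succeed without auth, which would hide the problem until the workflow is used on a private one). The block should list both scopes: `permissions:` / `contents: read` / `security-events: write`. The same issue applies to `trivy-scan-vulns` in common-trivy.yaml's second hunk, which is followed by the same checkout step. The callers in common-verify-code.yaml already pass both scopes, so the called workflows are only narrowing themselves here.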
@@ -3,6 +3,9 @@ name: Verify code
 on:
   - workflow_call
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     runs-on: ubuntu-22.04
@@ -38,8 +41,14 @@ jobs:
 
   trivy-scan:
     uses: "./.github/workflows/common-trivy.yaml"
+    permissions:
+      contents: read
+      security-events: write
     with:
       upload-to-github-security-tab: true
 
   codeql-scan:
     uses: "./.github/workflows/common-codeql.yaml"
+    permissions:
+      contents: read
+      security-events: write
diff --git a/.github/workflows/publish-devel-images.yaml b/.github/workflows/publish-devel-images.yaml
index eea3fadff..9214d8ff3 100644
--- a/.github/workflows/publish-devel-images.yaml
+++ b/.github/workflows/publish-devel-images.yaml
@@ -4,6 +4,9 @@ on:
   push:
     branches: ["master"]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
@@ -11,6 +14,9 @@ concurrency:
 jobs:
   trivy-scan:
     uses: "./.github/workflows/common-trivy.yaml"
+    permissions:
+      contents: read
+      security-events: write
 
   publish-images:
     uses: "./.github/workflows/common-build-images.yaml"
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index fc9686f00..00df605d8 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -11,6 +11,10 @@ on:
       - "Makefile"
     tags:
       - v*
+
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: false
@@ -18,5 +22,7 @@ concurrency:
 jobs:
   update-gh-pages:
     uses: "./.github/workflows/common-build-docs.yaml"
+    permissions:
+      contents: write
     with:
       publish: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5da47724c..b8eaf2c07 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -4,6 +4,9 @@ on:
   push:
     tags: [ 'v*' ]
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
@@ -11,11 +14,17 @@ concurrency:
 jobs:
   trivy-scan:
     uses: "./.github/workflows/common-trivy.yaml"
+    permissions:
+      contents: read
+      security-events: write
     with:
       export-csv: true
 
   codeql:
     uses: "./.github/workflows/common-codeql.yaml"
+    permissions:
+      contents: read
+      security-events: write
     with:
       export-report: true
@@ -30,6 +39,8 @@ jobs:
 
   build-packages:
     needs: [trivy-scan]
+    permissions:
+      contents: write
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout
diff --git a/.github/workflows/verify-periodic.yaml b/.github/workflows/verify-periodic.yaml
index abb1236cb..66e7514e0 100644
--- a/.github/workflows/verify-periodic.yaml
+++ b/.github/workflows/verify-periodic.yaml
@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '30 2 * * *'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -11,4 +14,6 @@ concurrency:
 jobs:
   verify-code:
     uses: "./.github/workflows/common-verify-code.yaml"
-
+    permissions:
+      contents: read
+      security-events: write
diff --git a/.github/workflows/verify-pr-code.yaml b/.github/workflows/verify-pr-code.yaml
index e126abf2e..d0a345402 100644
--- a/.github/workflows/verify-pr-code.yaml
+++ b/.github/workflows/verify-pr-code.yaml
@@ -6,6 +6,9 @@ on:
       - "docs/**"
       - "**.md"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
@@ -13,3 +16,6 @@ concurrency:
 jobs:
   verify:
     uses: "./.github/workflows/common-verify-code.yaml"
+    permissions:
+      contents: read
+      security-events: write
diff --git a/.github/workflows/verify-pr-docs.yaml b/.github/workflows/verify-pr-docs.yaml
index b57cf112f..e1ec444cb 100644
--- a/.github/workflows/verify-pr-docs.yaml
+++ b/.github/workflows/verify-pr-docs.yaml
@@ -6,6 +6,9 @@ on:
       - "docs/**"
       - "Makefile"
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
@@ -13,3 +16,6 @@ concurrency:
 jobs:
   verify-docs:
     uses: "./.github/workflows/common-build-docs.yaml"
+    permissions:
+      contents: read
+      security-events: write
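Review bot: `security-events: write` is granted to a docs build that has nothing to upload to code scanning — common-build-docs.yaml's hunk shows only `contents` scopes — so this looks copied from verify-pr-code.yaml and should be dropped, leaving `permissions:` / `contents: read`. The larger concern runs the other way: the called workflow's `update-gh-pages` job now requests `contents: write` unconditionally, while this pull-request caller passes only `contents: read`, and GitHub refuses a nested job that asks for more than its caller grants, so I would expect this workflow to fail validation rather than run. A called workflow can only narrow what it is passed, so the job-level write in common-build-docs.yaml cannot be made conditional on the `publish` input; the publishing step likely needs its own job so the build path can run under read-only scopes (inferred from the hunks, not verified against a run).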