fix: attempt fix token permissions (#1155)

## Description Resolve Code Scanning Token Permissions issues ## Related Issue Fixes #978 ## Type of change - [x] Bug fix (non-breaking change which fixes an issue) - [ ] New feature (non-breaking change which adds functionality) - [ ] Other (security config, docs update, etc) ## Checklist before merging - [x] Test, docs, adr added or updated as needed - [x] [Contributor Guide](https://github.com/defenseunicorns/uds-template-capability/blob/main/CONTRIBUTING.md) followed
defenseunicorns · Jan 6, 2025 · 5a46e41 · 5a46e41
1 parent 29ee12b
commit 5a46e41
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 0 deletions.
diff --git a/.github/workflows/checkpoint.yaml b/.github/workflows/checkpoint.yaml
@@ -3,6 +3,12 @@
 
 name: Checkpoint UDS Core
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+  packages: read # Allows reading the content of the repository's packages.
+  id-token: write
+
 on:
   pull_request:
     # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).

diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
@@ -3,6 +3,10 @@
 
 name: Metadata
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+
 on:
   pull_request:
     branches: [main]

diff --git a/.github/workflows/docs-shim.yaml b/.github/workflows/docs-shim.yaml
@@ -3,6 +3,10 @@
 
 name: CI Docs
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+
 on:
   pull_request:
     # milestoned is added here as a workaround for release-please not triggering PR workflows (PRs should be added to a milestone to trigger the workflow).

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -3,6 +3,12 @@
 
 name: Publish UDS Core
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+  packages: read # Allows reading the content of the repository's packages.
+  id-token: write
+
 on:
   # triggered by tag-and-release.yaml and snapshot-release.yaml
   workflow_call:

diff --git a/.github/workflows/snapshot-release.yaml b/.github/workflows/snapshot-release.yaml
@@ -3,6 +3,12 @@
 
 name: Release UDS Core Snapshot
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+  packages: read # Allows reading the content of the repository's packages.
+  id-token: write
+
 on:
   schedule:
     - cron: "0 10 * * *"

diff --git a/.github/workflows/tag-and-release.yaml b/.github/workflows/tag-and-release.yaml
@@ -3,6 +3,12 @@
 
 name: Release UDS Core
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+  packages: read # Allows reading the content of the repository's packages.
+  id-token: write
+
 on:
   push:
     branches:

diff --git a/.github/workflows/test-shim.yaml b/.github/workflows/test-shim.yaml
@@ -3,6 +3,10 @@
 
 name: Test Shim
 
+# Permissions for the GITHUB_TOKEN used by the workflow.
+permissions:
+  contents: read # Allows reading the content of the repository.
+
 on:
   # Manual trigger
   workflow_dispatch: