From 08a1cee02998565381d19a732955221ec8e86a1f Mon Sep 17 00:00:00 2001
From: Connor Catlett
Date: Thu, 12 Sep 2024 18:12:27 +0000
Subject: [PATCH] Add permissions to all GitHub actions

Signed-off-by: Connor Catlett
---
 .github/workflows/generate-code-coverage.yaml | 5 +++++
 .github/workflows/govulncheck.yaml | 4 ++++
 .github/workflows/helm-chart-release.yaml | 4 ++++
 .github/workflows/output-code-coverage.yaml | 4 ++++
 .github/workflows/release.yaml | 4 ++++
 .github/workflows/trivy-containers.yaml | 4 ++++
 .github/workflows/trivy.yaml | 4 ++++
 .github/workflows/unit-tests.yaml | 3 +++
 8 files changed, 32 insertions(+)

diff --git a/.github/workflows/generate-code-coverage.yaml b/.github/workflows/generate-code-coverage.yaml
index 9ac03b674b..fbc5240a1d 100644
--- a/.github/workflows/generate-code-coverage.yaml
+++ b/.github/workflows/generate-code-coverage.yaml
@@ -14,6 +14,11 @@ name: Generate Code Coverage
 on: [pull_request]
+
+permissions:
+  contents: read
+# upload-artifact does not need write permissions as it relies on an undocumented token
+# https://github.com/actions/upload-artifact/issues/197#issuecomment-832279436
 jobs:
   cover-base:
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
index 033e659be6..1cc9bcb141 100644
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -17,6 +17,10 @@ on:
   pull_request:
     branches:
       - 'release-*'
+
+permissions:
+  contents: read
+
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/helm-chart-release.yaml b/.github/workflows/helm-chart-release.yaml
index 78e6ab96ec..2e46cf1a29 100644
--- a/.github/workflows/helm-chart-release.yaml
+++ b/.github/workflows/helm-chart-release.yaml
@@ -21,6 +21,10 @@ on:
     paths:
       - "charts/**/Chart.yaml"
+permissions:
+  contents: write
+  pages: write
+
 jobs:
   release:
     runs-on: ubuntu-latest
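Review bot: In generate-code-coverage.yaml the two explanatory comment lines are placed after `contents: read` and directly before `jobs:`, so they read as annotating `jobs:` rather than the permissions block they justify; placing the comment above `permissions:` and leaving a blank line before `jobs:` keeps the intent clear. The same missing blank line before `jobs:` also appears in the output-code-coverage.yaml, trivy.yaml and unit-tests.yaml hunks, while the other files in this commit add one, so the eight files end up inconsistent. A small wording tweak would also help the next reader: `# upload-artifact needs no write scope here: it authenticates with the runtime token, not GITHUB_TOKEN (see linked issue)`.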
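Review bot: In helm-chart-release.yaml `contents: write` and `pages: write` are granted at the workflow level, which hands both scopes to every job in the file; the job bodies are outside the hunk, so it is not visible whether a single step actually needs each of them. The least-privilege shape is a workflow-level `permissions:` / `  contents: read` with the write scopes declared under the `release` job's own `permissions:` block, so that any future job added to the file does not inherit write access by default. The same workflow-level write grant appears in the release.yaml, trivy-containers.yaml, trivy.yaml and output-code-coverage.yaml hunks; trivy-containers.yaml in particular shows a `build-matrix` job that presumably does not upload SARIF and so should not carry `security-events: write`.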
diff --git a/.github/workflows/output-code-coverage.yaml b/.github/workflows/output-code-coverage.yaml
index 7411d0fd89..0cbd19de8c 100644
--- a/.github/workflows/output-code-coverage.yaml
+++ b/.github/workflows/output-code-coverage.yaml
@@ -17,6 +17,10 @@ on:
   workflow_run:
     workflows: [Generate Code Coverage]
     types: [completed]
+
+permissions:
+  contents: read
+  pull-requests: write
 jobs:
   output-code-coverage:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 49fa877860..a3c418eb74 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -18,6 +18,10 @@ on:
     # Sequence of patterns matched against refs/tags
     tags:
       - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
+
+permissions:
+  contents: write
+
 jobs:
   build:
     name: Release
diff --git a/.github/workflows/trivy-containers.yaml b/.github/workflows/trivy-containers.yaml
index ca024e77b2..50803690b8 100644
--- a/.github/workflows/trivy-containers.yaml
+++ b/.github/workflows/trivy-containers.yaml
@@ -20,6 +20,10 @@ on:
   schedule:
     - cron: '0 */24 * * *'
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   build-matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index e5a40300e9..261c411d36 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -18,6 +18,10 @@ on:
     branches:
       - master
   pull_request:
+
+permissions:
+  contents: read
+  security-events: write
 jobs:
   build:
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
index 123a2b8c32..e3d8dcc972 100644
--- a/.github/workflows/unit-tests.yaml
+++ b/.github/workflows/unit-tests.yaml
@@ -18,6 +18,9 @@ on:
     branches:
       - master
   pull_request:
+
+permissions:
+  contents: read
 jobs:
   buildx:
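Review bot: In output-code-coverage.yaml `pull-requests: write` is granted to a `workflow_run` workflow whose input is the artifact produced by the `pull_request`-triggered Generate Code Coverage run shown in the first hunk, so the write-capable token runs in a job whose data originates from the PR's own code; the download and comment steps are outside the hunk, so how that data is handled is not visible here. That combination is exactly where workflow_run workflows need care: anything read from the artifact (PR number, coverage text) should be validated before it is used in an API call, and the workflow should not check out or execute code from the triggering run. Documenting the trust boundary next to the grant would help, e.g. `# pull-requests: write is needed only to post the coverage comment; the artifact comes from an untrusted PR run, so validate its contents before use`. A job-level grant on `output-code-coverage` rather than a workflow-level one would also narrow the scope.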