Adjusted workflow permissions

Signed-off-by: Eddie Knight <knight@linux.com>
2 years ago · 939a75115c
parent 9f41efb6f7
commit 939a75115c
8 changed files with 25 additions and 3 deletions
--- a/.github/workflows/bootstrap.yaml
+++ b/.github/workflows/bootstrap.yaml
@ -6,6 +6,9 @@ on:
  pull_request:
    branches: [ main ]

+permissions:
+  contents: read
+
 jobs:
  github:
    runs-on: ubuntu-latest
--- a/.github/workflows/e2e-arm64.yaml
+++ b/.github/workflows/e2e-arm64.yaml
@ -5,6 +5,9 @@ on:
  push:
    branches: [ main, update-components ]

+permissions:
+  contents: read
+
 jobs:
  test:
    # Hosted on Equinix
--- a/.github/workflows/e2e-azure.yaml
+++ b/.github/workflows/e2e-azure.yaml
@ -7,6 +7,9 @@ on:
  push:
    branches: [ azure* ]

+permissions:
+  contents: read
+
 jobs:
  e2e:
    runs-on: ubuntu-22.04
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@ -6,6 +6,9 @@ on:
  pull_request:
    branches: [ main, oci ]

+permissions:
+  contents: read
+
 jobs:
  kind:
    runs-on: ubuntu-latest
--- a/.github/workflows/release-manifests.yml
+++ b/.github/workflows/release-manifests.yml
@ -5,10 +5,12 @@ on:
  workflow_dispatch:

 permissions:
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read

 jobs:
+  permissions:
+    id-token: write # needed for keyless signing
+    packages: write # needed for ghcr access
  build-push:
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -11,6 +11,10 @@ permissions:

 jobs:
  goreleaser:
+    permissions: # TODO: Segment these jobs to minimize which actions are recieving escalated perms
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
--- a/.github/workflows/scan.yaml
+++ b/.github/workflows/scan.yaml
@ -10,7 +10,6 @@ on:

 permissions:
  contents: read # for actions/checkout to fetch code
-  security-events: write # for codeQL to write security events

 jobs:
  fossa:
@ -50,6 +49,8 @@ jobs:
          sarif_file: snyk.sarif

  codeql:
+    permissions:
+      security-events: write # for codeQL to write security events
    name: CodeQL
    runs-on: ubuntu-latest
    if: github.actor != 'dependabot[bot]'
--- a/.github/workflows/update.yaml
+++ b/.github/workflows/update.yaml
@ -7,6 +7,9 @@ on:
  push:
    branches: [main]

+permissions:
+  contents: read
+
 jobs:
  update-components:
    runs-on: ubuntu-latest