Apply the principle of least privilege for GitHub workflows (#33534)

Closes #33544 Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
2024-10-04 09:17:35 -03:00 · 2024-10-04 09:17:35 -03:00 · 61c6bd5ace
commit 61c6bd5ace
parent 7b85fc3319
13 changed files with 40 additions and 1 deletions
--- a/.github/workflows/aurora-delete.yml
+++ b/.github/workflows/aurora-delete.yml
@ -12,6 +12,9 @@ on:
        type: string
        required: true

+permissions:
+  contents: read
+
 jobs:
  delete:
    name: Delete Aurora DB
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -22,6 +22,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+
 jobs:

  conditional:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -22,6 +22,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+
 jobs:

  conditional:
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@ -21,6 +21,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+  
 jobs:

  conditional:
@ -99,4 +102,4 @@ jobs:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/status-check
        with:
-          jobs: ${{ toJSON(needs) }}
+          jobs: ${{ toJSON(needs) }}
--- a/.github/workflows/guides.yml
+++ b/.github/workflows/guides.yml
@ -21,6 +21,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+
 jobs:

  conditional:
--- a/.github/workflows/js-ci.yml
+++ b/.github/workflows/js-ci.yml
@ -21,6 +21,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+
 jobs:
  conditional:
    name: Check conditional workflows and jobs
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@ -3,6 +3,9 @@ on:
  pull_request_target:
    types: closed

+permissions:
+  contents: read
+  
 jobs:
  label:

--- a/.github/workflows/operator-ci.yml
+++ b/.github/workflows/operator-ci.yml
@ -23,6 +23,9 @@ concurrency:
  group: operator-ci-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:

  conditional:
--- a/.github/workflows/quarkus-next.yml
+++ b/.github/workflows/quarkus-next.yml
@ -14,6 +14,9 @@ concurrency:
  group: quarkus-next-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+  
 jobs:
  update-quarkus-next-branch:
    name: Update quarkus-next branch
--- a/.github/workflows/schedule-nightly.yml
+++ b/.github/workflows/schedule-nightly.yml
@ -5,6 +5,9 @@ on:
    - cron: '0 0 * * *'
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:

  setup:
--- a/.github/workflows/snyk-analysis.yml
+++ b/.github/workflows/snyk-analysis.yml
@ -10,6 +10,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+
 jobs:
  analysis:
    name: Analysis of Quarkus and Operator
--- a/.github/workflows/trivy-analysis.yml
+++ b/.github/workflows/trivy-analysis.yml
@ -7,6 +7,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+  
 jobs:

  analysis:
--- a/.github/workflows/weblate.yml
+++ b/.github/workflows/weblate.yml
@ -22,6 +22,9 @@ concurrency:
  group: weblate-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+  
 jobs:
  update-weblate:
    name: Trigger Weblate to pull the latest changes