Improve Workflow Permissions (#357)

Ed-Fi-Exchange-OSS · Jun 12, 2024 · be6c508 · be6c508
1 parent e1b717f
commit be6c508
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 7 deletions.
diff --git a/.github/workflows/on-merge-to-main.yml b/.github/workflows/on-merge-to-main.yml
@@ -9,6 +9,8 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 env:
   API_URL: https://api.github.com/repos/${{ github.repository }}
   GITHUB_TOKEN: ${{ secrets.PAT_ATTACH_TO_RELEASE }}

diff --git a/.github/workflows/on-prerelease.yml b/.github/workflows/on-prerelease.yml
@@ -9,6 +9,8 @@ on:
     types:
       - prereleased
 
+permissions: read-all
+
 env:
   ARTIFACTS_API_KEY: ${{ secrets.AZURE_ARTIFACTS_PERSONAL_ACCESS_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.PAT_ATTACH_TO_RELEASE }}
@@ -143,7 +145,6 @@ jobs:
     runs-on: ubuntu-latest
     needs: azure-publish
     permissions:
-      actions: read
       contents: write
     outputs:
       sbom-hash-code: ${{ steps.sbom-hash-code.outputs.sbom-hash-code }}
@@ -191,7 +192,6 @@ jobs:
     needs:
       - sbom-create
     permissions:
-      actions: read
       contents: write
     steps:
       - name: Download the SBOM
@@ -228,7 +228,6 @@ jobs:
     name: Create Provenance
     needs: azure-publish
     permissions:
-      actions: read
       id-token: write
       contents: write
     uses: Ed-Fi-Alliance-OSS/slsa-github-generator/.github/workflows/[email protected]

diff --git a/.github/workflows/on-pullrequest-dockerfile.yml b/.github/workflows/on-pullrequest-dockerfile.yml
@@ -17,6 +17,8 @@ on:
       - "docker/*"
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   docker-testing:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/on-pullrequest.yml b/.github/workflows/on-pullrequest.yml
@@ -13,6 +13,8 @@ on:
       - ".github/**"
   workflow_dispatch:
 
+permissions: read-all
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -82,8 +84,6 @@ jobs:
     needs: upgrade
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     steps:
@@ -101,8 +101,6 @@ jobs:
     env:
       SRC_DIR: Meadowlark-js
     permissions:
-      actions: read
-      contents: read
       security-events: write
 
     steps:

diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
@@ -10,6 +10,8 @@ on:
     types:
       - released
 
+permissions: read-all
+
 env:
   ARTIFACTS_API_KEY: ${{ secrets.AZURE_ARTIFACTS_PERSONAL_ACCESS_TOKEN }}
   ARTIFACTS_USERNAME: ${{ vars.AZURE_ARTIFACTS_USER_NAME }}