From 5006d0c5239362068a1b6a7e973f2a82093117fe Mon Sep 17 00:00:00 2001
From: Christian
Date: Wed, 12 Jun 2024 10:20:51 -0500
Subject: [PATCH] Improve Workflow Permissions

---
 .github/workflows/on-merge-to-main.yml | 2 ++
 .github/workflows/on-prerelease.yml | 5 ++---
 .github/workflows/on-pullrequest-dockerfile.yml | 2 ++
 .github/workflows/on-pullrequest.yml | 6 ++----
 .github/workflows/on-release.yml | 2 ++
 5 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/on-merge-to-main.yml b/.github/workflows/on-merge-to-main.yml
index fbf57e9b..df9c22bd 100644
--- a/.github/workflows/on-merge-to-main.yml
+++ b/.github/workflows/on-merge-to-main.yml
@@ -9,6 +9,8 @@ on:
 branches:
 - main
 
+permissions: read-all
+
 env:
 API_URL: https://api.github.com/repos/${{ github.repository }}
 GITHUB_TOKEN: ${{ secrets.PAT_ATTACH_TO_RELEASE }}
diff --git a/.github/workflows/on-prerelease.yml b/.github/workflows/on-prerelease.yml
index f59371a5..93942882 100644
--- a/.github/workflows/on-prerelease.yml
+++ b/.github/workflows/on-prerelease.yml
@@ -9,6 +9,8 @@ on:
 types:
 - prereleased
 
+permissions: read-all
+
 env:
 ARTIFACTS_API_KEY: ${{ secrets.AZURE_ARTIFACTS_PERSONAL_ACCESS_TOKEN }}
 GITHUB_TOKEN: ${{ secrets.PAT_ATTACH_TO_RELEASE }}
@@ -143,7 +145,6 @@ jobs:
 runs-on: ubuntu-latest
 needs: azure-publish
 permissions:
- actions: read
 contents: write
 outputs:
 sbom-hash-code: ${{ steps.sbom-hash-code.outputs.sbom-hash-code }}
@@ -191,7 +192,6 @@ jobs:
 needs:
 - sbom-create
 permissions:
- actions: read
 contents: write
 steps:
 - name: Download the SBOM
@@ -228,7 +228,6 @@ jobs:
 name: Create Provenance
 needs: azure-publish
 permissions:
- actions: read
 id-token: write
 contents: write
 uses: Ed-Fi-Alliance-OSS/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
diff --git a/.github/workflows/on-pullrequest-dockerfile.yml b/.github/workflows/on-pullrequest-dockerfile.yml
index ff33c635..b98a198c 100644
--- a/.github/workflows/on-pullrequest-dockerfile.yml
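Review bot: The new workflow-level `permissions: read-all` does not reach the token most steps in this file will actually use, because the `env:` block directly below it sets `GITHUB_TOKEN` to `${{ secrets.PAT_ATTACH_TO_RELEASE }}`, and `permissions:` only scopes the built-in installation token, never a PAT. Any step or CLI that reads `GITHUB_TOKEN` from the environment therefore runs with whatever scopes that PAT carries regardless of this change; the same pairing is visible in the `@@ -9` hunk of on-prerelease.yml and the `@@ -10` hunk of on-release.yml. Consider moving that `env:` entry from workflow scope down to the job or step that attaches release assets, and recording the limitation next to the new key: `# permissions: scopes the built-in GITHUB_TOKEN only; steps that read env.GITHUB_TOKEN run with the PAT's scopes`. Separately, `read-all` grants read on every scope (issues, pull-requests, packages, deployments, ...); if the jobs that need more already elevate themselves, a `permissions:` map containing only `contents: read` is the narrower default. The `on:` block this hunk sits inside starts outside the hunk.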
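Review bot: Removing `actions: read` from this job's `permissions:` block does not leave the job with the workflow-level `read-all`; when a job declares `permissions:` at all, GitHub sets every scope not listed to `none`, so after this hunk the sbom-create job holds only `contents: write`. The same applies to the hunks at `@@ -191` and `@@ -228` in this file and at `@@ -82` and `@@ -101` in on-pullrequest.yml, where the jobs that keep `security-events: write` also lose `contents: read`, which `actions/checkout` relies on at least for a private repository. For the `Create Provenance` job, which calls the reusable `generator_generic_slsa3.yml` workflow, the upstream slsa-github-generator documents `actions: read` as a required caller permission, so confirm the Ed-Fi fork does not carry the same requirement before dropping it. If the intent is for these jobs to keep read access, the job-level block has to list it explicitly, e.g. `permissions:` followed by `actions: read` / `contents: read` / `security-events: write`, rather than relying on the top-level key. The `jobs:` block enclosing each of these hunks starts outside the hunk.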
+++ b/.github/workflows/on-pullrequest-dockerfile.yml
@@ -17,6 +17,8 @@ on:
 - "docker/*"
 workflow_dispatch:
 
+permissions: read-all
+
 jobs:
 docker-testing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/on-pullrequest.yml b/.github/workflows/on-pullrequest.yml
index f0e0717e..4a72955d 100644
--- a/.github/workflows/on-pullrequest.yml
+++ b/.github/workflows/on-pullrequest.yml
@@ -13,6 +13,8 @@ on:
 - ".github/**"
 workflow_dispatch:
 
+permissions: read-all
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
@@ -82,8 +84,6 @@ jobs:
 needs: upgrade
 runs-on: ubuntu-latest
 permissions:
- actions: read
- contents: read
 security-events: write
 steps:
@@ -101,8 +101,6 @@ jobs:
 env:
 SRC_DIR: Meadowlark-js
 permissions:
- actions: read
- contents: read
 security-events: write
 steps:
diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
index 2b963b5d..4f86f095 100644
--- a/.github/workflows/on-release.yml
+++ b/.github/workflows/on-release.yml
@@ -10,6 +10,8 @@ on:
 types:
 - released
 
+permissions: read-all
+
 env:
 ARTIFACTS_API_KEY: ${{ secrets.AZURE_ARTIFACTS_PERSONAL_ACCESS_TOKEN }}
 ARTIFACTS_USERNAME: ${{ vars.AZURE_ARTIFACTS_USER_NAME }}