From 9fcf48987f1cd6193a0af967fe0f11401c745f20 Mon Sep 17 00:00:00 2001 From: Christian <96142828+chrisgocode@users.noreply.github.com> Date: Tue, 11 Jun 2024 10:58:41 -0500 Subject: [PATCH] [PERF-324] Improve Workflow Permissions (#105) * Improve Workflow Permissions * set checks: write * removed redundant read permissions --- .github/workflows/Package_pre_release.yml | 2 ++ .github/workflows/codeql.yml | 4 ++-- .github/workflows/dependencies.yml | 4 ++-- .github/workflows/edfi_paging_test.yml | 5 +++++ .github/workflows/edfi_performance_test.yml | 5 +++++ .github/workflows/start-VM.yml | 2 ++ .github/workflows/stop-VM.yml | 2 ++ 7 files changed, 20 insertions(+), 4 deletions(-) diff --git a/.github/workflows/Package_pre_release.yml b/.github/workflows/Package_pre_release.yml index f685aa13..6c2285cb 100644 --- a/.github/workflows/Package_pre_release.yml +++ b/.github/workflows/Package_pre_release.yml @@ -7,6 +7,8 @@ name: Package Pre-Release-Code on: workflow_dispatch: +permissions: read-all + env: PACKAGE_NAME: Suite_3_Performance_Test_Suite_Package_Pre-Release diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index f90013d1..dd8ffc12 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -15,6 +15,8 @@ on: branches: - main +permissions: read-all + jobs: analyze: name: Analyze Code @@ -22,8 +24,6 @@ jobs: env: SRC_DIR: src/edfi-paging-test permissions: - actions: read - contents: read security-events: write strategy: diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml index 91346344..18012f2b 100644 --- a/.github/workflows/dependencies.yml +++ b/.github/workflows/dependencies.yml @@ -12,6 +12,8 @@ on: paths: - 'src/**' +permissions: read-all + jobs: scan-actions: name: Scan Actions @@ -21,8 +23,6 @@ jobs: name: Analyze Code Dependencies runs-on: ubuntu-latest permissions: - actions: read - contents: read security-events: write strategy: 
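Review bot: Removing `actions: read` and `contents: read` from the analyze job's `permissions` block in codeql.yml is not a no-op, because a job-level `permissions` key replaces the workflow-level `read-all` instead of merging with it, and every scope not listed becomes `none`; after this hunk the job runs with `security-events: write` and nothing else. On a public repository checkout may still work through anonymous clone access, but on a private repository the checkout step loses read access and the CodeQL action loses the `actions: read` it requires, so the scan fails rather than merely getting a narrower token. Keep the three scopes together in the job block: `actions: read`, `contents: read`, `security-events: write`. The job definition continues outside the hunk.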
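Review bot: In dependencies.yml the "Analyze Code Dependencies" job keeps a job-level `permissions` block, and GitHub treats such a block as a full override of the workflow-level `read-all`, setting unlisted scopes to `none` for that job; with `actions: read` and `contents: read` deleted, this job now has only `security-events: write`. If the job checks out the repository or uploads results on a private repository (its steps are outside the hunk) it will lose access it had before this commit, while the `scan-actions` job above it, which declares no block, still inherits the full read set. Restore the explicit reads next to the write: `actions: read`, `contents: read`, `security-events: write`.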
diff --git a/.github/workflows/edfi_paging_test.yml b/.github/workflows/edfi_paging_test.yml index 52f25b63..86780608 100644 --- a/.github/workflows/edfi_paging_test.yml +++ b/.github/workflows/edfi_paging_test.yml @@ -17,6 +17,8 @@ on: - main workflow_dispatch: +permissions: read-all + jobs: test-edfi-paging-test: name: Run unit, style, and type checks @@ -25,6 +27,9 @@ jobs: PACKAGE_NAME: edfi-paging-test SRC_DIR: src/edfi-paging-test LOCK_FILE: src/edfi-paging-test/poetry.lock + permissions: + checks: write + steps: - name: Checkout code uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 diff --git a/.github/workflows/edfi_performance_test.yml b/.github/workflows/edfi_performance_test.yml index 8babecaf..17095e93 100644 --- a/.github/workflows/edfi_performance_test.yml +++ b/.github/workflows/edfi_performance_test.yml @@ -17,6 +17,8 @@ on: - main workflow_dispatch: +permissions: read-all + jobs: test-edfi-performance-test: name: Run unit, style, and type checks @@ -25,6 +27,9 @@ jobs: PACKAGE_NAME: edfi-performance-test SRC_DIR: src/edfi-performance-test LOCK_FILE: src/edfi-performance-test/poetry.lock + permissions: + checks: write + steps: - name: Checkout code uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 diff --git a/.github/workflows/start-VM.yml b/.github/workflows/start-VM.yml index 9edd5ff0..eae10ed3 100644 --- a/.github/workflows/start-VM.yml +++ b/.github/workflows/start-VM.yml @@ -7,6 +7,8 @@ name: Start Azure VM on: workflow_dispatch: +permissions: read-all + env: AzureADServicePrincipalPassword: ${{ secrets.AZURE_SERVICE_PRINCIPAL_PASSWORD }} AzureADApplicationId: ${{ vars.AZURE_SERVICE_APPLICATION_ID }} diff --git a/.github/workflows/stop-VM.yml b/.github/workflows/stop-VM.yml index 96fe9fbe..31f42e60 100644 --- a/.github/workflows/stop-VM.yml +++ b/.github/workflows/stop-VM.yml 
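Review bot: The new job-level `permissions: checks: write` on test-edfi-paging-test narrows the token to that single scope, because a job-level `permissions` key supersedes the workflow-level `read-all` rather than adding to it; `contents: read` is therefore gone for the `actions/checkout` step immediately below. On a public repository the clone may still succeed anonymously, but on a private repository checkout fails. Declare both scopes in the job block, `contents: read` and `checks: write`. Note also that on `pull_request` runs from forks GITHUB_TOKEN is read-only regardless of this block, so whichever step needs `checks: write` (not visible here) should be conditioned on the event or head repository to avoid a guaranteed failure on fork PRs.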
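Review bot: test-edfi-performance-test now carries a job-level `permissions` block containing only `checks: write`, which GitHub applies as a complete replacement for the workflow-level `read-all`, so the job's token no longer has `contents: read` when the `actions/checkout` step that follows runs. This is masked on a public repository and breaks checkout on a private one. Add the read scope alongside the write: `contents: read` / `checks: write`. As with any write scope, it will not be honoured on fork pull requests, where the token is forced read-only.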
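Review bot: `permissions: read-all` in start-VM.yml is wider than the workflow appears to need: the visible `env` block authenticates to Azure with a service-principal password and application id, not with GITHUB_TOKEN, so unless a step outside the hunk checks out the repository the token can be `permissions: {}`, or `contents: read` at most. `read-all` also grants read on packages, deployments, issues and pull requests, none of which anything shown here uses. Separately, because `AzureADServicePrincipalPassword` is set in the workflow-level `env`, it is present in the environment of every step and third-party action in the job; scoping it to the login step, or replacing the password with an OIDC federated credential under `id-token: write`, would keep a long-lived secret out of the runner environment.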
@@ -7,6 +7,8 @@ name: Stop Azure VM on: workflow_dispatch: +permissions: read-all + env: AzureADServicePrincipalPassword: ${{ secrets.AZURE_SERVICE_PRINCIPAL_PASSWORD }} AzureADApplicationId: ${{ vars.AZURE_SERVICE_APPLICATION_ID }}
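Review bot: `read-all` is a broader grant than stop-VM.yml seems to require, since the `env` block below shows the job authenticating to Azure with a service-principal secret rather than with GITHUB_TOKEN. If no later step (outside the hunk) uses the token, `permissions: {}` is the least-privilege choice; if a checkout exists, `contents: read` is enough. Keeping the grant minimal here matters because the same runner environment holds `AzureADServicePrincipalPassword`, so a compromised action in this job should gain nothing extra from the GitHub side.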