ci: Set permissions in workflows (#3011)

3 years ago · 2a47e9ddf8
parent 86214a85e1
commit 2a47e9ddf8
15 changed files with 45 additions and 0 deletions
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@ -7,6 +7,9 @@ on:
      - closed
      - labeled

+permissions:
+  contents: read
+
 jobs:
  backport:
    if: github.event.pull_request.merged
--- a/.github/workflows/check-legacy-links-format.yml
+++ b/.github/workflows/check-legacy-links-format.yml
@ -6,6 +6,9 @@ on:
      - "website/content/**/*.mdx"
      - "website/data/*-nav-data.json"

+permissions:
+  contents: read
+
 jobs:
  check-links:
    uses: hashicorp/dev-portal/.github/workflows/docs-content-check-legacy-links-format.yml@475289345d312552b745224b46895f51cc5fc490
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -4,6 +4,9 @@ on:
  schedule:
    - cron: '0 15 * * 0'

+permissions:
+  contents: read
+
 jobs:
  CodeQL-Build:

--- a/.github/workflows/enos-fmt.yml
+++ b/.github/workflows/enos-fmt.yml
@ -6,6 +6,9 @@ on:
    paths:
      - enos/**

+permissions:
+  contents: read
+
 jobs:
  fmt_check:
    # Only run this workflow on pull requests from hashicorp/boundary branches
--- a/.github/workflows/enos-run.yml
+++ b/.github/workflows/enos-run.yml
@ -13,6 +13,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 env:
  PKG_NAME: boundary

--- a/.github/workflows/jira.yml
+++ b/.github/workflows/jira.yml
@ -7,6 +7,9 @@ on:
    types: [created]
  workflow_dispatch:

+permissions:
+  contents: read
+
 name: Jira Sync

 jobs:
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@ -2,6 +2,9 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target

+permissions:
+  content: read
+
 jobs:
  triage:
    runs-on: ${{ fromJSON(vars.RUNNER) }}
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@ -1,6 +1,9 @@
 name: "golangci-lint"
 on: ["pull_request"]

+permissions:
+  contents: read
+
 jobs:
  lint:
    name: "Run Linter"
--- a/.github/workflows/make-gen-delta.yml
+++ b/.github/workflows/make-gen-delta.yml
@ -4,6 +4,9 @@ on:
  - push
  - workflow_call

+permissions:
+  contents: read
+
 jobs:
  make-gen-delta:
    name: "Check for uncommited changes from make gen"
--- a/.github/workflows/milestone-checker.yml
+++ b/.github/workflows/milestone-checker.yml
@ -11,6 +11,9 @@ on:
      - main
      - release/**

+permissions:
+  contents: read
+
 jobs:
  # checks that a milestone entry is present for a PR
  milestone-check:
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@ -7,6 +7,9 @@ on:
    branches:
      - 'main'

+permissions:
+  contents: read
+
 jobs:
  scan:
    runs-on: ubuntu-latest
--- a/.github/workflows/test-ci-bootstrap-oss.yml
+++ b/.github/workflows/test-ci-bootstrap-oss.yml
@ -1,5 +1,8 @@
 name: test-ci-bootstrap-oss

+permissions:
+  contents: read
+
 on:
  pull_request:
    branches:
--- a/.github/workflows/test-ci-cleanup-oss.yml
+++ b/.github/workflows/test-ci-cleanup-oss.yml
@ -4,6 +4,9 @@ on:
    # * is a special character in YAML so you have to quote this string
    - cron:  '05 02 * * *'

+permissions:
+  contents: read
+
 jobs:
  setup:
    if: ${{ github.event.repository.name == 'boundary' }}
--- a/.github/workflows/test-link-rewrites.yml
+++ b/.github/workflows/test-link-rewrites.yml
@ -2,6 +2,9 @@ name: Test Link Rewrites

 on: [deployment_status]

+permissions:
+  contents: read
+
 jobs:
  test-link-rewrites:
    if: github.event.deployment_status.state == 'success'
--- a/.github/workflows/test-sql.yml
+++ b/.github/workflows/test-sql.yml
@ -5,6 +5,9 @@ on:
  - push
  - workflow_call

+permissions:
+  contents: read
+
 jobs:
  test-sql:
    runs-on: ${{ fromJSON(vars.RUNNER) }}