From 2a47e9ddf8ef52a6cd15dcce2b71571415a5d140 Mon Sep 17 00:00:00 2001 From: Timothy Messier Date: Thu, 23 Feb 2023 15:50:26 -0500 Subject: [PATCH] ci: Set permissions in workflows (#3011) --- .github/workflows/backport.yml | 3 +++ .github/workflows/check-legacy-links-format.yml | 3 +++ .github/workflows/codeql-analysis.yml | 3 +++ .github/workflows/enos-fmt.yml | 3 +++ .github/workflows/enos-run.yml | 3 +++ .github/workflows/jira.yml | 3 +++ .github/workflows/labeler.yml | 3 +++ .github/workflows/linting.yml | 3 +++ .github/workflows/make-gen-delta.yml | 3 +++ .github/workflows/milestone-checker.yml | 3 +++ .github/workflows/security-scan.yml | 3 +++ .github/workflows/test-ci-bootstrap-oss.yml | 3 +++ .github/workflows/test-ci-cleanup-oss.yml | 3 +++ .github/workflows/test-link-rewrites.yml | 3 +++ .github/workflows/test-sql.yml | 3 +++ 15 files changed, 45 insertions(+) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 33e6c6ae12..611ca008dc 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -7,6 +7,9 @@ on: - closed - labeled +permissions: + contents: read + jobs: backport: if: github.event.pull_request.merged diff --git a/.github/workflows/check-legacy-links-format.yml b/.github/workflows/check-legacy-links-format.yml index c71adef27f..d7c7172dfb 100644 --- a/.github/workflows/check-legacy-links-format.yml +++ b/.github/workflows/check-legacy-links-format.yml @@ -6,6 +6,9 @@ on: - "website/content/**/*.mdx" - "website/data/*-nav-data.json" +permissions: + contents: read + jobs: check-links: uses: hashicorp/dev-portal/.github/workflows/docs-content-check-legacy-links-format.yml@475289345d312552b745224b46895f51cc5fc490 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e8fcb22952..2b785e788e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
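Review bot: In backport.yml the new workflow-level `permissions: contents: read` resets every scope not listed to `none`, so if the `backport` job (its body is outside the hunk) pushes a backport branch or opens a pull request with the default `GITHUB_TOKEN`, it will now fail with a 403 rather than a clean error. If the job authenticates with a dedicated PAT or GitHub App token instead, the restriction is correct and should be stated so the next reader does not "fix" it, e.g. `# GITHUB_TOKEN is read-only; the backport job uses its own token for pushes/PRs.` Otherwise grant the minimum at job level rather than widening the workflow default, e.g. `permissions: { contents: write, pull-requests: write }` on the `backport` job only.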
@@ -4,6 +4,9 @@ on: schedule: - cron: '0 15 * * 0' +permissions: + contents: read + jobs: CodeQL-Build: diff --git a/.github/workflows/enos-fmt.yml b/.github/workflows/enos-fmt.yml index e4bbfa9e0c..cbb3bf2277 100644 --- a/.github/workflows/enos-fmt.yml +++ b/.github/workflows/enos-fmt.yml @@ -6,6 +6,9 @@ on: paths: - enos/** +permissions: + contents: read + jobs: fmt_check: # Only run this workflow on pull requests from hashicorp/boundary branches diff --git a/.github/workflows/enos-run.yml b/.github/workflows/enos-run.yml index 1b42bb63b7..f0aa0f928f 100644 --- a/.github/workflows/enos-run.yml +++ b/.github/workflows/enos-run.yml @@ -13,6 +13,9 @@ on: required: true type: string +permissions: + contents: read + env: PKG_NAME: boundary diff --git a/.github/workflows/jira.yml b/.github/workflows/jira.yml index e539c0d5d3..6f3dfa323f 100644 --- a/.github/workflows/jira.yml +++ b/.github/workflows/jira.yml @@ -7,6 +7,9 @@ on: types: [created] workflow_dispatch: +permissions: + contents: read + name: Jira Sync jobs: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 5065472feb..bd27bd3deb 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -2,6 +2,9 @@ name: "Pull Request Labeler" on: - pull_request_target +permissions: + content: read + jobs: triage: runs-on: ${{ fromJSON(vars.RUNNER) }} diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 4a2ad3e31c..acf7e7f6d5 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -1,6 +1,9 @@ name: "golangci-lint" on: ["pull_request"] +permissions: + contents: read + jobs: lint: name: "Run Linter" diff --git a/.github/workflows/make-gen-delta.yml b/.github/workflows/make-gen-delta.yml index 850acd00d6..3055a49834 100644 --- a/.github/workflows/make-gen-delta.yml +++ b/.github/workflows/make-gen-delta.yml 
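Review bot: Declaring `permissions: contents: read` at the top of codeql-analysis.yml removes `security-events: write` from the workflow token, which `github/codeql-action/analyze` needs to upload SARIF results to code scanning; unless the `CodeQL-Build` job (its steps are outside the hunk) declares its own `permissions:` block, the upload step will fail and the scheduled scan will silently stop producing alerts. Keep the workflow default read-only and add the scope on the job: `permissions:` / `  contents: read` / `  security-events: write` under `CodeQL-Build:`. Per the codeql-action documentation `actions: read` is additionally required for private repositories, so check which applies here.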
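Review bot: The key added to labeler.yml is `content: read`, not `contents: read`; `content` is not a recognized permission scope, so GitHub will reject the workflow as invalid (or at best ignore the key), and because a workflow-level `permissions:` block still resets every unlisted scope to `none`, the `triage` job also loses the `pull-requests: write` it needs to apply labels. This workflow runs on `pull_request_target`, which executes with a write-capable token against the base repository, so the scopes should be spelled out explicitly and minimally: `permissions:` / `  contents: read` / `  pull-requests: write`. The triage job's steps are outside the hunk; confirm it does not check out or execute code from the PR head under that token.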
@@ -4,6 +4,9 @@ on: - push - workflow_call +permissions: + contents: read + jobs: make-gen-delta: name: "Check for uncommited changes from make gen" diff --git a/.github/workflows/milestone-checker.yml b/.github/workflows/milestone-checker.yml index 369d120369..1b0f1c3b81 100644 --- a/.github/workflows/milestone-checker.yml +++ b/.github/workflows/milestone-checker.yml @@ -11,6 +11,9 @@ on: - main - release/** +permissions: + contents: read + jobs: # checks that a milestone entry is present for a PR milestone-check: diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 3bcac3df41..6388ef2618 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -7,6 +7,9 @@ on: branches: - 'main' +permissions: + contents: read + jobs: scan: runs-on: ubuntu-latest diff --git a/.github/workflows/test-ci-bootstrap-oss.yml b/.github/workflows/test-ci-bootstrap-oss.yml index c288ef392d..daa5460372 100644 --- a/.github/workflows/test-ci-bootstrap-oss.yml +++ b/.github/workflows/test-ci-bootstrap-oss.yml @@ -1,5 +1,8 @@ name: test-ci-bootstrap-oss +permissions: + contents: read + on: pull_request: branches: diff --git a/.github/workflows/test-ci-cleanup-oss.yml b/.github/workflows/test-ci-cleanup-oss.yml index 045f0e8d73..321ac6761a 100644 --- a/.github/workflows/test-ci-cleanup-oss.yml +++ b/.github/workflows/test-ci-cleanup-oss.yml @@ -4,6 +4,9 @@ on: # * is a special character in YAML so you have to quote this string - cron: '05 02 * * *' +permissions: + contents: read + jobs: setup: if: ${{ github.event.repository.name == 'boundary' }} diff --git a/.github/workflows/test-link-rewrites.yml b/.github/workflows/test-link-rewrites.yml index 0a051dae24..3d71c0d273 100644 --- a/.github/workflows/test-link-rewrites.yml +++ b/.github/workflows/test-link-rewrites.yml 
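Review bot: security-scan.yml's `scan` job (its steps are outside the hunk) runs on `main` pushes and, if it uploads findings to code scanning like comparable HashiCorp scan workflows do, `contents: read` at workflow level strips `security-events: write` and the upload step will fail on the next run. If that is the case, add `permissions:` / `  contents: read` / `  security-events: write` on the `scan` job rather than at the top; if the job only prints or artifacts its results, the current read-only default is correct and a one-line comment saying so (`# scan only archives results; no code-scanning upload`) would prevent someone widening it later.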
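Review bot: test-ci-bootstrap-oss.yml places the new `permissions:` block between `name:` and `on:`, while every other file in this patch puts it after the `on:` block and before `jobs:`/`env:`; both parse, but the inconsistent placement makes a `grep -A2 permissions:` audit across `.github/workflows` harder to read. Move the block below the `on:` section in that file so all 15 workflows follow the same `name` → `on` → `permissions` → `jobs` order. The bootstrap and cleanup jobs themselves are outside the hunk; if they assume cloud credentials via OIDC they will additionally need `id-token: write` at job level, which the read-only default now denies.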
@@ -2,6 +2,9 @@ name: Test Link Rewrites on: [deployment_status] +permissions: + contents: read + jobs: test-link-rewrites: if: github.event.deployment_status.state == 'success' diff --git a/.github/workflows/test-sql.yml b/.github/workflows/test-sql.yml index b4d519b7f8..ce3a21400c 100644 --- a/.github/workflows/test-sql.yml +++ b/.github/workflows/test-sql.yml @@ -5,6 +5,9 @@ on: - push - workflow_call +permissions: + contents: read + jobs: test-sql: runs-on: ${{ fromJSON(vars.RUNNER) }}