From 97de5a1855a4801b6d69e80c1863abfe388ac653 Mon Sep 17 00:00:00 2001
From: Simon Thulbourn
Date: Wed, 12 Feb 2025 09:18:24 +0000
Subject: [PATCH] chore(ci): update permissions
---
 .github/workflows/build-docs.yml | 3 +++
 .github/workflows/dispatch_analytics.yml | 25 ++++++++++++------------
 .github/workflows/docs.yml | 4 ++--
 .github/workflows/pr_artifacts_size.yml | 4 ++++
 .github/workflows/pr_build.yml | 5 ++++-
 .github/workflows/pr_build_v2.yml | 5 ++++-
 .github/workflows/pr_iac_lint.yml | 4 ++++
 .github/workflows/publish.yml | 6 ++++++
 .github/workflows/release-drafter.yml | 5 +++++
 .github/workflows/release-prep.yml | 5 +++++
 .github/workflows/run-e2e-tests-v2.yml | 3 +++
 .github/workflows/run-e2e-tests.yml | 4 +++-
 .github/workflows/secure_workflows.yml | 5 +++--
 .github/workflows/spotbugs.yml | 4 ++++
 14 files changed, 63 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
index a4ab6e7de..c61d20b09 100644
--- a/.github/workflows/build-docs.yml
+++ b/.github/workflows/build-docs.yml
@@ -18,6 +18,9 @@ on:
 - 'mkdocs.yml'
 - 'Makefile'
 
+permissions:
+ contents: read
+
 jobs:
 docs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dispatch_analytics.yml b/.github/workflows/dispatch_analytics.yml
index c93cb5b36..d12e2ca62 100644
--- a/.github/workflows/dispatch_analytics.yml
+++ b/.github/workflows/dispatch_analytics.yml
@@ -7,22 +7,23 @@ on:
 - cron: '0 * * * *'
 
 permissions:
- id-token: write
- actions: read
- checks: read
 contents: read
- deployments: read
- issues: read
- discussions: read
- packages: read
- pages: read
- pull-requests: read
- repository-projects: read
- security-events: read
- statuses: read
 
 jobs:
 dispatch_token:
+ permissions:
+ id-token: write
+ actions: read
+ checks: read
+ deployments: read
+ issues: read
+ discussions: read
+ packages: read
+ pages: read
+ pull-requests: read
+ repository-projects: read
+ security-events: read
+ statuses: read
 concurrency:
 group: analytics
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 5e37c5f45..eecf384fa 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -7,14 +7,14 @@ on:
 workflow_dispatch: {}
 
 permissions:
- id-token: write
 contents: write
- pages: write
 
 jobs:
 docs:
 runs-on: ubuntu-latest
 environment: Docs
+ permissions:
+ id-token: write
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: Set up Python
diff --git a/.github/workflows/pr_artifacts_size.yml b/.github/workflows/pr_artifacts_size.yml
index ab9ca9859..be0f2a727 100644
--- a/.github/workflows/pr_artifacts_size.yml
+++ b/.github/workflows/pr_artifacts_size.yml
@@ -23,6 +23,10 @@ on:
 - 'powertools-validation/**'
 - 'pom.xml'
 - '.github/workflows/pr_artifacts_size.yml'
+
+permissions:
+ contents: read
+
 jobs:
 codecheck:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 634a4ee0f..b1b8581b2 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -45,6 +45,10 @@ on:
 - 'pom.xml'
 - 'examples/pom.xml'
 - '.github/workflows/**'
+
+permissions:
+ contents: read
+
 jobs:
 build-corretto:
 runs-on: ubuntu-latest
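Review bot: The job-level `permissions` block added to dispatch_token replaces the workflow-level block rather than merging with it, so the `contents: read` kept at the top of the file no longer applies to this job and every scope missing from the job block is `none`; if a step checks out the repository, `contents: read` has to be repeated inside the job block. The same override affects the job-level `id-token: write` blocks added in docs.yml, publish.yml, release-drafter.yml and release-prep.yml, and the `contents: read` dropped from the still-present job-level blocks in pr_build.yml, pr_build_v2.yml and run-e2e-tests.yml, each of which is followed directly by an `actions/checkout` step (on a private repository that checkout fails; on a public one it should at least be verified). In docs.yml the `docs` job additionally loses the deleted `pages: write` and the workflow-level `contents: write`, which a Pages deployment step would need. The twelve read scopes moved into dispatch_token are also unusual for a job whose visible purpose is minting an OIDC token; unless a step consumes them, trimming the block to `id-token: write` (plus `contents: read` where needed) is the least-privilege shape. The dispatch_token job's steps lie outside the hunk, so which scopes are actually used cannot be confirmed here.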
@@ -58,7 +62,6 @@ jobs:
 AWS_REGION: eu-west-1
 permissions:
 id-token: write # needed to interact with GitHub's OIDC Token endpoint.
- contents: read
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: Setup java
diff --git a/.github/workflows/pr_build_v2.yml b/.github/workflows/pr_build_v2.yml
index 3299dc720..7f9d0fd5a 100644
--- a/.github/workflows/pr_build_v2.yml
+++ b/.github/workflows/pr_build_v2.yml
@@ -41,6 +41,10 @@ on:
 - 'pom.xml'
 - 'examples/pom.xml'
 - '.github/workflows/**'
+
+permissions:
+ contents: read
+
 jobs:
 build-corretto:
 runs-on: ubuntu-latest
@@ -54,7 +58,6 @@ jobs:
 AWS_REGION: eu-west-1
 permissions:
 id-token: write # needed to interact with GitHub's OIDC Token endpoint.
- contents: read
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: Setup java
diff --git a/.github/workflows/pr_iac_lint.yml b/.github/workflows/pr_iac_lint.yml
index c6e17ab1c..b81dcc5eb 100644
--- a/.github/workflows/pr_iac_lint.yml
+++ b/.github/workflows/pr_iac_lint.yml
@@ -11,6 +11,10 @@ on:
 - v2
 paths:
 - 'examples/**'
+
+permissions:
+ contents: read
+
 jobs:
 linter:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 03f04e0f4..28fa6c4df 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,9 +4,15 @@ on:
 types:
 - published
 workflow_dispatch: {}
+
+permissions:
+ contents: read
+
 jobs:
 publish:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: Set up Maven Central Repository
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 72bd5c24f..b24e9b82e 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -6,9 +6,14 @@ on:
 branches:
 - main
 
+permissions:
+ contents: read
+
 jobs:
 update_release_draft:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - uses: release-drafter/release-drafter@569eb7ee3a85817ab916c8f8ff03a5bd96c9c83e # v5.23.0
 env:
diff --git a/.github/workflows/release-prep.yml b/.github/workflows/release-prep.yml
index f7a3c74c0..942d7fce9 100644
--- a/.github/workflows/release-prep.yml
+++ b/.github/workflows/release-prep.yml
@@ -6,9 +6,14 @@ on:
 description: 'Release number to upgrade to. For example X.X.X. Follow Semantic Versioning when deciding on next version.'
 required: true
 
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: Get current date
diff --git a/.github/workflows/run-e2e-tests-v2.yml b/.github/workflows/run-e2e-tests-v2.yml
index 255c89cfe..7b0adaf7e 100644
--- a/.github/workflows/run-e2e-tests-v2.yml
+++ b/.github/workflows/run-e2e-tests-v2.yml
@@ -27,6 +27,9 @@ on:
 paths:
 - 'powertools-e2e-tests/**'
 
+permissions:
+ contents: read
+
 jobs:
 e2e:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
index 77cdea890..4e005f3e6 100644
--- a/.github/workflows/run-e2e-tests.yml
+++ b/.github/workflows/run-e2e-tests.yml
@@ -27,6 +27,9 @@ on:
 paths:
 - 'powertools-e2e-tests/**'
 
+permissions:
+ contents: read
+
 jobs:
 e2e:
 runs-on: ubuntu-latest
@@ -40,7 +43,6 @@ jobs:
 JAVA_VERSION: ${{ matrix.java }}
 permissions:
 id-token: write # needed to interact with GitHub's OIDC Token endpoint.
- contents: read
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 - name: Setup java
diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml
index 1430e91d6..f281b2b33 100644
--- a/.github/workflows/secure_workflows.yml
+++ b/.github/workflows/secure_workflows.yml
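Review bot: The `id-token: write` granted to update_release_draft has no visible consumer — the only step in the hunk is release-drafter, which authenticates through its `env` block (presumably GITHUB_TOKEN) and, as far as I know, never requests an OIDC token — while the scope release-drafter's own documentation asks for, `contents: write` (plus `pull-requests: write` when its autolabeler is enabled), is granted by neither block after this change. I would replace the job block with `permissions:` / `contents: write` / `pull-requests: write` and drop `id-token: write`, keeping the workflow-level `contents: read` as the default for any other job. The step's `env` and inputs continue outside the hunk, so whether the autolabeler is in use cannot be settled here.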
@@ -19,12 +19,13 @@ on:
 paths:
 - ".github/workflows/**"
 
+permissions:
+ contents: read
+
 jobs:
 enforce_pinned_workflows:
 name: Harden Security
 runs-on: ubuntu-latest
- permissions:
- contents: read # checkout code and subsequently GitHub action workflows
 steps:
 - name: Checkout code
 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
diff --git a/.github/workflows/spotbugs.yml b/.github/workflows/spotbugs.yml
index d314107fa..41174c7e2 100644
--- a/.github/workflows/spotbugs.yml
+++ b/.github/workflows/spotbugs.yml
@@ -19,6 +19,10 @@ on:
 - 'powertools-test-suite/**'
 - 'pom.xml'
 - '.github/workflows/**'
+
+permissions:
+ contents: read
+
 jobs:
 codecheck:
 runs-on: ubuntu-latest
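Review bot: The removed job-level block carried the why-comment `# checkout code and subsequently GitHub action workflows`, and the replacement workflow-level `contents: read` has none; I would carry it over as `contents: read # checkout code and subsequently GitHub action workflows` so the reason for the scope survives the move. Moving the grant to workflow level is sound here, because enforce_pinned_workflows no longer declares a `permissions` block of its own and therefore inherits the workflow-level scope.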