chore(ci): sets base permissions on all workflows (#1801)

sthulb · web-flow · commit 17f9ab067bd2 · 2023-11-29T09:25:26.000+01:00
adds pull requests write permission

add permissions for packages, id-token

add permissions

add permissions

all the permissions!
diff --git a/.github/workflows/closed-issues-message.yml b/.github/workflows/closed-issues-message.yml
@@ -2,9 +2,15 @@ name: Closed Issue Message
 on:
   issues:
     types: [closed]
+
+permissions:
+  contents: read
+
 jobs:
   auto_comment:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
       - uses: aws-actions/closed-issue-message@36b7048ea77bb834d16e7a7c5b5471ac767a4ca1 # v1.0.0
         with:
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
     # Guardrails to only ever run if PR recording workflow was indeed
@@ -18,6 +21,8 @@ jobs:
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   label_pr:
+    permissions:
+      pull-requests: write
     needs: get_pr_details
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/make-release.yml b/.github/workflows/make-release.yml
@@ -1,6 +1,10 @@
 name: Make Release
 on:
   workflow_dispatch: {}
+
+permissions:
+  contents: read
+
 concurrency:
   group: on-release-publish
 jobs:
diff --git a/.github/workflows/make-v2-release.yml b/.github/workflows/make-v2-release.yml
@@ -1,6 +1,10 @@
 name: Make Release v2 (pre-release)
 on:
   workflow_dispatch: {}
+
+permissions:
+  contents: read
+
 concurrency:
   group: on-release-publish
 jobs:
diff --git a/.github/workflows/measure-packages-size.yml b/.github/workflows/measure-packages-size.yml
@@ -7,8 +7,13 @@ on:
         description: "PR Number"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   measure-utils-sizes:
+    permissions:
+        pull-requests: write
     runs-on: ubuntu-latest
     env:
       NODE_ENV: dev
diff --git a/.github/workflows/on-doc-v2-merge.yml b/.github/workflows/on-doc-v2-merge.yml
@@ -8,6 +8,9 @@ on:
       - "docs/**"
       - "mkdocs.yml"
 
+permissions:
+  contents: read
+  
 jobs:
   release-docs:
     permissions:
diff --git a/.github/workflows/on-merge-to-main.yml b/.github/workflows/on-merge-to-main.yml
@@ -5,12 +5,18 @@ on:
     workflows: ["Record PR details"]
     types:
       - completed
+
 concurrency:
   group: on-merge-to-main
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
+    permissions:
+      pull-requests: read
     uses: ./.github/workflows/reusable_export_pr_details.yml
     with:
       record_pr_workflow_id: ${{ github.event.workflow_run.id }}
@@ -22,6 +28,8 @@ jobs:
     if: ${{ needs.get_pr_details.outputs.prIsMerged == 'true' }}
     uses: ./.github/workflows/reusable-run-linting-check-and-unit-tests.yml
   update-release-draft:
+    permissions:
+      contents: write
     needs: run-unit-tests
     runs-on: ubuntu-latest
     steps:
@@ -32,6 +40,9 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   release_label_on_merge:
+    permissions:
+      pull-requests: read
+      contents: write
     needs: [get_pr_details, update-release-draft]
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/on-workflows-push-pr.yml b/.github/workflows/on-workflows-push-pr.yml
@@ -8,10 +8,15 @@ on:
     paths:
       - ".github/workflows/**"
 
+permissions:
+  contents: read
+
 jobs:
   enforce_pinned_workflows:
     name: Harden Security
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
     steps:
       - name: Checkout code
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3.5.2
diff --git a/.github/workflows/on_doc_merge.yml b/.github/workflows/on_doc_merge.yml
@@ -8,6 +8,9 @@ on:
       - "docs/**"
       - "mkdocs.yml"
 
+permissions:
+  contents: read
+
 jobs:
   release-docs:
     permissions:
diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
@@ -16,6 +19,9 @@ jobs:
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}
   check_related_issue:
+    permissions:
+      issues: read
+      pull-requests: write
     needs: get_pr_details
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
@@ -12,6 +12,9 @@ on:
   release:
     types: [released]
 
+permissions:
+  contents: read
+
 jobs:
   post_release:
     permissions:
diff --git a/.github/workflows/pr-run-linting-check-and-unit-tests.yml b/.github/workflows/pr-run-linting-check-and-unit-tests.yml
@@ -3,6 +3,10 @@ name: On PR code update
 on:
   pull_request:
     types: [opened, synchronize]
+
+permissions:
+  contents: read
+
 jobs:
   run-unit-tests:
     uses: ./.github/workflows/reusable-run-linting-check-and-unit-tests.yml
diff --git a/.github/workflows/rebuild-latest-docs.yml b/.github/workflows/rebuild-latest-docs.yml
@@ -13,6 +13,9 @@ on:
         description: "Latest npm published version to rebuild latest docs for, e.g. 1.6.0"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   release-docs:
     permissions:
diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [opened, edited, closed]
 
+permissions:
+  contents: read
+
 jobs:
   record_pr:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/reusable-run-linting-check-and-unit-tests.yml b/.github/workflows/reusable-run-linting-check-and-unit-tests.yml
@@ -3,6 +3,9 @@ name: Run unit tests
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   run-linting-check-and-unit-tests-on-utilities:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/reusable_deploy_layer_stack.yml b/.github/workflows/reusable_deploy_layer_stack.yml
@@ -1,9 +1,5 @@
 name: Deploy cdk stack
 
-permissions:
-  id-token: write
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -23,9 +19,13 @@ on:
       target-account-role:
         required: true
 
+permissions:
+  contents: read
 
 jobs:
   deploy-cdk-stack:
+    permissions:
+      id-token: write
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
@@ -33,10 +33,15 @@ on:
         description: "Whether PR is merged"
         value: ${{ jobs.export_pr_details.outputs.prIsMerged }}
 
+permissions:
+  contents: read
+
 jobs:
   export_pr_details:
     # see https://github.com/aws-powertools/powertools-lambda-python/issues/1349
     if: inputs.workflow_origin == 'aws-powertools/powertools-lambda-typescript'
+    permissions:
+      pull-requests: read
     runs-on: ubuntu-latest
     env:
       FILENAME: pr.txt
diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
@@ -8,6 +8,9 @@ on:
         required: false
         default: ''
 
+permissions:
+  contents: read
+
 jobs:
   run-e2e-tests-on-utils:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/stale-issues.yml b/.github/workflows/stale-issues.yml
@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   check-issues:
     runs-on: ubuntu-latest
