Minimal GitHub Action token permissions. (#1104)

Signed-off-by: Fabian Kammel <[email protected]>
edgelesssys · Jan 30, 2023 · 48c8a66 · 48c8a66
1 parent 32848db
commit 48c8a66
Show file tree

Hide file tree

Showing 9 changed files with 55 additions and 15 deletions.
diff --git a/.github/actions/build_micro_service/action.yml b/.github/actions/build_micro_service/action.yml
@@ -1,3 +1,8 @@
+# Required permissions:
+#
+# permissions:
+#   packages: write # for docker/build-push-action
+#
 name: Build micro service
 description: Build and upload a container image for a Constellation micro-service
 inputs:

diff --git a/.github/workflows/azure-snp-reporter.yml b/.github/workflows/azure-snp-reporter.yml
@@ -8,6 +8,8 @@ jobs:
   build-snp-reporter:
     name: "Build SNP-reporter container"
     runs-on: ubuntu-22.04
+    permissions:
+      packages: write
     steps:
       - name: Checkout
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

diff --git a/.github/workflows/build-os-image-scheduled.yml b/.github/workflows/build-os-image-scheduled.yml
@@ -34,6 +34,10 @@ jobs:
   build-image:
     needs: stream
     uses: ./.github/workflows/build-os-image.yml
+    permissions:
+      id-token: write
+      contents: read
+      packages: read
     secrets: inherit
     with:
       stream: ${{ needs.stream.outputs.stream }}

diff --git a/.github/workflows/build-os-image.yml b/.github/workflows/build-os-image.yml
@@ -774,6 +774,9 @@ jobs:
     needs: [upload-image-lookup-table, build-settings]
     name: "Add version to versionsapi"
     if: needs.build-settings.outputs.ref != '-'
+    permissions:
+      contents: read
+      id-token: write
     uses: ./.github/workflows/versionsapi.yml
     with:
       command: add

diff --git a/.github/workflows/e2e-mini.yml b/.github/workflows/e2e-mini.yml
@@ -14,14 +14,13 @@ on:
         description: "Git ref to checkout"
         required: true
 
-permissions:
-  id-token: write
-  contents: read
-
 jobs:
   e2e-mini:
     runs-on: ubuntu-22.04
     environment: e2e
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Checkout
         id: checkout

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -60,6 +60,8 @@ jobs:
     runs-on: ubuntu-22.04
     if: inputs.kind == 'minor'
     needs: verify-inputs
+    permissions:
+      contents: write
     env:
       VERSION: ${{ inputs.version }}
       MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
@@ -94,6 +96,8 @@ jobs:
     name: Prepare release branch
     runs-on: ubuntu-22.04
     needs: verify-inputs
+    permissions:
+      contents: write
     env:
       BRANCH: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
     steps:
@@ -114,6 +118,9 @@ jobs:
     name: Build micro services
     needs: [verify-inputs, prepare-release-branch]
     uses: ./.github/workflows/build-micro-service-manual.yml
+    permissions:
+      contents: read
+      packages: write
     secrets: inherit
     strategy:
       matrix:
@@ -131,6 +138,9 @@ jobs:
     needs: [verify-inputs, prepare-release-branch]
     secrets: inherit
     uses: ./.github/workflows/build-operator-manual.yml
+    permissions:
+      contents: read
+      packages: write
     with:
       imageTag: ${{ inputs.version }}
       ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
@@ -140,6 +150,8 @@ jobs:
     name: Update container image versions
     needs: [verify-inputs, micro-services, constellation-node-operator]
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     env:
       VERSION: ${{ inputs.version }}
       WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
@@ -199,6 +211,10 @@ jobs:
     name: Build OS image
     needs: [verify-inputs, update-versions]
     uses: ./.github/workflows/build-os-image.yml
+    permissions:
+      id-token: write
+      contents: read
+      packages: read
     secrets: inherit
     with:
       imageVersion: ${{ inputs.version }}
@@ -210,6 +226,9 @@ jobs:
     name: Generate OS image measurements
     needs: [verify-inputs, os-image]
     uses: ./.github/workflows/generate-measurements.yml
+    permissions:
+      id-token: write
+      contents: read
     secrets: inherit
     with:
       osImage: ${{ inputs.version }}
@@ -221,6 +240,8 @@ jobs:
   update-hardcoded-measurements:
     name: Update hardcoded measurements (in the CLI)
     needs: [verify-inputs, generate-measurements]
+    permissions:
+      contents: write
     runs-on: ubuntu-22.04
     env:
       VERSION: ${{ inputs.version }}
@@ -263,6 +284,9 @@ jobs:
         runner: [ubuntu-22.04, macos-12]
         csp: [aws, azure, gcp]
     uses: ./.github/workflows/e2e-test-manual.yml
+    permissions:
+      id-token: write
+      contents: read
     with:
       workerNodesCount: 2
       controlNodesCount: 3
@@ -279,6 +303,9 @@ jobs:
     name: Run E2E tests for mini Constellation
     needs: [verify-inputs, update-hardcoded-measurements]
     uses: ./.github/workflows/e2e-mini.yml
+    permissions:
+      id-token: write
+      contents: read
     secrets: inherit
     with:
       ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
@@ -287,6 +314,8 @@ jobs:
     name: Tag release
     needs: [verify-inputs, e2e-tests, e2e-mini]
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     env:
       VERSION: ${{ inputs.version }}
     steps:
@@ -306,6 +335,10 @@ jobs:
     name: Draft release (CLI)
     needs: [verify-inputs, tag-release]
     uses: ./.github/workflows/release-cli.yml
+    permissions:
+      actions: read
+      contents: write
+      id-token: write
     secrets: inherit
     with:
       ref: "refs/tags/${{ inputs.version }}"
@@ -314,6 +347,8 @@ jobs:
     name: PR to Merge changes from release branch into main
     if: inputs.kind == 'minor'
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     needs: [verify-inputs, tag-release]
     env:
       VERSION: ${{ inputs.version }}

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -6,8 +6,6 @@ on:
     branches:
       - main
 
-permissions: read-all
-
 jobs:
   analysis:
     name: Scorecard analysis

diff --git a/.github/workflows/test-lint.yml b/.github/workflows/test-lint.yml
@@ -18,11 +18,6 @@ on:
       - "**/go.sum"
       - "./github/workflows/test-lint.yml"
 
-permissions:
-  contents: read
-  # Allow read access to pull request. Use with `only-new-issues` option.
-  pull-requests: read
-
 jobs:
   golangci:
     name: lint

diff --git a/.github/workflows/test-tfsec.yml b/.github/workflows/test-tfsec.yml
@@ -14,14 +14,13 @@ on:
       - "**.tf"
       - "./github/workflows/test-tfsec.yml"
 
-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
   tfsec:
     name: tfsec
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0