From ecbd9e8265f54ecfa936686c44681e477f1f23cf Mon Sep 17 00:00:00 2001 From: Thibault Normand Date: Wed, 10 May 2023 14:16:09 +0200 Subject: [PATCH] chore(ci): fix GHA permissions --- .github/workflows/docker.yml | 10 ++++++---- .github/workflows/go.yml | 17 ++++++++++++++--- .github/workflows/releaser.yml | 7 ++++--- .github/workflows/security.yml | 6 +++--- 4 files changed, 27 insertions(+), 13 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index b0b783e6..aba72031 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -7,15 +7,17 @@ on: description: 'Release version' required: true -permissions: - # Required to stop running workflows - actions: write - packages: write +permissions: # added using https://github.com/step-security/secure-repo + contents: read jobs: build-docker-images: name: Build Docker Images runs-on: ubuntu-latest + permissions: + # Required to stop running workflows + actions: write + packages: write steps: - uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 88b6db5d..0184b220 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -21,15 +21,16 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -permissions: - # Required to stop running workflows - actions: write +permissions: # added using https://github.com/step-security/secure-repo + contents: read jobs: # Check if there any dirty change for go mod tidy go-mod: name: "Check go modules declaration" runs-on: ubuntu-latest + permissions: + actions: write steps: - uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 @@ -73,6 +74,8 @@ jobs: go-version: - "1.19" - "1.20" + permissions: + actions: write runs-on: ubuntu-latest needs: [golangci-lint, go-mod] steps: 
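Review bot: The new job-level `permissions:` block on build-docker-images replaces the workflow-level block rather than extending it, so the `contents: read` added at the top no longer applies to that job and every scope not listed in the job block drops to none; the job's checkout step is outside this hunk, and on a private repository it would fail without `contents: read` in the job-level block. The same applies to each job-level block added in go.yml (the hunks at lines 21, 73, 123, 160, 208 and 251), while the trivy job in security.yml already lists `contents: read` and is unaffected. The minimal fix is to carry the scope into each job block: `permissions:` / `  contents: read` / `  actions: write`. Separately, `actions: write` grants more than cancelling superseded runs (it also covers deleting artifacts and logs and re-running workflows); if cancellation is its only use, a workflow-level `concurrency:` stanza with `cancel-in-progress: true` does that with no token scope at all and would let `actions: write` be dropped from these jobs.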
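Review bot: The reason for `actions: write` is lost in go-mod's new job-level block: the removed workflow-level block carried `# Required to stop running workflows`, and none of the per-job blocks added in go.yml (this hunk and those at lines 73, 123, 160, 208 and 251) keep it, whereas the docker.yml job block does. Someone auditing token scopes later cannot tell from the file why a lint or test job needs write access to the Actions API. Restore the comment in each go.yml block: `permissions:` / `  # Required to stop running workflows` / `  actions: write`.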
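Review bot: In the matrix job whose header is above this hunk, `permissions:` is inserted between the `go-version` entries and `runs-on:`; with whitespace collapsed in this listing its indentation cannot be verified, and it must sit at job level rather than under `strategy:`/`matrix:`, where the workflow parser would reject it. Every other job block in this commit places `permissions:` directly after `runs-on:`; moving this one there, `runs-on: ubuntu-latest` / `permissions:` / `  actions: write`, keeps the layout consistent and makes the nesting obvious at review time.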
@@ -123,6 +126,8 @@ jobs: golangci-lint: name: "GolangCI-lint" runs-on: ubuntu-latest + permissions: + actions: write steps: - uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 @@ -160,6 +165,8 @@ jobs: name: "Tests (linux)" needs: [go-mod, compile-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors runs-on: ubuntu-latest + permissions: + actions: write steps: - uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 @@ -208,6 +215,8 @@ jobs: name: "Tests (windows)" needs: [go-mod, compile-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors runs-on: windows-latest + permissions: + actions: write steps: - name: Harden Runner uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0 @@ -251,6 +260,8 @@ jobs: name: "Tests (darwin)" needs: [go-mod, compile-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors runs-on: macos-latest + permissions: + actions: write steps: - name: Harden Runner uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0 diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml index 289c7bdb..903f310b 100644 --- a/.github/workflows/releaser.yml +++ b/.github/workflows/releaser.yml @@ -7,9 +7,8 @@ on: description: 'Release version' required: true -permissions: - # Required to stop running workflows - actions: write +permissions: # added using https://github.com/step-security/secure-repo + contents: read jobs: release: @@ -17,6 +16,8 @@ jobs: permissions: packages: read contents: write + actions: write + steps: - name: Harden Runner uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0 diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 81e7663a..9cc6d4ee 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -13,9 +13,8 @@ on: schedule: - cron: '30 0 1,15 * *' -permissions: - # Required to stop running workflows - actions: write +permissions: # added using https://github.com/step-security/secure-repo + contents: read jobs: trivy: @@ -26,6 +25,7 @@ jobs: contents: read security-events: write pull-requests: read + actions: write if: (github.actor != 'dependabot[bot]') steps: