
Commit 84e8d7d

authored
chore(ci): least privilege workflow permissions (#570)
1 parent 44ec92a commit 84e8d7d

7 files changed

Lines changed: 45 additions & 1 deletion


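--- a/.github/workflows/.deploy.yml
+++ b/.github/workflows/.deploy.yml
@@ -50,11 +50,15 @@ on:
 required: false
 type: string
 
+permissions: {}
+
 jobs:
 deploys:
 name: Helm
 environment: ${{ inputs.environment }}
 runs-on: ubuntu-24.04
+permissions:
+contents: read
 timeout-minutes: ${{ inputs.timeout-minutes }}
 steps:
 - uses: actions/checkout@v6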
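Review bot: The job-level `contents: read` under `deploys` is a cap rather than a grant, because this is a reusable workflow (`on:` with `inputs` at the hunk head) and a called workflow can only narrow the GITHUB_TOKEN permissions its caller passes in, never widen them; the same applies to `cypress-e2e` in .github/workflows/.tests.yml. A one-line comment at the block would stop a later maintainer from trying to raise scopes here instead of in the caller: `permissions: # upper bound only; the calling job must grant at least this`. The `deploys` job body continues past the end of the hunk.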

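--- a/.github/workflows/.tests.yml
+++ b/.github/workflows/.tests.yml
@@ -9,10 +9,14 @@ on:
 required: true
 type: string
 
+permissions: {}
+
 jobs:
 cypress-e2e:
 name: Cypress E2E
 runs-on: ubuntu-24.04
+permissions:
+contents: read
 strategy:
 matrix:
 browser: [chrome]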

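--- a/.github/workflows/analysis.yml
+++ b/.github/workflows/analysis.yml
@@ -14,12 +14,17 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions: {}
+
 jobs:
 # https://github.com/marketplace/actions/aqua-security-trivy
 trivy:
 name: Trivy Security Scan
 if: github.event_name != 'pull_request' || !github.event.pull_request.draft
 runs-on: ubuntu-24.04
+permissions:
+contents: read
+security-events: write
 steps:
 - uses: actions/checkout@v6
 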
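Review bot: `security-events: write` on the `trivy` job is the only elevated scope in this file and carries no reason comment, unlike the `contents: write` annotation this commit adds in .github/workflows/merge.yml; the step that consumes it lies past the end of the hunk, so I would record the purpose beside the grant, e.g. `security-events: write # upload scan results to code scanning`, if that is what the later steps do. If this repository is private, the SARIF upload action also needs `actions: read`, which this block does not grant, so the upload step would fail under the new job-level cap. The `trivy` job body continues beyond the hunk.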
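--- a/.github/workflows/merge.yml
+++ b/.github/workflows/merge.yml
@@ -10,6 +10,8 @@ concurrency:
 group: ${{ github.workflow }}
 cancel-in-progress: true
 
+permissions: {}
+
 jobs:
 semantic-version:
 outputs:
@@ -18,6 +20,8 @@ jobs:
 clean_changelog: ${{ steps.changelog.outputs.clean_changelog }}
 runs-on: ubuntu-24.04
 timeout-minutes: 1
+permissions:
+contents: write # write implies read; needed for git-push and checkout
 steps:
 - uses: actions/checkout@v6
 - name: Conventional Changelog Update
@@ -34,6 +38,8 @@ jobs:
 retag-images:
 needs: [semantic-version]
 runs-on: ubuntu-24.04
+permissions:
+packages: write
 strategy:
 matrix:
 package: [api, database, frontend]
@@ -47,10 +53,11 @@ jobs:
 tags: |
 ${{ needs.semantic-version.outputs.semanticVersion }}
 ${{ needs.semantic-version.outputs.tag }}
-
 deploys:
 name: TEST Deployments
 needs: [retag-images, semantic-version]
+permissions:
+contents: read
 uses: ./.github/workflows/.deploy.yml
 secrets: inherit
 with:
@@ -62,13 +69,17 @@ jobs:
 tests:
 name: Tests
 needs: [deploys]
+permissions:
+contents: read
 uses: ./.github/workflows/.tests.yml
 with:
 target: test
 
 deploys-prod:
 name: PROD Deployments
 needs: [semantic-version, tests]
+permissions:
+contents: read
 uses: ./.github/workflows/.deploy.yml
 secrets: inherit
 with:
@@ -81,6 +92,8 @@ jobs:
 name: Create Release
 needs: [semantic-version, deploys-prod]
 runs-on: ubuntu-24.04
+permissions:
+contents: write
 steps:
 - name: Create Release
 uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2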
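Review bot: Declaring `permissions:` on `retag-images` with only `packages: write` sets every unlisted scope, including `contents`, to none; the job's steps are outside the hunk, so confirm that none of them checks out or reads the repository, and add `contents: read` alongside `packages: write` if one does. The `semantic-version` block explains why it needs `contents: write`, but the `Create Release` job's `contents: write` and `retag-images`'s `packages: write` are left unexplained; for consistency I would annotate them, e.g. `contents: write # create the GitHub release` (grounded in the softprops/action-gh-release step shown) and `packages: write # push retagged images`, adjusting the latter to whatever the steps actually do. Both job bodies extend beyond their hunks.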

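--- a/.github/workflows/pr-close.yml
+++ b/.github/workflows/pr-close.yml
@@ -9,6 +9,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions: {}
+
 jobs:
 cleanup:
 name: Cleanup and Image Promotion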
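Review bot: The new top-level `permissions: {}` removes every token scope from any job that does not declare its own `permissions:` block, and this file gains only these two lines, so the `cleanup` job (body outside the hunk) now runs with no permissions unless it already carried a job-level block before this commit. A job named "Cleanup and Image Promotion" presumably needs at least `packages: write`; please confirm the block exists, and if it does not, add one as the other workflows in this commit do. The same check applies to `pr-greeting` in .github/workflows/pr-open.yml, which likewise receives no job-level block here and would likely need `pull-requests: write` to post a comment.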

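--- a/.github/workflows/pr-open.yml
+++ b/.github/workflows/pr-open.yml
@@ -9,6 +9,8 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions: {}
+
 jobs:
 pr-greeting:
 name: PR Greeting
@@ -39,6 +41,7 @@ jobs:
 name: Builds
 runs-on: ubuntu-24.04
 permissions:
+contents: read
 attestations: write
 id-token: write
 packages: write
@@ -64,6 +67,8 @@ jobs:
 deploys:
 name: Deploys
 needs: [builds]
+permissions:
+contents: read
 uses: ./.github/workflows/.deploy.yml
 secrets: inherit
 with:
@@ -90,6 +95,8 @@ jobs:
 tests:
 name: Tests
 needs: [deploys]
+permissions:
+contents: read
 uses: ./.github/workflows/.tests.yml
 with:
 target: ${{ github.event.number }}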

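--- a/.github/workflows/scheduled.yml
+++ b/.github/workflows/scheduled.yml
@@ -13,10 +13,14 @@ concurrency:
 group: ${{ github.workflow }}
 cancel-in-progress: true
 
+permissions: {}
+
 jobs:
 pubcode-crawler:
 name: Crawl Git Repos for bcgovpubcode.yml
 runs-on: ubuntu-24.04
+permissions:
+contents: read
 environment: prod
 defaults:
 run:
@@ -59,6 +63,9 @@ jobs:
 validate-ministry-list:
 name: Validate Ministry List in the pubcode schema.
 runs-on: ubuntu-24.04
+permissions:
+contents: write
+pull-requests: write
 defaults:
 run:
 working-directory: schema/script
@@ -101,6 +108,8 @@ jobs:
 soft-delete-removed-pubcodes:
 name: Soft Delete pubcodes In the Databse which are removed from the repo.
 runs-on: ubuntu-24.04
+permissions:
+contents: read
 defaults:
 run:
 working-directory: utilities/remove-deleted-pubcode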
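Review bot: `validate-ministry-list` is the only job in this file granted write scopes (`contents: write`, `pull-requests: write`), and neither carries the reason comment this commit uses for `contents: write` in .github/workflows/merge.yml; the steps that use them are outside the hunk, so I would state the purpose beside each grant, e.g. `pull-requests: write # open or update the ministry-list PR`, adjusted to what the steps actually do. If those steps create a pull request with the default GITHUB_TOKEN, note that events produced by that token do not start new `pull_request` workflow runs, so the PR will not receive the usual checks unless a different credential is used. The job body continues beyond the hunk.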
