From 11ea6389ea49a0e673dd4141ee53837ee2db2aaf Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Mon, 2 Mar 2026 11:18:06 -0800 Subject: [PATCH 01/10] fix(github-123): enforce least privilege workflow permissions per copilot.md --- .github/workflows/.deploy.yml | 4 ++++ .github/workflows/.tests.yml | 4 ++++ .github/workflows/analysis.yml | 4 ++++ .github/workflows/merge.yml | 4 ++++ .github/workflows/scheduled.yml | 4 ++++ 5 files changed, 20 insertions(+) diff --git a/.github/workflows/.deploy.yml b/.github/workflows/.deploy.yml index e66a9bb..6759a86 100644 --- a/.github/workflows/.deploy.yml +++ b/.github/workflows/.deploy.yml @@ -23,6 +23,9 @@ on: required: false type: string +permissions: + contents: read + ### Usually a bad idea / not recommended directory: description: "Chart directory" @@ -117,3 +120,4 @@ jobs: # Remove old build runs, build pods and deployment pods oc delete po --field-selector=status.phase==Succeeded +permissions: {} diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml index 01e7781..2bf5a62 100644 --- a/.github/workflows/.tests.yml +++ b/.github/workflows/.tests.yml @@ -9,6 +9,9 @@ on: required: true type: string +permissions: + contents: read + jobs: cypress-e2e: name: Cypress E2E @@ -30,3 +33,4 @@ jobs: name: cypress-screenshots path: ./frontend/cypress/screenshots if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn` +permissions: {} diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index 0238d15..497733c 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -14,6 +14,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: # https://github.com/marketplace/actions/aqua-security-trivy trivy: @@ -37,3 +40,4 @@ jobs: uses: github/codeql-action/upload-sarif@v4 with: sarif_file: "trivy-results.sarif" +permissions: {} 
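Review bot: The `permissions:` block added at `@@ -23,6 +23,9 @@` in `.deploy.yml` is dropped into the middle of the `workflow_call.inputs` entries (between `type: string` and the `directory:` input), so it either breaks the `on:` mapping or detaches the inputs that follow it from `on:`; the same file then gains a second top-level `permissions: {}` after the last job, and a mapping with two `permissions` keys is invalid YAML (a lenient parser silently keeps the last value, `{}`, which cancels the `contents: read` just granted). Keep exactly one top-level key, placed between the end of the `on:` block and `jobs:`, and give elevated scopes per job rather than at the top: `permissions: {}`. The same duplicate-key pattern is introduced in `.tests.yml`, `analysis.yml`, `merge.yml` and `scheduled.yml` in this patch, and in `merge.yml` the trailing `permissions: {}` lands between two jobs under `jobs:`, where it would be read as a job named `permissions`.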
diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 0ca0dec..82809e3 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -10,6 +10,9 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: true +permissions: + contents: read + jobs: semantic-version: outputs: @@ -47,6 +50,7 @@ jobs: tags: | ${{ needs.semantic-version.outputs.semanticVersion }} ${{ needs.semantic-version.outputs.tag }} +permissions: {} deploys: name: TEST Deployments diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index c4f9233..3a904d5 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml @@ -13,6 +13,9 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: true +permissions: + contents: read + jobs: pubcode-crawler: name: Crawl Git Repos for bcgovpubcode.yml @@ -136,3 +139,4 @@ jobs: API_KEY=$(oc get secrets/pubcode --template={{.data.API_KEY}} | base64 -d) API_URL=https://$(oc get route/pubcode-api --template={{.spec.host}}) API_KEY="${API_KEY}" API_URL="${API_URL}" node index.js +permissions: {} From 7443bd19103f844e8e14ac1b4aac084b6059ed6c Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Mon, 2 Mar 2026 11:20:11 -0800 Subject: [PATCH 02/10] fix(github-123): update workflow permissions to match bcgov/quickstart-openshift example --- .github/workflows/.deploy.yml | 3 +-- .github/workflows/.tests.yml | 3 +-- .github/workflows/analysis.yml | 3 +-- .github/workflows/merge.yml | 3 +-- .github/workflows/scheduled.yml | 3 +-- 5 files changed, 5 insertions(+), 10 deletions(-) diff --git a/.github/workflows/.deploy.yml b/.github/workflows/.deploy.yml index 6759a86..0168369 100644 --- a/.github/workflows/.deploy.yml +++ b/.github/workflows/.deploy.yml @@ -23,8 +23,7 @@ on: required: false type: string -permissions: - contents: read +permissions: {} ### Usually a bad idea / not recommended directory: 
diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml index 2bf5a62..4b88450 100644 --- a/.github/workflows/.tests.yml +++ b/.github/workflows/.tests.yml @@ -9,8 +9,7 @@ on: required: true type: string -permissions: - contents: read +permissions: {} jobs: cypress-e2e: diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index 497733c..95c2415 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -14,8 +14,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read +permissions: {} jobs: # https://github.com/marketplace/actions/aqua-security-trivy diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 82809e3..aed165c 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -10,8 +10,7 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: true -permissions: - contents: read +permissions: {} jobs: semantic-version: diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index 3a904d5..e89d496 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml @@ -13,8 +13,7 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: true -permissions: - contents: read +permissions: {} jobs: pubcode-crawler: From b9d4c6e89b90ff09157918fe94b1df9783c541d8 Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Mon, 2 Mar 2026 11:24:04 -0800 Subject: [PATCH 03/10] fix(github-123): restore required job-level permissions for workflow correctness --- .github/workflows/merge.yml | 2 -- .github/workflows/pr-close.yml | 2 ++ .github/workflows/pr-open.yml | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index aed165c..c96d8b0 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml 
@@ -49,8 +49,6 @@ jobs: tags: | ${{ needs.semantic-version.outputs.semanticVersion }} ${{ needs.semantic-version.outputs.tag }} -permissions: {} - deploys: name: TEST Deployments needs: [retag-images, semantic-version] diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml index 62b5b23..bf5fdbb 100644 --- a/.github/workflows/pr-close.yml +++ b/.github/workflows/pr-close.yml @@ -13,6 +13,8 @@ jobs: cleanup: name: Cleanup and Image Promotion uses: bcgov/quickstart-openshift-helpers/.github/workflows/.pr-close.yml@6d695dd755fa9255ea4bde335890516beb6f95e4 # v1.0.1 + permissions: + packages: write permissions: packages: write secrets: diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 618495c..cc35306 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -16,6 +16,8 @@ jobs: DOMAIN: apps.silver.devops.gov.bc.ca PREFIX: ${{ github.event.repository.name }}-${{ github.event.number }} runs-on: ubuntu-24.04 + permissions: + pull-requests: write permissions: pull-requests: write steps: @@ -38,6 +40,10 @@ jobs: builds: name: Builds runs-on: ubuntu-24.04 + permissions: + attestations: write + id-token: write + packages: write permissions: attestations: write id-token: write From de70b713398f2001c024529c0230ae1349bf0e59 Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Mon, 2 Mar 2026 11:38:32 -0800 Subject: [PATCH 04/10] fix(github-123): restore correct workflow permissions per quickstart-openshift example --- .github/workflows/pr-close.yml | 2 ++ .github/workflows/pr-open.yml | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml index bf5fdbb..0b7577f 100644 --- a/.github/workflows/pr-close.yml +++ b/.github/workflows/pr-close.yml @@ -17,6 +17,8 @@ jobs: packages: write permissions: packages: write + permissions: + packages: write secrets: oc_namespace: ${{ vars.OC_NAMESPACE }} oc_token: ${{ secrets.OC_TOKEN }} 
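Review bot: The `+ permissions: packages: write` added to the `cleanup` job in `pr-close.yml` sits directly above an identical `permissions:` key that is still present as context, so the job mapping now carries the same key twice; the commit says "restore", but `pr-close.yml` is touched for the first time in this series here (`index 62b5b23`), so nothing was removed. Duplicate mapping keys are invalid YAML, and in my experience GitHub's workflow parser rejects the file with "'permissions' is already defined" rather than picking one, so drop the added pair and keep the existing block. The same duplication is introduced for `pr-greeting` and `builds` in `pr-open.yml` in this patch.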
diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index cc35306..4db4250 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -20,6 +20,8 @@ jobs: pull-requests: write permissions: pull-requests: write + permissions: + pull-requests: write steps: - name: PR Greeting uses: bcgov/action-pr-description-add@9bf88aec33edb7c00ed72f9305aa1721d0cdab9f # v2.0.3 @@ -48,6 +50,10 @@ jobs: attestations: write id-token: write packages: write + permissions: + attestations: write + id-token: write + packages: write strategy: matrix: package: [api, database, frontend] From 86d88cd3b8ff36551cb4f2954de0cbbe9aef904b Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Mon, 2 Mar 2026 11:41:29 -0800 Subject: [PATCH 05/10] fix(github-123): enforce canonical least-privilege job permissions per quickstart-openshift --- .github/workflows/.deploy.yml | 1 - .github/workflows/.tests.yml | 1 - .github/workflows/analysis.yml | 1 - .github/workflows/pr-close.yml | 4 ---- .github/workflows/pr-open.yml | 12 ------------ .github/workflows/scheduled.yml | 1 - 6 files changed, 20 deletions(-) diff --git a/.github/workflows/.deploy.yml b/.github/workflows/.deploy.yml index 0168369..3f7831a 100644 --- a/.github/workflows/.deploy.yml +++ b/.github/workflows/.deploy.yml @@ -119,4 +119,3 @@ jobs: # Remove old build runs, build pods and deployment pods oc delete po --field-selector=status.phase==Succeeded -permissions: {} diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml index 4b88450..0e42ff6 100644 --- a/.github/workflows/.tests.yml +++ b/.github/workflows/.tests.yml @@ -32,4 +32,3 @@ jobs: name: cypress-screenshots path: ./frontend/cypress/screenshots if-no-files-found: ignore # 'warn' or 'error' are also available, defaults to `warn` -permissions: {} diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index 95c2415..59845af 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml 
@@ -39,4 +39,3 @@ jobs: uses: github/codeql-action/upload-sarif@v4 with: sarif_file: "trivy-results.sarif" -permissions: {} diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml index 0b7577f..62b5b23 100644 --- a/.github/workflows/pr-close.yml +++ b/.github/workflows/pr-close.yml @@ -13,10 +13,6 @@ jobs: cleanup: name: Cleanup and Image Promotion uses: bcgov/quickstart-openshift-helpers/.github/workflows/.pr-close.yml@6d695dd755fa9255ea4bde335890516beb6f95e4 # v1.0.1 - permissions: - packages: write - permissions: - packages: write permissions: packages: write secrets: diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 4db4250..618495c 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -16,10 +16,6 @@ jobs: DOMAIN: apps.silver.devops.gov.bc.ca PREFIX: ${{ github.event.repository.name }}-${{ github.event.number }} runs-on: ubuntu-24.04 - permissions: - pull-requests: write - permissions: - pull-requests: write permissions: pull-requests: write steps: @@ -42,14 +38,6 @@ jobs: builds: name: Builds runs-on: ubuntu-24.04 - permissions: - attestations: write - id-token: write - packages: write - permissions: - attestations: write - id-token: write - packages: write permissions: attestations: write id-token: write diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index e89d496..6d30f75 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml @@ -138,4 +138,3 @@ jobs: API_KEY=$(oc get secrets/pubcode --template={{.data.API_KEY}} | base64 -d) API_URL=https://$(oc get route/pubcode-api --template={{.spec.host}}) API_KEY="${API_KEY}" API_URL="${API_URL}" node index.js -permissions: {} From 705f8c032e0f9273e0e24d959ba2939e979fe412 Mon Sep 17 00:00:00 2001 
From: Derek Roberts Date: Mon, 2 Mar 2026 11:46:24 -0800 Subject: [PATCH 06/10] fix(github-123): add top-level permissions blocks to resolve CodeQL workflow alerts --- .github/workflows/.deploy.yml | 1 + .github/workflows/.tests.yml | 1 + .github/workflows/analysis.yml | 1 + .github/workflows/merge.yml | 1 + .github/workflows/pr-open.yml | 1 + .github/workflows/scheduled.yml | 1 + 6 files changed, 6 insertions(+) diff --git a/.github/workflows/.deploy.yml b/.github/workflows/.deploy.yml index 3f7831a..a31eb09 100644 --- a/.github/workflows/.deploy.yml +++ b/.github/workflows/.deploy.yml @@ -1,3 +1,4 @@ +permissions: {} name: .Deploys on: diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml index 0e42ff6..b2d0fab 100644 --- a/.github/workflows/.tests.yml +++ b/.github/workflows/.tests.yml @@ -1,3 +1,4 @@ +permissions: {} name: .Tests on: diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index 59845af..4977cf3 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -1,3 +1,4 @@ +permissions: {} name: Analysis on: diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index c96d8b0..53ee240 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -1,3 +1,4 @@ +permissions: {} name: Merge to Main on: diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 618495c..88e9cff 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -1,3 +1,4 @@ +permissions: {} name: Pull Request on: diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index 6d30f75..b662f4a 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml @@ -1,3 +1,4 @@ +permissions: {} name: Schedule Jobs on: From 1e8ac5b9302e205201031d86326a7c9e0df3517f Mon Sep 17 00:00:00 2001 
From: Derek Roberts Date: Mon, 2 Mar 2026 11:47:13 -0800 Subject: [PATCH 07/10] fix(github-123): remove duplicate permissions blocks, enforce single top-level and correct job-level permissions --- .github/workflows/.deploy.yml | 2 -- .github/workflows/.tests.yml | 2 -- .github/workflows/analysis.yml | 2 -- .github/workflows/merge.yml | 2 -- .github/workflows/scheduled.yml | 2 -- 5 files changed, 10 deletions(-) diff --git a/.github/workflows/.deploy.yml b/.github/workflows/.deploy.yml index a31eb09..16a687a 100644 --- a/.github/workflows/.deploy.yml +++ b/.github/workflows/.deploy.yml @@ -24,8 +24,6 @@ on: required: false type: string -permissions: {} - ### Usually a bad idea / not recommended directory: description: "Chart directory" diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml index b2d0fab..8ccacc8 100644 --- a/.github/workflows/.tests.yml +++ b/.github/workflows/.tests.yml @@ -10,8 +10,6 @@ on: required: true type: string -permissions: {} - jobs: cypress-e2e: name: Cypress E2E diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index 4977cf3..84952ed 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -15,8 +15,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: {} - jobs: # https://github.com/marketplace/actions/aqua-security-trivy trivy: diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 53ee240..862417e 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -11,8 +11,6 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: true -permissions: {} - jobs: semantic-version: outputs: diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index b662f4a..99506dc 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml 
@@ -14,8 +14,6 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: true -permissions: {} - jobs: pubcode-crawler: name: Crawl Git Repos for bcgovpubcode.yml From 843b03e75c8f97f8127c2dec2f610de2a96dcc18 Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Mon, 2 Mar 2026 11:53:17 -0800 Subject: [PATCH 08/10] fix(github-123): move permissions to correct position, add job-level only where elevation needed --- .github/workflows/.deploy.yml | 3 ++- .github/workflows/.tests.yml | 3 ++- .github/workflows/analysis.yml | 5 ++++- .github/workflows/merge.yml | 9 ++++++++- .github/workflows/pr-close.yml | 2 ++ .github/workflows/pr-open.yml | 3 ++- .github/workflows/scheduled.yml | 6 +++++- 7 files changed, 25 insertions(+), 6 deletions(-) diff --git a/.github/workflows/.deploy.yml b/.github/workflows/.deploy.yml index 16a687a..7ed2b26 100644 --- a/.github/workflows/.deploy.yml +++ b/.github/workflows/.deploy.yml @@ -1,4 +1,3 @@ -permissions: {} name: .Deploys on: @@ -51,6 +50,8 @@ on: required: false type: string +permissions: {} + jobs: deploys: name: Helm diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml index 8ccacc8..0e42ff6 100644 --- a/.github/workflows/.tests.yml +++ b/.github/workflows/.tests.yml @@ -1,4 +1,3 @@ -permissions: {} name: .Tests on: @@ -10,6 +9,8 @@ on: required: true type: string +permissions: {} + jobs: cypress-e2e: name: Cypress E2E diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index 84952ed..ee47c9b 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -1,4 +1,3 @@ -permissions: {} name: Analysis on: 
@@ -15,12 +14,16 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: # https://github.com/marketplace/actions/aqua-security-trivy trivy: name: Trivy Security Scan if: github.event_name != 'pull_request' || !github.event.pull_request.draft runs-on: ubuntu-24.04 + permissions: + security-events: write steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 862417e..881aa4a 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -1,4 +1,3 @@ -permissions: {} name: Merge to Main on: @@ -11,6 +10,8 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: true +permissions: {} + jobs: semantic-version: outputs: @@ -19,6 +20,8 @@ jobs: clean_changelog: ${{ steps.changelog.outputs.clean_changelog }} runs-on: ubuntu-24.04 timeout-minutes: 1 + permissions: + contents: write steps: - uses: actions/checkout@v6 - name: Conventional Changelog Update @@ -35,6 +38,8 @@ jobs: retag-images: needs: [semantic-version] runs-on: ubuntu-24.04 + permissions: + packages: write strategy: matrix: package: [api, database, frontend] @@ -81,6 +86,8 @@ jobs: name: Create Release needs: [semantic-version, deploys-prod] runs-on: ubuntu-24.04 + permissions: + contents: write steps: - name: Create Release uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml index 62b5b23..f4c40da 100644 --- a/.github/workflows/pr-close.yml +++ b/.github/workflows/pr-close.yml @@ -9,6 +9,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: cleanup: name: Cleanup and Image Promotion diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 88e9cff..4966175 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml 
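Review bot: `security-events: write` on the `trivy` job is only honoured when the run's GITHUB_TOKEN can be elevated; the job's `if:` shows it also runs on `pull_request` events, and for a pull request from a fork the token is read-only regardless of the `permissions:` block, so `upload-sarif` will fail there. Either skip the upload for fork PRs, e.g. `if: github.event.pull_request.head.repo.fork != true` on the upload step (the `on:` triggers are outside this hunk, so confirm fork PRs are possible), or document the limitation next to the grant: `security-events: write # upload-sarif; not available to fork PRs`. Also note that with the new top-level `permissions: {}` the `actions/checkout@v6` step at the end of the hunk needs `contents: read` to be granted explicitly on this job; the trivy job's remaining steps continue outside the hunk.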
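Review bot: The `semantic-version` job in `merge.yml` now carries `contents: write` (enough to push to the default branch), yet the hunk shows `actions/checkout@v6` referenced by a mutable tag, while the `release` job in the same patch pins `softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2` to a full SHA; a job that can write to the repository is exactly where a mutable action reference matters most. Pin it the same way, `- uses: actions/checkout@<full sha> # v6`, and apply the same to the checkout in the `trivy`, `builds` and scheduled jobs. The "Conventional Changelog Update" step that actually needs the write scope is cut off at the end of the hunk, so I cannot confirm it is pinned; please check it too.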
@@ -1,4 +1,3 @@ -permissions: {} name: Pull Request on: @@ -10,6 +9,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: {} + jobs: pr-greeting: name: PR Greeting diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index 99506dc..57b890a 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml @@ -1,4 +1,3 @@ -permissions: {} name: Schedule Jobs on: @@ -14,6 +13,8 @@ concurrency: group: ${{ github.workflow }} cancel-in-progress: true +permissions: {} + jobs: pubcode-crawler: name: Crawl Git Repos for bcgovpubcode.yml @@ -60,6 +61,9 @@ jobs: validate-ministry-list: name: Validate Ministry List in the pubcode schema. runs-on: ubuntu-24.04 + permissions: + contents: write + pull-requests: write defaults: run: working-directory: schema/script From b63308ab4ca2410d3a2539b7fb77c8f8e20f0a6d Mon Sep 17 00:00:00 2001 From: Derek Roberts Date: Mon, 2 Mar 2026 12:26:37 -0800 Subject: [PATCH 09/10] fix(github-123): add contents: read to jobs using actions/checkout --- .github/workflows/.deploy.yml | 2 ++ .github/workflows/.tests.yml | 2 ++ .github/workflows/analysis.yml | 1 + .github/workflows/merge.yml | 2 +- .github/workflows/pr-open.yml | 1 + .github/workflows/scheduled.yml | 4 ++++ 6 files changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/.deploy.yml b/.github/workflows/.deploy.yml index 7ed2b26..7e7f51e 100644 --- a/.github/workflows/.deploy.yml +++ b/.github/workflows/.deploy.yml @@ -57,6 +57,8 @@ jobs: name: Helm environment: ${{ inputs.environment }} runs-on: ubuntu-24.04 + permissions: + contents: read timeout-minutes: ${{ inputs.timeout-minutes }} steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/.tests.yml b/.github/workflows/.tests.yml index 0e42ff6..47a63da 100644 --- a/.github/workflows/.tests.yml +++ b/.github/workflows/.tests.yml 
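Review bot: `contents: write` plus `pull-requests: write` on `validate-ministry-list` in `scheduled.yml` is the broadest grant in the series and the hunk gives no hint of which step needs which; the job's steps are outside the hunk, so I cannot verify either scope is used. Add a why-comment on each scope so the next reviewer can check it against the step, e.g. `contents: write # <action> pushes the regenerated schema` and `pull-requests: write # <action> opens the PR`, and confirm that step is SHA-pinned. Also note that a branch pushed or a PR opened with GITHUB_TOKEN does not trigger other workflows (`push`, `pull_request`), so the `Pull Request` workflow will not run CI on a PR this job creates unless an app or PAT token is used — if that is the intended behaviour, say so next to the grant.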
@@ -15,6 +15,8 @@ jobs: cypress-e2e: name: Cypress E2E runs-on: ubuntu-24.04 + permissions: + contents: read strategy: matrix: browser: [chrome] diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml index ee47c9b..c6772ca 100644 --- a/.github/workflows/analysis.yml +++ b/.github/workflows/analysis.yml @@ -23,6 +23,7 @@ jobs: if: github.event_name != 'pull_request' || !github.event.pull_request.draft runs-on: ubuntu-24.04 permissions: + contents: read security-events: write steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml index 881aa4a..8ff0cf8 100644 --- a/.github/workflows/merge.yml +++ b/.github/workflows/merge.yml @@ -21,7 +21,7 @@ jobs: runs-on: ubuntu-24.04 timeout-minutes: 1 permissions: - contents: write + contents: write # write implies read; needed for git-push and checkout steps: - uses: actions/checkout@v6 - name: Conventional Changelog Update diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml index 4966175..63b3295 100644 --- a/.github/workflows/pr-open.yml +++ b/.github/workflows/pr-open.yml @@ -41,6 +41,7 @@ jobs: name: Builds runs-on: ubuntu-24.04 permissions: + contents: read attestations: write id-token: write packages: write diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index 57b890a..adf2f60 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml @@ -19,6 +19,8 @@ jobs: pubcode-crawler: name: Crawl Git Repos for bcgovpubcode.yml runs-on: ubuntu-24.04 + permissions: + contents: read environment: prod defaults: run: @@ -106,6 +108,8 @@ jobs: soft-delete-removed-pubcodes: name: Soft Delete pubcodes In the Databse which are removed from the repo. runs-on: ubuntu-24.04 + permissions: + contents: read defaults: run: working-directory: utilities/remove-deleted-pubcode From 00b0fbe2a1ebe3193578f0b263d0f54a8abd9210 Mon Sep 17 00:00:00 2001 
From: Derek Roberts
Date: Mon, 2 Mar 2026 12:37:23 -0800
Subject: [PATCH 10/10] fix(github-123): add contents: read to reusable workflow caller jobs
---
.github/workflows/merge.yml | 6 ++++++
.github/workflows/pr-open.yml | 4 ++++
2 files changed, 10 insertions(+)
diff --git a/.github/workflows/merge.yml b/.github/workflows/merge.yml
index 8ff0cf8..fd46c0f 100644
--- a/.github/workflows/merge.yml
+++ b/.github/workflows/merge.yml
@@ -56,6 +56,8 @@ jobs:
deploys:
name: TEST Deployments
needs: [retag-images, semantic-version]
+ permissions:
+ contents: read
uses: ./.github/workflows/.deploy.yml
secrets: inherit
with:
@@ -67,6 +69,8 @@ jobs:
tests:
name: Tests
needs: [deploys]
+ permissions:
+ contents: read
uses: ./.github/workflows/.tests.yml
with:
target: test
@@ -74,6 +78,8 @@ jobs:
deploys-prod:
name: PROD Deployments
needs: [semantic-version, tests]
+ permissions:
+ contents: read
uses: ./.github/workflows/.deploy.yml
secrets: inherit
with:
diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
index 63b3295..95e2e3a 100644
--- a/.github/workflows/pr-open.yml
+++ b/.github/workflows/pr-open.yml
@@ -67,6 +67,8 @@ jobs:
deploys:
name: Deploys
needs: [builds]
+ permissions:
+ contents: read
uses: ./.github/workflows/.deploy.yml
secrets: inherit
with:
@@ -93,6 +95,8 @@ jobs:
tests:
name: Tests
needs: [deploys]
+ permissions:
+ contents: read
uses: ./.github/workflows/.tests.yml
with:
target: ${{ github.event.number }}
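Review bot: `secrets: inherit` on the `deploys` and `deploys-prod` caller jobs hands every repository and organization secret to `.deploy.yml`, which is far wider than the `contents: read` this commit adds suggests; the reusable workflow only needs the OpenShift credentials. Pass them explicitly, as `pr-close.yml` already does for its helper (`oc_namespace: ${{ vars.OC_NAMESPACE }}` / `oc_token: ${{ secrets.OC_TOKEN }}`), which requires a matching `secrets:` declaration under `workflow_call` in `.deploy.yml` that is not visible from here. The `permissions` on a caller job is also the ceiling for the called workflow, so `contents: read` here is consistent with the `contents: read` that `.deploy.yml`'s `deploys` job requests in the previous patch; a short comment saying so, `permissions: # ceiling for .deploy.yml, which asks for contents: read`, would stop a later edit from quietly narrowing it below what the callee needs.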