ci: Move elevated permissions to run level

yiannistri · yiannistri · commit 7044ad7b4770 · 2023-09-19T08:17:56.000+01:00
diff --git a/.github/workflows/blocked-reminder.yaml b/.github/workflows/blocked-reminder.yaml
@@ -6,6 +6,9 @@ on:
     # others on Fri.
     - cron: '0 15 * * 1,4'
 
+permissions:
+  issues: read # for actions/github-script to query issues
+
 jobs:
   issue-list:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/build-and-publish.yaml b/.github/workflows/build-and-publish.yaml
@@ -6,15 +6,17 @@ on:
       - main
 
 permissions:
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read # for actions/checkout to fetch code
 
 env:
   CONTROLLER: ${{ github.event.repository.name }}
 
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - name: Checkout
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -8,6 +8,9 @@ on:
       - '.github/workflows/docs.yaml'
       - 'mkdocs.yml'
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
   publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/helm-release.yaml b/.github/workflows/helm-release.yaml
@@ -3,16 +3,18 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read # for actions/checkout to fetch code
 
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
-      - name: Publish Helm chart
+      - name: Publish Helm chart in GitHub Pages
         uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/ossf.yaml b/.github/workflows/ossf.yaml
@@ -15,10 +15,8 @@ jobs:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed if using Code scanning alerts
-      security-events: write
-      # Needed for GitHub OIDC token if publish_results is true
-      id-token: write
+      security-events: write # needed if using Code scanning alerts
+      id-token: write # needed for GitHub OIDC token if publish_results is true
 
     steps:
       - name: "Checkout code"
diff --git a/.github/workflows/release-runners.yaml b/.github/workflows/release-runners.yaml
@@ -13,9 +13,7 @@ on:
         required: true
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read # for actions/checkout to fetch code
 
 env:
   VERSION: ${{ github.event.inputs.version }}
@@ -24,6 +22,10 @@ env:
 jobs:
   release-base:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - name: Check out
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -64,6 +66,10 @@ jobs:
   release-mpl:
     needs: release-base
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     strategy:
       matrix:
         tf_version: [1.0.11, 1.1.9, 1.2.9, 1.3.9, 1.4.6, 1.5.5]
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,16 +11,18 @@ on:
         required: true
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read # for actions/checkout to fetch code
 
 env:
   CONTROLLER: ${{ github.event.repository.name }}
 
 jobs:
   build-push:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - name: Check out
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -9,7 +9,6 @@ on:
 
 permissions:
   contents: read # for actions/checkout to fetch code
-  security-events: write # for codeQL to write security events
 
 jobs:
   fossa:
@@ -27,6 +26,8 @@ jobs:
   codeql:
     name: CodeQL
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write # for codeQL to write security events
     steps:
       - name: Checkout repository
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
diff --git a/.github/workflows/targeted-test.yaml b/.github/workflows/targeted-test.yaml
@@ -4,6 +4,10 @@ on:
       pattern:
         required: true
         type: string
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
   targeted-test:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -14,6 +14,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
   test-1x-2x:
     name: "Controller Tests: 10->29"
