Security/422 restrict GitHub token in workflows (#423)

* Add information to unreleased and user doc for upcoming changes which require manual effort during the migration

* Set permissions for GitHub token in workflows

Author: ArBridgeman

.github/workflows/build-and-publish.yml

@@ -11,8 +11,9 @@ jobs:
   cd-job:
     name: Continuous Delivery
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
-
       - name: SCM Checkout
         uses: actions/checkout@v4
 

.github/workflows/cd.yml

@@ -10,15 +10,23 @@ jobs:
   check-tag-version-job:
     name: Check Release Tag
     uses: ./.github/workflows/check-release-tag.yml
+    permissions:
+      contents: read
 
   cd-job:
     name: Continuous Delivery
     uses: ./.github/workflows/build-and-publish.yml
+    permissions:
+      contents: write
     secrets:
       PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 
   publish-docs:
     needs: [ cd-job ]
     name: Publish Documentation
     uses: ./.github/workflows/gh-pages.yml
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
 

.github/workflows/check-release-tag.yml

@@ -1,14 +1,15 @@
 name: Check Release Tag
 
-on: workflow_call
+on:
+  workflow_call:
 
 jobs:
 
   check-tag-version-job:
-
     name: Check Tag Version
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4

.github/workflows/checks.yml

@@ -8,7 +8,8 @@ jobs:
   Version-Check:
     name: Version
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
@@ -25,7 +26,8 @@ jobs:
     name: Docs
     needs: [ Version-Check ]
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
@@ -40,8 +42,9 @@ jobs:
   Changelog:
     name: Changelog Update Check
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     if: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master' }}
-
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
@@ -55,11 +58,15 @@ jobs:
   build-matrix:
     name: Generate Build Matrix
     uses: ./.github/workflows/matrix-python.yml
+    permissions:
+      contents: read
 
   Lint:
     name: Linting (Python-${{ matrix.python-version }})
     needs: [ Version-Check, build-matrix ]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
@@ -89,6 +96,8 @@ jobs:
     name: Type Checking (Python-${{ matrix.python-version }})
     needs: [ Version-Check, build-matrix ]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
@@ -109,10 +118,11 @@ jobs:
     name: Security Checks (Python-${{ matrix.python-version }})
     needs: [ Version-Check, build-matrix ]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
-
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
@@ -135,7 +145,8 @@ jobs:
   Format:
     name: Format Check
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4
@@ -150,6 +161,8 @@ jobs:
     name: Unit-Tests (Python-${{ matrix.python-version }})
     needs: [ Documentation, Lint, Type-Check, Security, Format, build-matrix ]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:

.github/workflows/ci.yml

@@ -16,7 +16,11 @@ jobs:
   CI:
     uses: ./.github/workflows/merge-gate.yml
     secrets: inherit
+    permissions:
+      contents: read
 
   Metrics:
     needs: [ CI ]
     uses: ./.github/workflows/report.yml
+    permissions:
+      contents: read

.github/workflows/matrix-all.yml

@@ -9,9 +9,9 @@ on:
 
 jobs:
   all_versions:
-
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4

.github/workflows/matrix-exasol.yml

@@ -9,9 +9,9 @@ on:
 
 jobs:
   exasol_versions:
-
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4

.github/workflows/matrix-python.yml

@@ -9,9 +9,9 @@ on:
 
 jobs:
   python_versions:
-
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04
-
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4

.github/workflows/merge-gate.yml

@@ -8,15 +8,21 @@ jobs:
   fast-checks:
     name: Fast
     uses: ./.github/workflows/checks.yml
+    permissions:
+      contents: read
 
   slow-checks:
     name: Slow
     uses: ./.github/workflows/slow-checks.yml
+    permissions:
+      contents: read
 
   # This job ensures inputs have been executed successfully.
   approve-merge:
     name: Allow Merge
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     # If you need additional jobs to be part of the merge gate, add them below
     needs: [ fast-checks, slow-checks ]
 

.github/workflows/pr-merge.yml

@@ -11,11 +11,19 @@ jobs:
   ci-job:
     name: Checks
     uses: ./.github/workflows/checks.yml
+    permissions:
+      contents: read
 
   publish-docs:
     name: Publish Documentation
     uses: ./.github/workflows/gh-pages.yml
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
 
   metrics:
     needs: [ ci-job ]
     uses: ./.github/workflows/report.yml
+    permissions:
+      contents: read

.github/workflows/report.yml

@@ -7,6 +7,8 @@ jobs:
 
   Report:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/slow-checks.yml

@@ -8,11 +8,15 @@ jobs:
   build-matrix:
     name: Generate Build Matrix
     uses: ./.github/workflows/matrix-all.yml
+    permissions:
+      contents: read
 
   Tests:
     name: Integration-Tests (Python-${{ matrix.python-version }}, Exasol-${{ matrix.exasol-version}})
     needs: [ build-matrix ]
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     # Even though the environment "manual-approval" will be created automatically,
     # it still needs to be configured to require interactive review.
     # See project settings on GitHub (Settings / Environments / manual-approval).

doc/changes/unreleased.md

@@ -1,9 +1,28 @@
 # Unreleased
 
+## Summary
+
+With #420, any GitHub repos using the PTB for **documentation** will also need to 
+reconfigure the GitHub Pages settings for each repo:
+1. Go to the affected repo's GitHub page
+2. Select 'Settings'
+3. Scroll down & select 'Pages'
+4. Within the 'Build and deployment' section, change 'Source' to 'GitHub Actions'.
+
+This should also create a 'github-pages' environment, if it does not yet exist.
+For most repos using the PTB, the updating of the github pages only happens when a
+PR is merged to main, so please check post-merge that it worked as expected.
+
+With #422, we have hardened the security in our GitHub workflows by explicitly
+setting permissions to the default GitHub token. In a few repos who greatly differ
+from the default PTB setup, this might lead to small issues which require the allowed
+permissions to be increased for specific jobs.
+
 ## ⚒️ Refactorings
 
 * [#412](https://github.com/exasol/python-toolbox/issues/392):  Refactored pre commit hook package version.py into nox task
 
 ## Security
 
-* [#420](https://github.com/exasol/python-toolbox/issues/420): Replaced 3rd party action with GitHub actions for gh-pages
+* [#420](https://github.com/exasol/python-toolbox/issues/420): Replaced 3rd party action with GitHub actions for gh-pages
+* [#422](https://github.com/exasol/python-toolbox/issues/422): Set permissions within the GitHub workflows to restrict usage of the default GitHub token

doc/user_guide/getting_started.rst

@@ -179,7 +179,17 @@ forward, and you just can use the example *noxfile.py* below.
 
 .. _toolbox tasks:
 
-7. Go 🥜
+7. Setup for deploying documentation (optional)
++++++++++++++++++++++++++++++++++++++++++++++++
+Within the `gh-pages.yml`, we use the GitHub `upload-pages-artifact` and `deploy-pages`
+actions. In order to properly deploy your pages, you'll need to reconfigure the GitHub
+Pages settings for the repo:
+1. Go to the affected repo's GitHub page
+2. Select 'Settings'
+3. Scroll down & select 'Pages'
+4. Within the 'Build and deployment' section, change 'Source' to 'GitHub Actions'.
+
+8. Go 🥜
 +++++++++++++
 You are ready to use the toolbox. With *nox -l* you can list all available tasks.
 

exasol/toolbox/templates/github/workflows/build-and-publish.yml

@@ -11,8 +11,9 @@ jobs:
   cd-job:
     name: Continuous Delivery
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
     steps:
-
       - name: SCM Checkout
         uses: actions/checkout@v4
 

exasol/toolbox/templates/github/workflows/cd.yml

@@ -10,15 +10,23 @@ jobs:
   check-tag-version-job:
     name: Check Release Tag
     uses: ./.github/workflows/check-release-tag.yml
+    permissions:
+      contents: read
 
   cd-job:
     name: Continuous Delivery
     uses: ./.github/workflows/build-and-publish.yml
+    permissions:
+      contents: write
     secrets:
       PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 
   publish-docs:
     needs: [ cd-job ]
     name: Publish Documentation
     uses: ./.github/workflows/gh-pages.yml
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
 

exasol/toolbox/templates/github/workflows/check-release-tag.yml

@@ -1,14 +1,15 @@
 name: Check Release Tag
 
-on: workflow_call
+on:
+  workflow_call:
 
 jobs:
 
   check-tag-version-job:
-
     name: Check Tag Version
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - name: SCM Checkout
         uses: actions/checkout@v4