Skip to content

Commit 6a9e851

Browse files
ArBridgemanArBridgeman
authored
Security/422 restrict GitHub token in workflows (#423)
* Add information to unreleased and user doc for upcoming changes which require manual effort during the migration * Set permissions for GitHub token in workflows
1 parent 29d6fb5 commit 6a9e851

26 files changed

+156
-35
lines changed

.github/workflows/build-and-publish.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,8 +11,9 @@ jobs:
1111
cd-job:
1212
name: Continuous Delivery
1313
runs-on: ubuntu-24.04
14+
permissions:
15+
contents: write
1416
steps:
15-
1617
- name: SCM Checkout
1718
uses: actions/checkout@v4
1819

.github/workflows/cd.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,15 +10,23 @@ jobs:
1010
check-tag-version-job:
1111
name: Check Release Tag
1212
uses: ./.github/workflows/check-release-tag.yml
13+
permissions:
14+
contents: read
1315

1416
cd-job:
1517
name: Continuous Delivery
1618
uses: ./.github/workflows/build-and-publish.yml
19+
permissions:
20+
contents: write
1721
secrets:
1822
PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
1923

2024
publish-docs:
2125
needs: [ cd-job ]
2226
name: Publish Documentation
2327
uses: ./.github/workflows/gh-pages.yml
28+
permissions:
29+
contents: read
30+
pages: write
31+
id-token: write
2432

.github/workflows/check-release-tag.yml

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,15 @@
11
name: Check Release Tag
22

3-
on: workflow_call
3+
on:
4+
workflow_call:
45

56
jobs:
67

78
check-tag-version-job:
8-
99
name: Check Tag Version
1010
runs-on: ubuntu-24.04
11-
11+
permissions:
12+
contents: read
1213
steps:
1314
- name: SCM Checkout
1415
uses: actions/checkout@v4

.github/workflows/checks.yml

Lines changed: 18 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,8 @@ jobs:
88
Version-Check:
99
name: Version
1010
runs-on: ubuntu-24.04
11-
11+
permissions:
12+
contents: read
1213
steps:
1314
- name: SCM Checkout
1415
uses: actions/checkout@v4
@@ -25,7 +26,8 @@ jobs:
2526
name: Docs
2627
needs: [ Version-Check ]
2728
runs-on: ubuntu-24.04
28-
29+
permissions:
30+
contents: read
2931
steps:
3032
- name: SCM Checkout
3133
uses: actions/checkout@v4
@@ -40,8 +42,9 @@ jobs:
4042
Changelog:
4143
name: Changelog Update Check
4244
runs-on: ubuntu-24.04
45+
permissions:
46+
contents: read
4347
if: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master' }}
44-
4548
steps:
4649
- name: SCM Checkout
4750
uses: actions/checkout@v4
@@ -55,11 +58,15 @@ jobs:
5558
build-matrix:
5659
name: Generate Build Matrix
5760
uses: ./.github/workflows/matrix-python.yml
61+
permissions:
62+
contents: read
5863

5964
Lint:
6065
name: Linting (Python-${{ matrix.python-version }})
6166
needs: [ Version-Check, build-matrix ]
6267
runs-on: ubuntu-24.04
68+
permissions:
69+
contents: read
6370
strategy:
6471
fail-fast: false
6572
matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
@@ -89,6 +96,8 @@ jobs:
8996
name: Type Checking (Python-${{ matrix.python-version }})
9097
needs: [ Version-Check, build-matrix ]
9198
runs-on: ubuntu-24.04
99+
permissions:
100+
contents: read
92101
strategy:
93102
fail-fast: false
94103
matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
@@ -109,10 +118,11 @@ jobs:
109118
name: Security Checks (Python-${{ matrix.python-version }})
110119
needs: [ Version-Check, build-matrix ]
111120
runs-on: ubuntu-24.04
121+
permissions:
122+
contents: read
112123
strategy:
113124
fail-fast: false
114125
matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }}
115-
116126
steps:
117127
- name: SCM Checkout
118128
uses: actions/checkout@v4
@@ -135,7 +145,8 @@ jobs:
135145
Format:
136146
name: Format Check
137147
runs-on: ubuntu-24.04
138-
148+
permissions:
149+
contents: read
139150
steps:
140151
- name: SCM Checkout
141152
uses: actions/checkout@v4
@@ -150,6 +161,8 @@ jobs:
150161
name: Unit-Tests (Python-${{ matrix.python-version }})
151162
needs: [ Documentation, Lint, Type-Check, Security, Format, build-matrix ]
152163
runs-on: ubuntu-24.04
164+
permissions:
165+
contents: read
153166
env:
154167
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
155168
strategy:

.github/workflows/ci.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,11 @@ jobs:
1616
CI:
1717
uses: ./.github/workflows/merge-gate.yml
1818
secrets: inherit
19+
permissions:
20+
contents: read
1921

2022
Metrics:
2123
needs: [ CI ]
2224
uses: ./.github/workflows/report.yml
25+
permissions:
26+
contents: read

.github/workflows/matrix-all.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ on:
99

1010
jobs:
1111
all_versions:
12-
1312
runs-on: ubuntu-24.04
14-
13+
permissions:
14+
contents: read
1515
steps:
1616
- name: SCM Checkout
1717
uses: actions/checkout@v4

.github/workflows/matrix-exasol.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ on:
99

1010
jobs:
1111
exasol_versions:
12-
1312
runs-on: ubuntu-24.04
14-
13+
permissions:
14+
contents: read
1515
steps:
1616
- name: SCM Checkout
1717
uses: actions/checkout@v4

.github/workflows/matrix-python.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -9,9 +9,9 @@ on:
99

1010
jobs:
1111
python_versions:
12-
12+
permissions:
13+
contents: read
1314
runs-on: ubuntu-24.04
14-
1515
steps:
1616
- name: SCM Checkout
1717
uses: actions/checkout@v4

.github/workflows/merge-gate.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -8,15 +8,21 @@ jobs:
88
fast-checks:
99
name: Fast
1010
uses: ./.github/workflows/checks.yml
11+
permissions:
12+
contents: read
1113

1214
slow-checks:
1315
name: Slow
1416
uses: ./.github/workflows/slow-checks.yml
17+
permissions:
18+
contents: read
1519

1620
# This job ensures inputs have been executed successfully.
1721
approve-merge:
1822
name: Allow Merge
1923
runs-on: ubuntu-24.04
24+
permissions:
25+
contents: read
2026
# If you need additional jobs to be part of the merge gate, add them below
2127
needs: [ fast-checks, slow-checks ]
2228

.github/workflows/pr-merge.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,11 +11,19 @@ jobs:
1111
ci-job:
1212
name: Checks
1313
uses: ./.github/workflows/checks.yml
14+
permissions:
15+
contents: read
1416

1517
publish-docs:
1618
name: Publish Documentation
1719
uses: ./.github/workflows/gh-pages.yml
20+
permissions:
21+
contents: read
22+
pages: write
23+
id-token: write
1824

1925
metrics:
2026
needs: [ ci-job ]
2127
uses: ./.github/workflows/report.yml
28+
permissions:
29+
contents: read

0 commit comments

Comments
 (0)