Set permissions for GitHub token in workflows

Author: ArBridgeman

.github/workflows/build-and-publish.yml

@@ -2,6 +2,8 @@ name: Build & Publish
 
 on:
   workflow_call:
+    permissions:
+      contents: write
     secrets:
       PYPI_TOKEN:
           required: true

.github/workflows/cd.yml

@@ -10,15 +10,23 @@ jobs:
   check-tag-version-job:
     name: Check Release Tag
     uses: ./.github/workflows/check-release-tag.yml
+    permissions:
+      contents: read
 
   cd-job:
     name: Continuous Delivery
     uses: ./.github/workflows/build-and-publish.yml
+    permissions:
+      contents: write
     secrets:
       PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 
   publish-docs:
     needs: [ cd-job ]
     name: Publish Documentation
     uses: ./.github/workflows/gh-pages.yml
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
 

.github/workflows/check-release-tag.yml

@@ -1,6 +1,9 @@
 name: Check Release Tag
 
-on: workflow_call
+on:
+  workflow_call:
+    permissions:
+      contents: read
 
 jobs:
 

.github/workflows/checks.yml

@@ -2,6 +2,8 @@ name: Checks
 
 on:
   workflow_call:
+    permissions:
+      contents: read
 
 jobs:
 

.github/workflows/ci.yml

@@ -16,7 +16,11 @@ jobs:
   CI:
     uses: ./.github/workflows/merge-gate.yml
     secrets: inherit
+    permissions:
+      contents: read
 
   Metrics:
     needs: [ CI ]
     uses: ./.github/workflows/report.yml
+    permissions:
+      contents: read

.github/workflows/gh-pages.yml

@@ -2,6 +2,10 @@ name: Publish Documentation
 
 on:
   workflow_call:
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
   workflow_dispatch:
 
 jobs:

.github/workflows/matrix-all.yml

@@ -2,6 +2,8 @@ name: Build Matrix (All Versions)
 
 on:
   workflow_call:
+    permissions:
+      contents: read
     outputs:
       matrix:
         description: "Generates the all versions build matrix"

.github/workflows/matrix-exasol.yml

@@ -2,6 +2,8 @@ name: Build Matrix (Exasol)
 
 on:
   workflow_call:
+    permissions:
+      contents: read
     outputs:
       matrix:
         description: "Generates the exasol version build matrix"

.github/workflows/matrix-python.yml

@@ -2,10 +2,12 @@ name: Build Matrix (Python)
 
 on:
   workflow_call:
+    permissions:
+      contents: read
     outputs:
       matrix:
-        description: "Generates the python version build matrix"
-        value: ${{ jobs.python_versions.outputs.matrix }}
+      description: "Generates the python version build matrix"
+      value: ${{ jobs.python_versions.outputs.matrix }}
 
 jobs:
   python_versions:

.github/workflows/merge-gate.yml

@@ -2,16 +2,22 @@ name: Merge-Gate
 
 on:
   workflow_call:
+    permissions:
+      contents: read
 
 jobs:
 
   fast-checks:
     name: Fast
     uses: ./.github/workflows/checks.yml
+    permissions:
+      contents: read
 
   slow-checks:
     name: Slow
     uses: ./.github/workflows/slow-checks.yml
+    permissions:
+      contents: read
 
   # This job ensures inputs have been executed successfully.
   approve-merge:

.github/workflows/pr-merge.yml

@@ -11,11 +11,19 @@ jobs:
   ci-job:
     name: Checks
     uses: ./.github/workflows/checks.yml
+    permissions:
+      contents: read
 
   publish-docs:
     name: Publish Documentation
     uses: ./.github/workflows/gh-pages.yml
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
 
   metrics:
     needs: [ ci-job ]
     uses: ./.github/workflows/report.yml
+    permissions:
+      contents: read

.github/workflows/report.yml

@@ -2,6 +2,8 @@ name: Status Report
 
 on:
   workflow_call:
+   permissions:
+      contents: read
 
 jobs:
 

.github/workflows/slow-checks.yml

@@ -2,6 +2,8 @@ name: Slow-Checks
 
 on:
   workflow_call:
+   permissions:
+      contents: read
 
 jobs:
 

doc/changes/unreleased.md

@@ -13,10 +13,16 @@ This should also create a 'github-pages' environment, if it does not yet exist.
 For most repos using the PTB, the updating of the github pages only happens when a
 PR is merged to main, so please check post-merge that it worked as expected.
 
+With #422, we have hardened the security in our GitHub workflows by explicitly
+setting permissions to the default GitHub token. In a few repos who greatly differ
+from the default PTB setup, this might lead to small issues which require the allowed
+permissions to be increased for specific jobs.
+
 ## ⚒️ Refactorings
 
 * [#412](https://github.com/exasol/python-toolbox/issues/392):  Refactored pre commit hook package version.py into nox task
 
 ## Security
 
-* [#420](https://github.com/exasol/python-toolbox/issues/420): Replaced 3rd party action with GitHub actions for gh-pages
+* [#420](https://github.com/exasol/python-toolbox/issues/420): Replaced 3rd party action with GitHub actions for gh-pages
+* [#422](https://github.com/exasol/python-toolbox/issues/422): Set permissions within the GitHub workflows to restrict usage of the default GitHub token

exasol/toolbox/templates/github/workflows/build-and-publish.yml

@@ -2,6 +2,8 @@ name: Build & Publish
 
 on:
   workflow_call:
+    permissions:
+      contents: write
     secrets:
       PYPI_TOKEN:
           required: true

exasol/toolbox/templates/github/workflows/cd.yml

@@ -10,15 +10,23 @@ jobs:
   check-tag-version-job:
     name: Check Release Tag
     uses: ./.github/workflows/check-release-tag.yml
+    permissions:
+      contents: read
 
   cd-job:
     name: Continuous Delivery
     uses: ./.github/workflows/build-and-publish.yml
+    permissions:
+      contents: write
     secrets:
       PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
 
   publish-docs:
     needs: [ cd-job ]
     name: Publish Documentation
     uses: ./.github/workflows/gh-pages.yml
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
 

exasol/toolbox/templates/github/workflows/check-release-tag.yml

@@ -1,6 +1,9 @@
 name: Check Release Tag
 
-on: workflow_call
+on:
+  workflow_call:
+    permissions:
+      contents: read
 
 jobs:
 

exasol/toolbox/templates/github/workflows/checks.yml

@@ -2,6 +2,8 @@ name: Checks
 
 on:
   workflow_call:
+    permissions:
+      contents: read
 
 jobs:
 

exasol/toolbox/templates/github/workflows/ci.yml

@@ -16,7 +16,11 @@ jobs:
   CI:
     uses: ./.github/workflows/merge-gate.yml
     secrets: inherit
+    permissions:
+      contents: read
 
   Metrics:
     needs: [ CI ]
     uses: ./.github/workflows/report.yml
+    permissions:
+      contents: read

exasol/toolbox/templates/github/workflows/gh-pages.yml

@@ -2,6 +2,10 @@ name: Publish Documentation
 
 on:
   workflow_call:
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
   workflow_dispatch:
 
 jobs:

exasol/toolbox/templates/github/workflows/matrix-all.yml

@@ -2,6 +2,8 @@ name: Build Matrix (All Versions)
 
 on:
   workflow_call:
+    permissions:
+      contents: read
     outputs:
       matrix:
         description: "Generates the all versions build matrix"

exasol/toolbox/templates/github/workflows/matrix-exasol.yml

@@ -2,6 +2,8 @@ name: Build Matrix (Exasol)
 
 on:
   workflow_call:
+    permissions:
+      contents: read
     outputs:
       matrix:
         description: "Generates the exasol version build matrix"

exasol/toolbox/templates/github/workflows/matrix-python.yml

@@ -2,6 +2,8 @@ name: Build Matrix (Python)
 
 on:
   workflow_call:
+    permissions:
+      contents: read
     outputs:
       matrix:
         description: "Generates the python version build matrix"

exasol/toolbox/templates/github/workflows/merge-gate.yml

@@ -2,16 +2,22 @@ name: Merge-Gate
 
 on:
   workflow_call:
+    permissions:
+      contents: read
 
 jobs:
 
   fast-checks:
     name: Fast
     uses: ./.github/workflows/checks.yml
+    permissions:
+      contents: read
 
   slow-checks:
     name: Slow
     uses: ./.github/workflows/slow-checks.yml
+    permissions:
+      contents: read
 
   # This job ensures inputs have been executed successfully.
   approve-merge:

exasol/toolbox/templates/github/workflows/pr-merge.yml

@@ -14,12 +14,19 @@ jobs:
   ci-job:
     name: Checks
     uses: ./.github/workflows/checks.yml
-    secrets: inherit
+    permissions:
+      contents: read
 
   publish-docs:
     name: Publish Documentation
     uses: ./.github/workflows/gh-pages.yml
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
 
   metrics:
     needs: [ ci-job ]
     uses: ./.github/workflows/report.yml
+    permissions:
+      contents: read

exasol/toolbox/templates/github/workflows/report.yml

@@ -2,6 +2,8 @@ name: Status Report
 
 on:
   workflow_call:
+   permissions:
+      contents: read
 
 jobs:
 

exasol/toolbox/templates/github/workflows/slow-checks.yml

@@ -2,6 +2,8 @@ name: Slow-Checks
 
 on:
   workflow_call:
+   permissions:
+      contents: read
 
 jobs: