chore(ci): enforce top-level permission to minimum fail-safe permissi…

…on as per openssf (#2638)
aws-powertools · Jul 4, 2023 · cdd28fe · cdd28fe
1 parent b2e43b3
commit cdd28fe
Show file tree

Hide file tree

Showing 20 changed files with 79 additions and 0 deletions.
diff --git a/.github/workflows/build_changelog.yml b/.github/workflows/build_changelog.yml
@@ -17,6 +17,9 @@ on:
     branches:
       - develop
 
+permissions:
+  contents: read
+
 jobs:
   changelog:
     permissions:

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -17,6 +17,9 @@ on:
     branches:
       - develop
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, 
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/label_pr_on_title.yml b/.github/workflows/label_pr_on_title.yml
@@ -26,6 +26,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
     permissions:

diff --git a/.github/workflows/on_closed_issues.yml b/.github/workflows/on_closed_issues.yml
@@ -12,6 +12,9 @@ name: Closed Issue Message
 on:
   issues:
       types: [closed]
+permissions:
+  contents: read
+
 jobs:
   auto_comment:
       runs-on: ubuntu-latest

diff --git a/.github/workflows/on_label_added.yml b/.github/workflows/on_label_added.yml
@@ -25,6 +25,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
     permissions:

diff --git a/.github/workflows/on_merged_pr.yml b/.github/workflows/on_merged_pr.yml
@@ -26,6 +26,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
     permissions:

diff --git a/.github/workflows/on_opened_pr.yml b/.github/workflows/on_opened_pr.yml
@@ -26,6 +26,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   get_pr_details:
     permissions:

diff --git a/.github/workflows/on_push_docs.yml b/.github/workflows/on_push_docs.yml
@@ -20,6 +20,9 @@ on:
       - "examples/**"
       - "CHANGELOG.md"
 
+permissions:
+  contents: read
+
 jobs:
   release-docs:
     permissions:

diff --git a/.github/workflows/publish_v2_layer.yml b/.github/workflows/publish_v2_layer.yml
@@ -49,6 +49,9 @@ on:
         type: boolean
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   build-layer:
     permissions:

diff --git a/.github/workflows/quality_check.yml b/.github/workflows/quality_check.yml
@@ -35,6 +35,9 @@ on:
     branches:
       - develop
 
+permissions:
+  contents: read
+
 jobs:
   quality_check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/rebuild_latest_docs.yml b/.github/workflows/rebuild_latest_docs.yml
@@ -23,6 +23,9 @@ on:
         default: "2.16.3"
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   release-docs:
     permissions:

diff --git a/.github/workflows/record_pr.yml b/.github/workflows/record_pr.yml
@@ -37,6 +37,9 @@ on:
   pull_request:
     types: [opened, edited, closed, labeled]
 
+permissions:
+  contents: read
+
 jobs:
   record_pr:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -18,6 +18,9 @@ on:
       - develop
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -51,6 +51,9 @@ on:
         type: boolean
         required: false
 
+permissions:
+  contents: read
+
 jobs:
 
   # This job bumps the package version to the release version

diff --git a/.github/workflows/reusable_deploy_v2_layer_stack.yml b/.github/workflows/reusable_deploy_v2_layer_stack.yml
@@ -47,6 +47,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   deploy-cdk-stack:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/reusable_export_pr_details.yml b/.github/workflows/reusable_export_pr_details.yml
@@ -50,6 +50,9 @@ on:
         description: "Whether PR is merged"
         value: ${{ jobs.export_pr_details.outputs.prIsMerged }}
 
+permissions:
+  contents: read
+
 jobs:
   export_pr_details:
     permissions:

diff --git a/.github/workflows/reusable_publish_changelog.yml b/.github/workflows/reusable_publish_changelog.yml
@@ -10,6 +10,9 @@ env:
   PULL_REQUEST_TITLE: "chore(ci): changelog rebuild"
   FILES_TO_COMMIT: "CHANGELOG.md"
 
+permissions:
+  contents: read
+
 jobs:
   publish_changelog:
     # Force Github action to run only a single job at a time (based on the group name)

diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml
@@ -35,6 +35,9 @@ env:
 
 concurrency: e2e
 
+permissions:
+  contents: read
+
 jobs:
   run:
     runs-on: aws-powertools_ubuntu-latest_8-core

diff --git a/.github/workflows/secure_workflows.yml b/.github/workflows/secure_workflows.yml
@@ -19,6 +19,9 @@ on:
     paths:
       - ".github/workflows/**"
 
+permissions:
+  contents: read
+
 jobs:
   enforce_pinned_workflows:
     name: Harden Security