ci: restrict workflow permissions

semgr8ns · Feb 5, 2024 · 3749294 · 3749294
1 parent 0961391
commit 3749294
Show file tree

Hide file tree

Showing 14 changed files with 168 additions and 110 deletions.
diff --git a/.github/workflows/.reusable-build.yml b/.github/workflows/.reusable-build.yml
@@ -1,6 +1,6 @@
 name: build
 
-#permissions: {}  #TODO: reactivate for non-private
+permissions: {}
 
 on:
   workflow_call:
@@ -51,7 +51,7 @@ jobs:
   context:
     runs-on: ubuntu-latest
     if: inputs.skip != 'all'
-    #    permissions: {}  #TODO: reactivate for non-private
+    permissions: {}
     outputs:
       chart_version: ${{ steps.get_context.outputs.chart_version }}
       original_registry: ${{ steps.get_context.outputs.original_registry }}
@@ -77,8 +77,8 @@ jobs:
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
     needs: [context]
-    #    permissions:  #TODO: reactivate for non-private
-    #      packages: write
+    permissions:
+      packages: write
     outputs:
       cosign_public_key: ${{ steps.build.outputs.cosign_public_key }}
     steps:

diff --git a/.github/workflows/.reusable-ci.yml b/.github/workflows/.reusable-ci.yml
@@ -1,6 +1,6 @@
 name: ci
 
-#permissions: {}  #TODO: reactivate for non-private
+permissions: {}
 
 on:
   workflow_call:
@@ -96,29 +96,29 @@ jobs:
   build:
     uses: ./.github/workflows/.reusable-build.yml
     needs: [conditionals]
-    #    permissions:  #TODO: reactivate for non-private
-    #      packages: write
+    permissions:
+      packages: write
     secrets: inherit
     with:
       skip: ${{ needs.conditionals.outputs.skip_build }}
 
   compliance:
     uses: ./.github/workflows/.reusable-compliance.yml
     needs: [conditionals]
-    #    permissions:  #TODO: reactivate for non-private
-    #      contents: write
-    #      id-token: write
-    #      security-events: write
-    #      actions: read
-    #      checks: read
-    #      deployments: read
-    #      issues: read
-    #      discussions: read
-    #      packages: read
-    #      pages: read
-    #      pull-requests: read
-    #      repository-projects: read
-    #      statuses: read
+    permissions:
+      actions: read
+      checks: read
+      contents: write
+      deployments: read
+      discussions: read
+      id-token: write
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      security-events: write
+      statuses: read
     secrets: inherit
     with:
       skip: ${{ needs.conditionals.outputs.skip_compliance_checks }}
@@ -132,20 +132,20 @@ jobs:
   sast:
     uses: ./.github/workflows/.reusable-sast.yml
     needs: [conditionals]
-    #    permissions:  #TODO: reactivate for non-private
-    #      security-events: write
-    #      pull-requests: read
+    permissions:
+      pull-requests: read
+      security-events: write
     with:
       skip: ${{ needs.conditionals.outputs.skip_sast }}
       output: ${{ needs.conditionals.outputs.output_type }}
 
   sca:
     uses: ./.github/workflows/.reusable-sca.yml
     needs: [conditionals, build]
-    #    permissions:  #TODO: reactivate for non-private
-    #      contents: write
-    #      security-events: write
-    #      packages: read
+    permissions:
+      contents: write
+      packages: read
+      security-events: write
     secrets: inherit
     with:
       registry: ${{ needs.build.outputs.build_registry }}
@@ -157,16 +157,16 @@ jobs:
   docs:
     uses: ./.github/workflows/.reusable-docs.yml
     needs: [conditionals]
-    #    permissions:  #TODO: reactivate for non-private
-    #      contents: write
+    permissions:
+      contents: write
     with:
       skip: ${{ needs.conditionals.outputs.skip_docs }}
 
   integration-test:
     uses: ./.github/workflows/.reusable-integration-test.yml
     needs: [conditionals, build]
-    #    permissions:  #TODO: reactivate for non-private
-    #      packages: read
+    permissions:
+      packages: read
     secrets: inherit
     with:
       build_registry: ${{ needs.build.outputs.build_registry }}

diff --git a/.github/workflows/.reusable-compliance.yml b/.github/workflows/.reusable-compliance.yml
@@ -1,5 +1,7 @@
 name: compliance
 
+permissions: read-all
+
 on:
   workflow_call:
     inputs:
@@ -8,18 +10,15 @@ on:
         type: string
         default: "none"
 
-#permissions: read-all
-
 jobs:
   ossf-scorecard:
     runs-on: ubuntu-latest
     if: |
       (github.ref_name == 'main' || github.event_name == 'pull_request') &&
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      security-events: write
-    #      id-token: write
+    permissions:
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -44,9 +43,8 @@ jobs:
       github.event_name == 'pull_request' &&
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      contents: write
-    #      pull-requests: write
+    permissions:
+      contents: write
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -60,7 +58,7 @@ jobs:
     if: |
       github.event_name == 'pull_request' &&
       inputs.skip != 'all'
-    #    permissions: {}  #TODO: reactivate for non-private
+    permissions: {}
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/.github/workflows/.reusable-docs.yml b/.github/workflows/.reusable-docs.yml
@@ -1,6 +1,6 @@
 name: docs
 
-#permissions: {}  #TODO: reactivate for non-private
+permissions: {}
 
 on:
   workflow_call:

diff --git a/.github/workflows/.reusable-integration-test.yml b/.github/workflows/.reusable-integration-test.yml
@@ -1,6 +1,6 @@
 name: integration-test
 
-#permissions: {}  #TODO: reactivate for non-private
+permissions: {}
 
 on:
   workflow_call:
@@ -33,8 +33,8 @@ jobs:
     name: functional
     runs-on: ubuntu-latest
     if: inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      packages: read
+    permissions:
+      packages: read
     env:
       IMAGE: ${{ inputs.build_image_repository }}
       TAG: ${{ inputs.build_tag }}
@@ -86,8 +86,8 @@ jobs:
     if: |
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      packages: read
+    permissions:
+      packages: read
     env:
       IMAGE: ${{ inputs.build_image_repository }}
       TAG: ${{ inputs.build_tag }}
@@ -137,8 +137,8 @@ jobs:
     name: k8s versions
     runs-on: ubuntu-latest
     if: inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      packages: read
+    permissions:
+      packages: read
     env:
       IMAGE: ${{ inputs.build_image_repository }}
       TAG: ${{ inputs.build_tag }}
@@ -189,8 +189,8 @@ jobs:
     if: |
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      packages: read
+    permissions:
+      packages: read
     env:
       IMAGE: ${{ inputs.build_image_repository }}
       TAG: ${{ inputs.build_tag }}

diff --git a/.github/workflows/.reusable-sast.yml b/.github/workflows/.reusable-sast.yml
@@ -1,5 +1,7 @@
 name: sast
 
+permissions: {}
+
 on:
   workflow_call:
     inputs:
@@ -13,8 +15,6 @@ on:
         required: false
         default: 'sarif'
 
-#permissions: {}  #TODO: reactivate for non-private
-
 jobs:
   bandit:
     runs-on: ubuntu-latest
@@ -61,8 +61,8 @@ jobs:
       (github.actor != 'dependabot[bot]') &&
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      security-events: write
+    permissions:
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -117,8 +117,8 @@ jobs:
       (github.actor != 'dependabot[bot]') &&
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      security-events: write
+    permissions:
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -149,8 +149,8 @@ jobs:
       (github.actor != 'dependabot[bot]') &&
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      security-events: write
+    permissions:
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -198,8 +198,8 @@ jobs:
       (github.actor != 'dependabot[bot]') &&
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      security-events: write
+    permissions:
+      security-events: write
     container:
       image: returntocorp/semgrep
     steps:
@@ -224,8 +224,8 @@ jobs:
       (github.actor != 'dependabot[bot]') &&
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      security-events: write
+    permissions:
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

diff --git a/.github/workflows/.reusable-sca.yml b/.github/workflows/.reusable-sca.yml
@@ -1,6 +1,6 @@
 name: sca
 
-#permissions: {}  #TODO: reactivate for non-private
+permissions: {}
 
 on:
   workflow_call:
@@ -34,9 +34,9 @@ jobs:
     name: trivy image
     runs-on: ubuntu-latest
     if: inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      packages: read
-    #      security-events: write
+    permissions:
+      packages: read
+      security-events: write
     container:
       image: docker:stable
     steps:
@@ -57,9 +57,9 @@ jobs:
     if: |
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      packages: read
-    #      security-events: write
+    permissions:
+      packages: read
+      security-events: write
     container:
       image: docker:stable
     steps:
@@ -81,9 +81,9 @@ jobs:
     if: |
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      packages: read
-    #      contents: write
+    permissions:
+      packages: read
+      contents: write
     steps:
       - name: Login with registry
         if: inputs.registry != ''

diff --git a/.github/workflows/.reusable-unit-test.yml b/.github/workflows/.reusable-unit-test.yml
@@ -1,6 +1,6 @@
 name: unit-test
 
-#permissions: {}  #TODO: reactivate for non-private
+permissions: {}
 
 on:
   workflow_call: