Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: restrict workflow permissions #36

Merged
merged 1 commit into from
Feb 5, 2024
Merged

ci: restrict workflow permissions #36

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions .github/workflows/.reusable-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: build

#permissions: {} #TODO: reactivate for non-private
permissions: {}

on:
workflow_call:
Expand Down Expand Up @@ -51,7 +51,7 @@ jobs:
context:
runs-on: ubuntu-latest
if: inputs.skip != 'all'
# permissions: {} #TODO: reactivate for non-private
permissions: {}
outputs:
chart_version: ${{ steps.get_context.outputs.chart_version }}
original_registry: ${{ steps.get_context.outputs.original_registry }}
Expand All @@ -77,8 +77,8 @@ jobs:
inputs.skip != 'non-required' &&
inputs.skip != 'all'
needs: [context]
# permissions: #TODO: reactivate for non-private
# packages: write
permissions:
packages: write
outputs:
cosign_public_key: ${{ steps.build.outputs.cosign_public_key }}
steps:
Expand Down
56 changes: 28 additions & 28 deletions .github/workflows/.reusable-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: ci

#permissions: {} #TODO: reactivate for non-private
permissions: {}

on:
workflow_call:
Expand Down Expand Up @@ -96,29 +96,29 @@ jobs:
build:
uses: ./.github/workflows/.reusable-build.yml
needs: [conditionals]
# permissions: #TODO: reactivate for non-private
# packages: write
permissions:
packages: write
secrets: inherit
with:
skip: ${{ needs.conditionals.outputs.skip_build }}

compliance:
uses: ./.github/workflows/.reusable-compliance.yml
needs: [conditionals]
# permissions: #TODO: reactivate for non-private
# contents: write
# id-token: write
# security-events: write
# actions: read
# checks: read
# deployments: read
# issues: read
# discussions: read
# packages: read
# pages: read
# pull-requests: read
# repository-projects: read
# statuses: read
permissions:
actions: read
checks: read
contents: write
deployments: read
discussions: read
id-token: write
issues: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: write
statuses: read
secrets: inherit
with:
skip: ${{ needs.conditionals.outputs.skip_compliance_checks }}
Expand All @@ -132,20 +132,20 @@ jobs:
sast:
uses: ./.github/workflows/.reusable-sast.yml
needs: [conditionals]
# permissions: #TODO: reactivate for non-private
# security-events: write
# pull-requests: read
permissions:
pull-requests: read
security-events: write
with:
skip: ${{ needs.conditionals.outputs.skip_sast }}
output: ${{ needs.conditionals.outputs.output_type }}

sca:
uses: ./.github/workflows/.reusable-sca.yml
needs: [conditionals, build]
# permissions: #TODO: reactivate for non-private
# contents: write
# security-events: write
# packages: read
permissions:
contents: write
packages: read
security-events: write
secrets: inherit
with:
registry: ${{ needs.build.outputs.build_registry }}
Expand All @@ -157,16 +157,16 @@ jobs:
docs:
uses: ./.github/workflows/.reusable-docs.yml
needs: [conditionals]
# permissions: #TODO: reactivate for non-private
# contents: write
permissions:
contents: write
with:
skip: ${{ needs.conditionals.outputs.skip_docs }}

integration-test:
uses: ./.github/workflows/.reusable-integration-test.yml
needs: [conditionals, build]
# permissions: #TODO: reactivate for non-private
# packages: read
permissions:
packages: read
secrets: inherit
with:
build_registry: ${{ needs.build.outputs.build_registry }}
Expand Down
16 changes: 7 additions & 9 deletions .github/workflows/.reusable-compliance.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
name: compliance

permissions: read-all

on:
workflow_call:
inputs:
Expand All @@ -8,18 +10,15 @@ on:
type: string
default: "none"

#permissions: read-all

jobs:
ossf-scorecard:
runs-on: ubuntu-latest
if: |
(github.ref_name == 'main' || github.event_name == 'pull_request') &&
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# security-events: write
# id-token: write
permissions:
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand All @@ -44,9 +43,8 @@ jobs:
github.event_name == 'pull_request' &&
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# contents: write
# pull-requests: write
permissions:
contents: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand All @@ -60,7 +58,7 @@ jobs:
if: |
github.event_name == 'pull_request' &&
inputs.skip != 'all'
# permissions: {} #TODO: reactivate for non-private
permissions: {}
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/.reusable-docs.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: docs

#permissions: {} #TODO: reactivate for non-private
permissions: {}

on:
workflow_call:
Expand Down
18 changes: 9 additions & 9 deletions .github/workflows/.reusable-integration-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: integration-test

#permissions: {} #TODO: reactivate for non-private
permissions: {}

on:
workflow_call:
Expand Down Expand Up @@ -33,8 +33,8 @@ jobs:
name: functional
runs-on: ubuntu-latest
if: inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# packages: read
permissions:
packages: read
env:
IMAGE: ${{ inputs.build_image_repository }}
TAG: ${{ inputs.build_tag }}
Expand Down Expand Up @@ -86,8 +86,8 @@ jobs:
if: |
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# packages: read
permissions:
packages: read
env:
IMAGE: ${{ inputs.build_image_repository }}
TAG: ${{ inputs.build_tag }}
Expand Down Expand Up @@ -137,8 +137,8 @@ jobs:
name: k8s versions
runs-on: ubuntu-latest
if: inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# packages: read
permissions:
packages: read
env:
IMAGE: ${{ inputs.build_image_repository }}
TAG: ${{ inputs.build_tag }}
Expand Down Expand Up @@ -189,8 +189,8 @@ jobs:
if: |
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# packages: read
permissions:
packages: read
env:
IMAGE: ${{ inputs.build_image_repository }}
TAG: ${{ inputs.build_tag }}
Expand Down
24 changes: 12 additions & 12 deletions .github/workflows/.reusable-sast.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
name: sast

permissions: {}

on:
workflow_call:
inputs:
Expand All @@ -13,8 +15,6 @@ on:
required: false
default: 'sarif'

#permissions: {} #TODO: reactivate for non-private

jobs:
bandit:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -61,8 +61,8 @@ jobs:
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# security-events: write
permissions:
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand Down Expand Up @@ -117,8 +117,8 @@ jobs:
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# security-events: write
permissions:
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand Down Expand Up @@ -149,8 +149,8 @@ jobs:
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# security-events: write
permissions:
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand Down Expand Up @@ -198,8 +198,8 @@ jobs:
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# security-events: write
permissions:
security-events: write
container:
image: returntocorp/semgrep
steps:
Expand All @@ -224,8 +224,8 @@ jobs:
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# security-events: write
permissions:
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand Down
20 changes: 10 additions & 10 deletions .github/workflows/.reusable-sca.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: sca

#permissions: {} #TODO: reactivate for non-private
permissions: {}

on:
workflow_call:
Expand Down Expand Up @@ -34,9 +34,9 @@ jobs:
name: trivy image
runs-on: ubuntu-latest
if: inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# packages: read
# security-events: write
permissions:
packages: read
security-events: write
container:
image: docker:stable
steps:
Expand All @@ -57,9 +57,9 @@ jobs:
if: |
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# packages: read
# security-events: write
permissions:
packages: read
security-events: write
container:
image: docker:stable
steps:
Expand All @@ -81,9 +81,9 @@ jobs:
if: |
inputs.skip != 'non-required' &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# packages: read
# contents: write
permissions:
packages: read
contents: write
steps:
- name: Login with registry
if: inputs.registry != ''
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/.reusable-unit-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: unit-test

#permissions: {} #TODO: reactivate for non-private
permissions: {}

on:
workflow_call:
Expand Down
Loading
Loading