Minimize GHA permissions

Set the GitHub Actions token permission to null in most workflows. This results in: GITHUB_TOKEN Permissions Metadata: read The default permissions, used without the null override, are either GITHUB_TOKEN Permissions Actions: write Checks: write Contents: write Deployments: write Discussions: write Issues: write Metadata: read Packages: write Pages: write PullRequests: write RepositoryProjects: write SecurityEvents: write Statuses: write or GITHUB_TOKEN Permissions Actions: read Checks: read Contents: read Deployments: read Discussions: read Issues: read Metadata: read Packages: read Pages: read PullRequests: read RepositoryProjects: read SecurityEvents: read Statuses: read Jobs triggered by PRs get read permissions, other jobs get write. Two jobs require non-null permissions to function. The Anchore vulnerability scan GHA that reports results on merges needs security-events write permission to publish SARIF reports using github/codeql-action/upload-sarif. Fails with HTTP 403 otherwise. The dependent issues GHA needs PR/issues write permissions to add/remove `dependent` labels. It needs status write permission to block/unblock PRs when dependencies are missing/met. Fails with HttpError otherwise. Signed-off-by: Daniel Farrell <[email protected]>
submariner-io · Aug 25, 2022 · 9c0f1ae · 9c0f1ae
1 parent 72d91fd
commit 9c0f1ae
Show file tree

Hide file tree

Showing 17 changed files with 39 additions and 0 deletions.
diff --git a/.github/workflows/branch.yml b/.github/workflows/branch.yml
@@ -4,6 +4,8 @@ name: Branch Checks
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   target_branch:
     name: PR targets branch

diff --git a/.github/workflows/codeowners.yml b/.github/workflows/codeowners.yml
@@ -7,6 +7,8 @@ on:
       - 'CODEOWNERS'
       - 'CODEOWNERS.in'
 
+permissions: {}
+
 jobs:
   updated:
     name: Up-to-date

diff --git a/.github/workflows/dependent-issues.yml b/.github/workflows/dependent-issues.yml
@@ -19,6 +19,11 @@ on:
   schedule:
     - cron: '0 0/6 * * *'  # every 6 hours
 
+permissions:
+  issues: write
+  pull-requests: write
+  statuses: write
+
 jobs:
   check:
     name: Check Dependencies

diff --git a/.github/workflows/e2e-all-k8s.yml b/.github/workflows/e2e-all-k8s.yml
@@ -7,6 +7,8 @@ on:
   schedule:
     - cron: "0 0 * * 6"
 
+permissions: {}
+
 jobs:
   e2e:
     name: E2E All K8s

diff --git a/.github/workflows/e2e-full.yml b/.github/workflows/e2e-full.yml
@@ -5,6 +5,8 @@ on:
   pull_request:
     types: [labeled, opened, synchronize, reopened]
 
+permissions: {}
+
 jobs:
   e2e:
     name: E2E

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -5,6 +5,8 @@ on:
   pull_request:
     types: [ready_for_review, opened, reopened, synchronize, converted_to_draft, labeled]
 
+permissions: {}
+
 jobs:
   e2e:
     name: E2E

diff --git a/.github/workflows/flake_finder.yml b/.github/workflows/flake_finder.yml
@@ -5,6 +5,8 @@ on:
   schedule:
     - cron: "0 0,1 * * *"
 
+permissions: {}
+
 jobs:
   e2e:
     name: E2E

diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -4,6 +4,8 @@ name: Linting
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   apply-suggestions-commits:
     name: 'No "Apply suggestions from code review" Commits'

diff --git a/.github/workflows/multiarch.yml b/.github/workflows/multiarch.yml
@@ -4,6 +4,8 @@ name: Multi-arch Builds
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   check-multiarch:
     name: Check the multi-arch builds

diff --git a/.github/workflows/periodic.yml b/.github/workflows/periodic.yml
@@ -5,6 +5,8 @@ on:
   schedule:
     - cron: "0 0 * * 0"
 
+permissions: {}
+
 jobs:
   markdown-link-check-periodic:
     name: Markdown Links (all files)

diff --git a/.github/workflows/prometheus.yml b/.github/workflows/prometheus.yml
@@ -5,6 +5,8 @@ on:
   pull_request:
     types: [labeled, opened, synchronize, reopened]
 
+permissions: {}
+
 jobs:
   check:
     name: Metrics Exported

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,8 @@ on:
       - devel
       - release-*
 
+permissions: {}
+
 jobs:
   release:
     name: Release Images

diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
@@ -7,11 +7,15 @@ on:
       - devel
       - release-*
 
+permissions: {}
+
 jobs:
   vulnerability-scan:
     name: Vulnerability Scanning
     if: github.repository_owner == 'submariner-io'
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Check out the repository
         uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

diff --git a/.github/workflows/subctl-unit.yml b/.github/workflows/subctl-unit.yml
@@ -4,6 +4,8 @@ name: Consuming Projects
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   unit-testing:
     name: Check subctl

diff --git a/.github/workflows/system.yml b/.github/workflows/system.yml
@@ -4,6 +4,8 @@ name: System Tests
 on:
   pull_request:
 
+permissions: {}
+
 jobs:
   system-test:
     name: Deployment

diff --git a/.github/workflows/unit.yml b/.github/workflows/unit.yml
@@ -7,6 +7,8 @@ on:
     tags:
       - 'v**'
 
+permissions: {}
+
 jobs:
   unit-testing:
     name: Go Unit Tests

diff --git a/.github/workflows/upgrade-e2e.yml b/.github/workflows/upgrade-e2e.yml
@@ -6,6 +6,8 @@ on:
     types: [ready_for_review, opened, reopened, synchronize, converted_to_draft, labeled]
     branches: [devel]
 
+permissions: {}
+
 jobs:
   upgrade-e2e:
     name: Latest Release to Latest Version
-Original file line number
+Diff line change
@@ Expand Up / @@ -7,6 +7,8 @@ on: @@
         tags:
           - 'v**'
+    permissions: {}
     jobs:
       unit-testing:
         name: Go Unit Tests
@@ Expand Down @@