From 40f722ec1840e7300d6faeea3d4e4ee1758e09bc Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Thu, 5 Mar 2026 21:22:44 +0000 Subject: [PATCH] fix: harden workflow permissions - set top-level permissions: {} and scope perms to jobs Set `permissions: {}` at the top level of all workflow files to deny all permissions by default, then grant only the minimum required permissions at the job level. This fixes the Docker push failure caused by missing `packages: write` permission being scoped incorrectly. Changes per workflow: - build-testing-image.yml: add contents: read + packages: write to job - action-security.yml: consolidate contents: read, actions: read, pull-requests: read into the analyze job - codeql-new.yml: add actions: read to the analyze job - dependency-review.yml: add contents: read to the dependency-review job - issue-stats.yml: top-level only (no checkout, existing job perms sufficient) - new-release.yml: was read-all; job already has contents: write - pr-lint.yml: was contents: read + packages: read; job already has full perms - release.yml: job already has contents: write - security-suite.yml: move all perms to job level - stale.yml: top-level only (no checkout, existing job perms sufficient) - sync-labels.yml: was read-all; add contents: read to job for checkout - version-maintenance.yml: move all perms to job level Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com> --- .github/workflows/action-security.yml | 8 ++++---- .github/workflows/build-testing-image.yml | 7 ++++--- .github/workflows/codeql-new.yml | 7 +++---- .github/workflows/dependency-review.yml | 5 +++-- .github/workflows/issue-stats.yml | 3 +-- .github/workflows/new-release.yml | 2 +- .github/workflows/pr-lint.yml | 4 +--- .github/workflows/release.yml | 3 +-- .github/workflows/security-suite.yml | 11 ++++++----- .github/workflows/stale.yml | 5 +---- .github/workflows/sync-labels.yml | 3 ++- .github/workflows/version-maintenance.yml | 9 +++++---- 12 files changed, 32 insertions(+), 35 deletions(-) diff --git a/.github/workflows/action-security.yml b/.github/workflows/action-security.yml index af99a25..94c5902 100644 --- a/.github/workflows/action-security.yml +++ b/.github/workflows/action-security.yml @@ -17,10 +17,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - actions: read - pull-requests: read +permissions: {} jobs: analyze: @@ -29,6 +26,9 @@ jobs: timeout-minutes: 30 permissions: + contents: read + actions: read + pull-requests: read security-events: write statuses: write issues: write diff --git a/.github/workflows/build-testing-image.yml b/.github/workflows/build-testing-image.yml index b70255d..17c3577 100644 --- a/.github/workflows/build-testing-image.yml +++ b/.github/workflows/build-testing-image.yml @@ -23,15 +23,16 @@ on: default: 'latest' type: string -permissions: - contents: read - packages: write +permissions: {} jobs: build-and-push: name: Build and Push Testing Image runs-on: ubuntu-latest timeout-minutes: 20 + permissions: + contents: read + packages: write steps: - name: Checkout repository diff --git a/.github/workflows/codeql-new.yml b/.github/workflows/codeql-new.yml index 55a00c3..4d1e37d 100644 --- a/.github/workflows/codeql-new.yml +++ b/.github/workflows/codeql-new.yml @@ -13,17 +13,16 @@ on: - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday merge_group: -permissions: - actions: read - contents: read +permissions: {} jobs: analyze: name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest permissions: - security-events: write + actions: read contents: read + security-events: write strategy: fail-fast: false diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index d716a6d..54a1c3f 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -4,12 +4,13 @@ name: 'Dependency Review' on: - pull_request -permissions: - contents: read +permissions: {} jobs: dependency-review: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: 'Checkout Repository' uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta diff --git a/.github/workflows/issue-stats.yml b/.github/workflows/issue-stats.yml index 2b9e91c..5778ab4 100644 --- a/.github/workflows/issue-stats.yml +++ b/.github/workflows/issue-stats.yml @@ -5,8 +5,7 @@ on: schedule: - cron: '3 2 1 * *' -permissions: - contents: read +permissions: {} jobs: build: diff --git a/.github/workflows/new-release.yml b/.github/workflows/new-release.yml index 071070a..7bbb45c 100644 --- a/.github/workflows/new-release.yml +++ b/.github/workflows/new-release.yml @@ -6,7 +6,7 @@ on: schedule: - cron: '0 21 * * *' # 00:00 at Europe/Helsinki -permissions: read-all +permissions: {} jobs: new-daily-release: diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index ded404b..107477b 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml @@ -37,9 +37,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: - contents: read - packages: read # Required for private dependencies +permissions: {} jobs: megalinter: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c800f45..303a62c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,8 +7,7 @@ on: tags: - 'v*' -permissions: - contents: read +permissions: {} jobs: release: diff --git a/.github/workflows/security-suite.yml b/.github/workflows/security-suite.yml index 4bacd4b..ffa73fd 100644 --- a/.github/workflows/security-suite.yml +++ b/.github/workflows/security-suite.yml @@ -18,11 +18,7 @@ on: - '**/*.yaml' - '.github/workflows/**' -permissions: - contents: read - pull-requests: write - issues: write - actions: read +permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number }} @@ -32,6 +28,11 @@ jobs: security-analysis: name: Security Analysis runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + issues: write + actions: read steps: - name: Checkout PR diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 26a24c2..86061c3 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -8,10 +8,7 @@ on: workflow_call: workflow_dispatch: -permissions: - contents: read - packages: read - statuses: read +permissions: {} jobs: stale: diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml index 4792b09..070aa0e 100644 --- a/.github/workflows/sync-labels.yml +++ b/.github/workflows/sync-labels.yml @@ -22,7 +22,7 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: read-all +permissions: {} jobs: labels: @@ -31,6 +31,7 @@ jobs: timeout-minutes: 10 permissions: + contents: read issues: write steps: diff --git a/.github/workflows/version-maintenance.yml b/.github/workflows/version-maintenance.yml index b810f44..7c3ad02 100644 --- a/.github/workflows/version-maintenance.yml +++ b/.github/workflows/version-maintenance.yml @@ -12,15 +12,16 @@ on: required: false type: string -permissions: - contents: write - pull-requests: write - issues: write +permissions: {} jobs: check-and-update: name: Check Version References runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + issues: write steps: - name: Checkout Repository