ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-03-07 12:56:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden workflow permissions - set top-level permissions: {} and scope perms to jobs

Browse Source 
Set `permissions: {}` at the top level of all workflow files to deny all
permissions by default, then grant only the minimum required permissions at
the job level. This fixes the Docker push failure caused by missing
`packages: write` permission being scoped incorrectly.

Changes per workflow:
- build-testing-image.yml: add contents: read + packages: write to job
- action-security.yml: consolidate contents: read, actions: read,
  pull-requests: read into the analyze job
- codeql-new.yml: add actions: read to the analyze job
- dependency-review.yml: add contents: read to the dependency-review job
- issue-stats.yml: top-level only (no checkout, existing job perms sufficient)
- new-release.yml: was read-all; job already has contents: write
- pr-lint.yml: was contents: read + packages: read; job already has full perms
- release.yml: job already has contents: write
- security-suite.yml: move all perms to job level
- stale.yml: top-level only (no checkout, existing job perms sufficient)
- sync-labels.yml: was read-all; add contents: read to job for checkout
- version-maintenance.yml: move all perms to job level

Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-03-05 21:22:44 +00:00
parent 763cbbb0be
commit 40f722ec18
12 changed files with 32 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
.github/workflows/action-security.yml vendored
View File

@@ -17,10 +17,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
contents: read
actions: read
pull-requests: read
jobs: jobs:
analyze: analyze:
@@ -29,6 +26,9 @@ jobs:
timeout-minutes: 30 timeout-minutes: 30
permissions: permissions:
contents: read
actions: read
pull-requests: read
security-events: write security-events: write
statuses: write statuses: write
issues: write issues: write

7
.github/workflows/build-testing-image.yml vendored
View File

@@ -23,15 +23,16 @@ on:
default: 'latest' default: 'latest'
type: string type: string
permissions: permissions: {}
contents: read
packages: write
jobs: jobs:
build-and-push: build-and-push:
name: Build and Push Testing Image name: Build and Push Testing Image
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 20 timeout-minutes: 20
permissions:
contents: read
packages: write
steps: steps:
- name: Checkout repository - name: Checkout repository

7
.github/workflows/codeql-new.yml vendored
View File

@@ -13,17 +13,16 @@ on:
- cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
merge_group: merge_group:
permissions: permissions: {}
actions: read
contents: read
jobs: jobs:
analyze: analyze:
name: Analyze (${{ matrix.language }}) name: Analyze (${{ matrix.language }})
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
security-events: write actions: read
contents: read contents: read
security-events: write
strategy: strategy:
fail-fast: false fail-fast: false

5
.github/workflows/dependency-review.yml vendored
View File

@@ -4,12 +4,13 @@ name: 'Dependency Review'
on: on:
- pull_request - pull_request
permissions: permissions: {}
contents: read
jobs: jobs:
dependency-review: dependency-review:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- name: 'Checkout Repository' - name: 'Checkout Repository'
uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta

3
.github/workflows/issue-stats.yml vendored
View File

@@ -5,8 +5,7 @@ on:
schedule: schedule:
- cron: '3 2 1 * *' - cron: '3 2 1 * *'
permissions: permissions: {}
contents: read
jobs: jobs:
build: build:

2
.github/workflows/new-release.yml vendored
View File

@@ -6,7 +6,7 @@ on:
schedule: schedule:
- cron: '0 21 * * *' # 00:00 at Europe/Helsinki - cron: '0 21 * * *' # 00:00 at Europe/Helsinki
permissions: read-all permissions: {}
jobs: jobs:
new-daily-release: new-daily-release:

4
.github/workflows/pr-lint.yml vendored
View File

@@ -37,9 +37,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
contents: read
packages: read # Required for private dependencies
jobs: jobs:
megalinter: megalinter:

3
.github/workflows/release.yml vendored
View File

@@ -7,8 +7,7 @@ on:
tags: tags:
- 'v*' - 'v*'
permissions: permissions: {}
contents: read
jobs: jobs:
release: release:

11
.github/workflows/security-suite.yml vendored
View File

@@ -18,11 +18,7 @@ on:
- '**/*.yaml' - '**/*.yaml'
- '.github/workflows/**' - '.github/workflows/**'
permissions: permissions: {}
contents: read
pull-requests: write
issues: write
actions: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number }} group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -32,6 +28,11 @@ jobs:
security-analysis: security-analysis:
name: Security Analysis name: Security Analysis
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
issues: write
actions: read
steps: steps:
- name: Checkout PR - name: Checkout PR

5
.github/workflows/stale.yml vendored
View File

@@ -8,10 +8,7 @@ on:
workflow_call: workflow_call:
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
contents: read
packages: read
statuses: read
jobs: jobs:
stale: stale:

3
.github/workflows/sync-labels.yml vendored
View File

@@ -22,7 +22,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: read-all permissions: {}
jobs: jobs:
labels: labels:
@@ -31,6 +31,7 @@ jobs:
timeout-minutes: 10 timeout-minutes: 10
permissions: permissions:
contents: read
issues: write issues: write
steps: steps:

9
.github/workflows/version-maintenance.yml vendored
View File

@@ -12,15 +12,16 @@ on:
required: false required: false
type: string type: string
permissions: permissions: {}
contents: write
pull-requests: write
issues: write
jobs: jobs:
check-and-update: check-and-update:
name: Check Version References name: Check Version References
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
issues: write
steps: steps:
- name: Checkout Repository - name: Checkout Repository