fix: harden workflow permissions - set top-level permissions: {} and scope perms to jobs

Set `permissions: {}` at the top level of all workflow files to deny all permissions by default, then grant only the minimum required permissions at the job level. This fixes the Docker push failure caused by missing `packages: write` permission being scoped incorrectly. Changes per workflow: - build-testing-image.yml: add contents: read + packages: write to job - action-security.yml: consolidate contents: read, actions: read, pull-requests: read into the analyze job - codeql-new.yml: add actions: read to the analyze job - dependency-review.yml: add contents: read to the dependency-review job - issue-stats.yml: top-level only (no checkout, existing job perms sufficient) - new-release.yml: was read-all; job already has contents: write - pr-lint.yml: was contents: read + packages: read; job already has full perms - release.yml: job already has contents: write - security-suite.yml: move all perms to job level - stale.yml: top-level only (no checkout, existing job perms sufficient) - sync-labels.yml: was read-all; add contents: read to job for checkout - version-maintenance.yml: move all perms to job level Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com>
Initial plan
2026-03-05 23:55:09 +00:00 · 2026-03-05 21:22:44 +00:00 · 2026-03-05 21:18:15 +00:00
17 changed files with 37 additions and 40 deletions
--- a/.github/workflows/action-security.yml
+++ b/.github/workflows/action-security.yml
@@ -17,10 +17,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
-  actions: read
-  pull-requests: read
+permissions: {}

 jobs:
  analyze:
@@ -29,6 +26,9 @@ jobs:
    timeout-minutes: 30

    permissions:
+      contents: read
+      actions: read
+      pull-requests: read
      security-events: write
      statuses: write
      issues: write
--- a/.github/workflows/build-testing-image.yml
+++ b/.github/workflows/build-testing-image.yml
@@ -23,15 +23,16 @@ on:
        default: 'latest'
        type: string

-permissions:
-  contents: read
-  packages: write
+permissions: {}

 jobs:
  build-and-push:
    name: Build and Push Testing Image
    runs-on: ubuntu-latest
    timeout-minutes: 20
+    permissions:
+      contents: read
+      packages: write

    steps:
      - name: Checkout repository
--- a/.github/workflows/codeql-new.yml
+++ b/.github/workflows/codeql-new.yml
@@ -13,17 +13,16 @@ on:
    - cron: '30 1 * * 0' # Run at 1:30 AM UTC every Sunday
  merge_group:

-permissions:
-  actions: read
-  contents: read
+permissions: {}

 jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
-      security-events: write
+      actions: read
      contents: read
+      security-events: write

    strategy:
      fail-fast: false
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -4,12 +4,13 @@ name: 'Dependency Review'
 on:
  - pull_request

-permissions:
-  contents: read
+permissions: {}

 jobs:
  dependency-review:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
    steps:
      - name: 'Checkout Repository'
        uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
--- a/.github/workflows/issue-stats.yml
+++ b/.github/workflows/issue-stats.yml
@@ -5,8 +5,7 @@ on:
  schedule:
    - cron: '3 2 1 * *'

-permissions:
-  contents: read
+permissions: {}

 jobs:
  build:
--- a/.github/workflows/new-release.yml
+++ b/.github/workflows/new-release.yml
@@ -6,7 +6,7 @@ on:
  schedule:
    - cron: '0 21 * * *' # 00:00 at Europe/Helsinki

-permissions: read-all
+permissions: {}

 jobs:
  new-daily-release:
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -37,9 +37,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions:
-  contents: read
-  packages: read # Required for private dependencies
+permissions: {}

 jobs:
  megalinter:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,8 +7,7 @@ on:
    tags:
      - 'v*'

-permissions:
-  contents: read
+permissions: {}

 jobs:
  release:
--- a/.github/workflows/security-suite.yml
+++ b/.github/workflows/security-suite.yml
@@ -18,11 +18,7 @@ on:
      - '**/*.yaml'
      - '.github/workflows/**'

-permissions:
-  contents: read
-  pull-requests: write
-  issues: write
-  actions: read
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
@@ -32,6 +28,11 @@ jobs:
  security-analysis:
    name: Security Analysis
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      actions: read

    steps:
      - name: Checkout PR
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,10 +8,7 @@ on:
  workflow_call:
  workflow_dispatch:

-permissions:
-  contents: read
-  packages: read
-  statuses: read
+permissions: {}

 jobs:
  stale:
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -22,7 +22,7 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

-permissions: read-all
+permissions: {}

 jobs:
  labels:
@@ -31,6 +31,7 @@ jobs:
    timeout-minutes: 10

    permissions:
+      contents: read
      issues: write

    steps:
--- a/.github/workflows/version-maintenance.yml
+++ b/.github/workflows/version-maintenance.yml
@@ -12,15 +12,16 @@ on:
        required: false
        type: string

-permissions:
-  contents: write
-  pull-requests: write
-  issues: write
+permissions: {}

 jobs:
  check-and-update:
    name: Check Version References
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write

    steps:
      - name: Checkout Repository
--- a/biome-lint/action.yml
+++ b/biome-lint/action.yml
@@ -212,7 +212,7 @@ runs:

    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
      with:
        bun-version: latest

--- a/eslint-lint/action.yml
+++ b/eslint-lint/action.yml
@@ -319,7 +319,7 @@ runs:

    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
      with:
        bun-version: latest

--- a/npm-publish/action.yml
+++ b/npm-publish/action.yml
@@ -152,7 +152,7 @@ runs:

    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
      with:
        bun-version: latest

--- a/pr-lint/action.yml
+++ b/pr-lint/action.yml
@@ -156,7 +156,7 @@ runs:

    - name: Setup Bun
      if: steps.detect-node.outputs.found == 'true' && steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
      with:
        bun-version: latest

--- a/prettier-lint/action.yml
+++ b/prettier-lint/action.yml
@@ -305,7 +305,7 @@ runs:

    - name: Setup Bun
      if: steps.detect-pm.outputs.package-manager == 'bun'
-      uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
+      uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2.1.2
      with:
        bun-version: latest