From 2992f13432785c3f00eba21a5796186c97841ad0 Mon Sep 17 00:00:00 2001 From: per1234 Date: Sun, 25 Jun 2023 18:56:07 -0700 Subject: [PATCH] Configure permissions of GITHUB_TOKEN in workflows `GITHUB_TOKEN` is an access token that is automatically generated and made accessible for use in GitHub Actions workflow runs. The global default permissions of this token for workflow runs in a trusted context (i.e., not triggered by a `pull_request` event from a fork) are set in the GiHub enterprise/organization/repository's administrative settings, giving it either read-only or write permissions in all scopes. In the case of a read-only default configuration, any workflow operations that require write permissions would fail with an error like: > 403: Resource not accessible by integration In the case of a write default configuration, workflows have unnecessary permissions, which violates the security principle of least privilege. For this reason, GitHub Actions now allows fine grained control at a per-workflow or per-workflow job scope of the permissions provided to the token. This is done using the `permissions` workflow key, which is used here to configure the workflows for only the permissions require by each individual job. I chose to always configure permissions at the job level even though in some cases the same permissions configuration could be used for all jobs in a workflow. Even if functionally equivalent, I think it is semantically more appropriate to always set the permissions at the job scope since the intention is to make the most granular possible permissions configuration. Hopefully this approach will increase the likelihood that appropriate permissions configurations will be made in any additional jobs that are added to the workflows in the future. The automatic permissions downgrade from write to read for workflow runs in an untrusted context (e.g., triggered by a `pull_request` event from a fork) is unaffected by this change. Even when all permissions are withheld (`permissions: {}`), the token still provides the authenticated API request rate limiting allowance (authenticating API requests to avoid rate limiting is a one of the uses of the token in these workflows). Read permissions are required in the "contents" scope in order to checkout private repositories. Even though those permissions are not required when the workflows are installed in public repositories, the templates are intended to be applicable in public and private repositories both and so a small excess in permissions was chosen instead of the alternative of having to maintain separate variants of each workflow for use in public or private repos. --- .github/workflows/check-ci-sync.yml | 1 + .github/workflows/check-clang-format.yml | 5 +++++ .github/workflows/check-community-health-sync.yml | 1 + .github/workflows/check-config-sync.yml | 1 + .github/workflows/check-dependabot.yml | 1 + .github/workflows/check-eslint.yml | 1 + .github/workflows/check-files-task.yml | 5 +++++ .github/workflows/check-general-formatting-task.yml | 3 +++ .github/workflows/check-issue-templates.yml | 1 + .github/workflows/check-javascript-task.yml | 6 +++--- .github/workflows/check-labels.yml | 1 + .github/workflows/check-license.yml | 3 +++ .github/workflows/check-markdown-task.yml | 5 +++++ .github/workflows/check-markdownlint.yml | 1 + .github/workflows/check-npm-task.yml | 8 +++++--- .github/workflows/check-prettier-formatting-task.yml | 3 +++ .github/workflows/check-python-task.yml | 5 +++++ .github/workflows/check-shell-task.yml | 7 +++++++ .github/workflows/check-taskfiles.yml | 3 +++ .github/workflows/check-workflows-task.yml | 2 ++ .github/workflows/check-yaml-task.yml | 3 +++ .github/workflows/spell-check-task.yml | 3 +++ .github/workflows/sync-labels-npm.yml | 6 ++++++ .github/workflows/test-install-script.yml | 6 ++++++ .github/workflows/test-python-poetry-task.yml | 3 +++ workflow-templates/check-action-metadata-task.yml | 3 +++ workflow-templates/check-certificates.yml | 2 ++ workflow-templates/check-files-task.yml | 5 +++++ workflow-templates/check-general-formatting-task.yml | 3 +++ workflow-templates/check-go-dependencies-task.yml | 5 +++++ workflow-templates/check-go-task.yml | 11 +++++++++++ workflow-templates/check-javascript-task.yml | 6 +++--- workflow-templates/check-license.yml | 3 +++ workflow-templates/check-markdown-task.yml | 5 +++++ workflow-templates/check-mkdocs-task.yml | 3 +++ workflow-templates/check-npm-dependencies-task.yml | 5 +++++ workflow-templates/check-npm-task.yml | 8 +++++--- workflow-templates/check-prettier-formatting-task.yml | 3 +++ workflow-templates/check-python-task.yml | 5 +++++ workflow-templates/check-shell-task.yml | 7 +++++++ workflow-templates/check-taskfiles.yml | 3 +++ workflow-templates/check-toc-task.yml | 3 +++ workflow-templates/check-workflows-task.yml | 2 ++ workflow-templates/check-yaml-task.yml | 3 +++ .../deploy-cobra-mkdocs-versioned-poetry.yml | 3 +++ workflow-templates/deploy-mkdocs-poetry.yml | 2 ++ workflow-templates/deploy-mkdocs-versioned-poetry.yml | 3 +++ workflow-templates/publish-go-nightly-task.yml | 7 +++++++ workflow-templates/publish-go-tester-task.yml | 6 ++++++ workflow-templates/release-go-crosscompile-task.yml | 6 ++++++ workflow-templates/release-go-task.yml | 6 ++++++ workflow-templates/release-tag.yml | 2 ++ workflow-templates/spell-check-task.yml | 3 +++ workflow-templates/sync-labels-npm.yml | 6 ++++++ workflow-templates/sync-labels.yml | 6 ++++++ workflow-templates/test-go-integration-task.yml | 3 +++ workflow-templates/test-go-task.yml | 3 +++ workflow-templates/test-python-poetry-task.yml | 3 +++ 58 files changed, 216 insertions(+), 12 deletions(-) diff --git a/.github/workflows/check-ci-sync.yml b/.github/workflows/check-ci-sync.yml index eaf6510f..3960b084 100644 --- a/.github/workflows/check-ci-sync.yml +++ b/.github/workflows/check-ci-sync.yml @@ -27,6 +27,7 @@ on: jobs: check-sync: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-clang-format.yml b/.github/workflows/check-clang-format.yml index c51d2738..9caabe16 100644 --- a/.github/workflows/check-clang-format.yml +++ b/.github/workflows/check-clang-format.yml @@ -39,6 +39,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository @@ -60,6 +61,7 @@ jobs: check-config: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository @@ -136,6 +138,7 @@ jobs: check-output: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository @@ -195,6 +198,7 @@ jobs: check-testdata: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository @@ -211,6 +215,7 @@ jobs: convert: runs-on: ubuntu-latest + permissions: {} steps: - name: Set environment variables diff --git a/.github/workflows/check-community-health-sync.yml b/.github/workflows/check-community-health-sync.yml index 9285c258..226fd4e0 100644 --- a/.github/workflows/check-community-health-sync.yml +++ b/.github/workflows/check-community-health-sync.yml @@ -33,6 +33,7 @@ on: jobs: check-sync: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-config-sync.yml b/.github/workflows/check-config-sync.yml index 23d7a5cd..b1aa0a54 100644 --- a/.github/workflows/check-config-sync.yml +++ b/.github/workflows/check-config-sync.yml @@ -19,6 +19,7 @@ on: jobs: check-sync: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-dependabot.yml b/.github/workflows/check-dependabot.yml index 0f712e9f..a570170b 100644 --- a/.github/workflows/check-dependabot.yml +++ b/.github/workflows/check-dependabot.yml @@ -21,6 +21,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-eslint.yml b/.github/workflows/check-eslint.yml index 14054e2a..eba413ea 100644 --- a/.github/workflows/check-eslint.yml +++ b/.github/workflows/check-eslint.yml @@ -29,6 +29,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-files-task.yml b/.github/workflows/check-files-task.yml index bb5690ed..fe81ab4e 100644 --- a/.github/workflows/check-files-task.yml +++ b/.github/workflows/check-files-task.yml @@ -17,6 +17,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -40,6 +41,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -58,6 +61,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-general-formatting-task.yml b/.github/workflows/check-general-formatting-task.yml index 7a19a414..ab7a1da0 100644 --- a/.github/workflows/check-general-formatting-task.yml +++ b/.github/workflows/check-general-formatting-task.yml @@ -15,6 +15,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -40,6 +41,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Set environment variables diff --git a/.github/workflows/check-issue-templates.yml b/.github/workflows/check-issue-templates.yml index 8c4b4382..6caa111e 100644 --- a/.github/workflows/check-issue-templates.yml +++ b/.github/workflows/check-issue-templates.yml @@ -21,6 +21,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-javascript-task.yml b/.github/workflows/check-javascript-task.yml index 0eb67590..3a673c89 100644 --- a/.github/workflows/check-javascript-task.yml +++ b/.github/workflows/check-javascript-task.yml @@ -29,12 +29,10 @@ on: workflow_dispatch: repository_dispatch: -permissions: - contents: read - jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -60,6 +58,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-labels.yml b/.github/workflows/check-labels.yml index b754ed6a..f3776b05 100644 --- a/.github/workflows/check-labels.yml +++ b/.github/workflows/check-labels.yml @@ -23,6 +23,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-license.yml b/.github/workflows/check-license.yml index 7b12f08c..c2b3cbd2 100644 --- a/.github/workflows/check-license.yml +++ b/.github/workflows/check-license.yml @@ -38,6 +38,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -61,6 +62,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-markdown-task.yml b/.github/workflows/check-markdown-task.yml index a2001a8e..bacc784c 100644 --- a/.github/workflows/check-markdown-task.yml +++ b/.github/workflows/check-markdown-task.yml @@ -41,6 +41,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -66,6 +67,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -92,6 +95,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-markdownlint.yml b/.github/workflows/check-markdownlint.yml index 17e1ccac..d58849e2 100644 --- a/.github/workflows/check-markdownlint.yml +++ b/.github/workflows/check-markdownlint.yml @@ -21,6 +21,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-npm-task.yml b/.github/workflows/check-npm-task.yml index ba79f745..d20b591e 100644 --- a/.github/workflows/check-npm-task.yml +++ b/.github/workflows/check-npm-task.yml @@ -26,12 +26,10 @@ on: workflow_dispatch: repository_dispatch: -permissions: - contents: read - jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -57,6 +55,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -80,6 +80,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-prettier-formatting-task.yml b/.github/workflows/check-prettier-formatting-task.yml index d999002f..0c664774 100644 --- a/.github/workflows/check-prettier-formatting-task.yml +++ b/.github/workflows/check-prettier-formatting-task.yml @@ -209,6 +209,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -234,6 +235,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-python-task.yml b/.github/workflows/check-python-task.yml index e3e3addb..d19d4fcf 100644 --- a/.github/workflows/check-python-task.yml +++ b/.github/workflows/check-python-task.yml @@ -37,6 +37,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -62,6 +63,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -91,6 +94,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-shell-task.yml b/.github/workflows/check-shell-task.yml index 0ff939ff..7d92e555 100644 --- a/.github/workflows/check-shell-task.yml +++ b/.github/workflows/check-shell-task.yml @@ -27,6 +27,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -53,6 +54,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read env: # See: https://github.com/koalaman/shellcheck/releases/latest @@ -121,6 +124,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Set environment variables @@ -166,6 +171,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-taskfiles.yml b/.github/workflows/check-taskfiles.yml index 67ce8e69..e42d6500 100644 --- a/.github/workflows/check-taskfiles.yml +++ b/.github/workflows/check-taskfiles.yml @@ -29,6 +29,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -55,6 +56,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/.github/workflows/check-workflows-task.yml b/.github/workflows/check-workflows-task.yml index b996df5a..68617336 100644 --- a/.github/workflows/check-workflows-task.yml +++ b/.github/workflows/check-workflows-task.yml @@ -26,6 +26,8 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-yaml-task.yml b/.github/workflows/check-yaml-task.yml index 8234b9a6..90a2c860 100644 --- a/.github/workflows/check-yaml-task.yml +++ b/.github/workflows/check-yaml-task.yml @@ -49,6 +49,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -75,6 +76,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/.github/workflows/spell-check-task.yml b/.github/workflows/spell-check-task.yml index c570c01a..770dd1fa 100644 --- a/.github/workflows/spell-check-task.yml +++ b/.github/workflows/spell-check-task.yml @@ -19,6 +19,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -44,6 +45,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/sync-labels-npm.yml b/.github/workflows/sync-labels-npm.yml index 79cef012..4ce3b5cc 100644 --- a/.github/workflows/sync-labels-npm.yml +++ b/.github/workflows/sync-labels-npm.yml @@ -30,6 +30,8 @@ on: jobs: check: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -65,6 +67,7 @@ jobs: download: needs: check runs-on: ubuntu-latest + permissions: {} strategy: matrix: @@ -91,6 +94,9 @@ jobs: sync: needs: download runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - name: Set environment variables diff --git a/.github/workflows/test-install-script.yml b/.github/workflows/test-install-script.yml index bfdccd37..d3477ac0 100644 --- a/.github/workflows/test-install-script.yml +++ b/.github/workflows/test-install-script.yml @@ -24,6 +24,7 @@ env: jobs: configure: runs-on: ubuntu-latest + permissions: {} env: # Placeholder value of the PROJECT_OWNER variable in the template script @@ -60,6 +61,7 @@ jobs: default: needs: configure + permissions: {} strategy: fail-fast: false @@ -92,6 +94,7 @@ jobs: bindir: needs: configure + permissions: {} strategy: fail-fast: false @@ -131,6 +134,7 @@ jobs: version: needs: configure + permissions: {} strategy: fail-fast: false @@ -166,6 +170,7 @@ jobs: nightly: needs: configure + permissions: {} strategy: fail-fast: false @@ -198,6 +203,7 @@ jobs: path-suggestions: needs: configure + permissions: {} strategy: fail-fast: false diff --git a/.github/workflows/test-python-poetry-task.yml b/.github/workflows/test-python-poetry-task.yml index 96e9ee79..e4be1133 100644 --- a/.github/workflows/test-python-poetry-task.yml +++ b/.github/workflows/test-python-poetry-task.yml @@ -35,6 +35,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -58,6 +59,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-action-metadata-task.yml b/workflow-templates/check-action-metadata-task.yml index 8eca242a..91ecba8d 100644 --- a/workflow-templates/check-action-metadata-task.yml +++ b/workflow-templates/check-action-metadata-task.yml @@ -31,6 +31,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -56,6 +57,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-certificates.yml b/workflow-templates/check-certificates.yml index acc9244b..d3d10e2e 100644 --- a/workflow-templates/check-certificates.yml +++ b/workflow-templates/check-certificates.yml @@ -25,6 +25,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -66,6 +67,7 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: {} strategy: fail-fast: false diff --git a/workflow-templates/check-files-task.yml b/workflow-templates/check-files-task.yml index bb5690ed..ba4f5da3 100644 --- a/workflow-templates/check-files-task.yml +++ b/workflow-templates/check-files-task.yml @@ -15,6 +15,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -40,6 +41,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -58,6 +61,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-general-formatting-task.yml b/workflow-templates/check-general-formatting-task.yml index 7a19a414..ab7a1da0 100644 --- a/workflow-templates/check-general-formatting-task.yml +++ b/workflow-templates/check-general-formatting-task.yml @@ -15,6 +15,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -40,6 +41,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Set environment variables diff --git a/workflow-templates/check-go-dependencies-task.yml b/workflow-templates/check-go-dependencies-task.yml index 686f9500..3f2950fb 100644 --- a/workflow-templates/check-go-dependencies-task.yml +++ b/workflow-templates/check-go-dependencies-task.yml @@ -37,6 +37,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -62,6 +63,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -118,6 +121,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-go-task.yml b/workflow-templates/check-go-task.yml index 77c87cfa..a33ff2ff 100644 --- a/workflow-templates/check-go-task.yml +++ b/workflow-templates/check-go-task.yml @@ -31,6 +31,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -57,6 +58,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false @@ -91,6 +94,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false @@ -128,6 +133,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false @@ -165,6 +172,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false @@ -202,6 +211,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/workflow-templates/check-javascript-task.yml b/workflow-templates/check-javascript-task.yml index 0eb67590..3a673c89 100644 --- a/workflow-templates/check-javascript-task.yml +++ b/workflow-templates/check-javascript-task.yml @@ -29,12 +29,10 @@ on: workflow_dispatch: repository_dispatch: -permissions: - contents: read - jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -60,6 +58,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-license.yml b/workflow-templates/check-license.yml index 7e262055..cc231427 100644 --- a/workflow-templates/check-license.yml +++ b/workflow-templates/check-license.yml @@ -37,6 +37,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -62,6 +63,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-markdown-task.yml b/workflow-templates/check-markdown-task.yml index a2001a8e..bacc784c 100644 --- a/workflow-templates/check-markdown-task.yml +++ b/workflow-templates/check-markdown-task.yml @@ -41,6 +41,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -66,6 +67,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -92,6 +95,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-mkdocs-task.yml b/workflow-templates/check-mkdocs-task.yml index 05606854..a6a4033d 100644 --- a/workflow-templates/check-mkdocs-task.yml +++ b/workflow-templates/check-mkdocs-task.yml @@ -33,6 +33,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -58,6 +59,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-npm-dependencies-task.yml b/workflow-templates/check-npm-dependencies-task.yml index d769e4b3..6601a729 100644 --- a/workflow-templates/check-npm-dependencies-task.yml +++ b/workflow-templates/check-npm-dependencies-task.yml @@ -37,6 +37,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -62,6 +63,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -118,6 +121,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-npm-task.yml b/workflow-templates/check-npm-task.yml index ba79f745..d20b591e 100644 --- a/workflow-templates/check-npm-task.yml +++ b/workflow-templates/check-npm-task.yml @@ -26,12 +26,10 @@ on: workflow_dispatch: repository_dispatch: -permissions: - contents: read - jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -57,6 +55,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -80,6 +80,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-prettier-formatting-task.yml b/workflow-templates/check-prettier-formatting-task.yml index d999002f..0c664774 100644 --- a/workflow-templates/check-prettier-formatting-task.yml +++ b/workflow-templates/check-prettier-formatting-task.yml @@ -209,6 +209,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -234,6 +235,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-python-task.yml b/workflow-templates/check-python-task.yml index e3e3addb..d19d4fcf 100644 --- a/workflow-templates/check-python-task.yml +++ b/workflow-templates/check-python-task.yml @@ -37,6 +37,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -62,6 +63,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -91,6 +94,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-shell-task.yml b/workflow-templates/check-shell-task.yml index 0ff939ff..7d92e555 100644 --- a/workflow-templates/check-shell-task.yml +++ b/workflow-templates/check-shell-task.yml @@ -27,6 +27,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -53,6 +54,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read env: # See: https://github.com/koalaman/shellcheck/releases/latest @@ -121,6 +124,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Set environment variables @@ -166,6 +171,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-taskfiles.yml b/workflow-templates/check-taskfiles.yml index 67ce8e69..e42d6500 100644 --- a/workflow-templates/check-taskfiles.yml +++ b/workflow-templates/check-taskfiles.yml @@ -29,6 +29,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -55,6 +56,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/workflow-templates/check-toc-task.yml b/workflow-templates/check-toc-task.yml index b14b132b..86eebf14 100644 --- a/workflow-templates/check-toc-task.yml +++ b/workflow-templates/check-toc-task.yml @@ -31,6 +31,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -57,6 +58,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/workflow-templates/check-workflows-task.yml b/workflow-templates/check-workflows-task.yml index 635ae047..3a873bf4 100644 --- a/workflow-templates/check-workflows-task.yml +++ b/workflow-templates/check-workflows-task.yml @@ -28,6 +28,8 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-yaml-task.yml b/workflow-templates/check-yaml-task.yml index 8234b9a6..90a2c860 100644 --- a/workflow-templates/check-yaml-task.yml +++ b/workflow-templates/check-yaml-task.yml @@ -49,6 +49,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -75,6 +76,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/workflow-templates/deploy-cobra-mkdocs-versioned-poetry.yml b/workflow-templates/deploy-cobra-mkdocs-versioned-poetry.yml index 3605b779..848ae2d1 100644 --- a/workflow-templates/deploy-cobra-mkdocs-versioned-poetry.yml +++ b/workflow-templates/deploy-cobra-mkdocs-versioned-poetry.yml @@ -31,6 +31,7 @@ on: jobs: publish-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -56,6 +57,8 @@ jobs: runs-on: ubuntu-latest needs: publish-determination if: needs.publish-determination.outputs.result == 'true' + permissions: + contents: write steps: - name: Checkout repository diff --git a/workflow-templates/deploy-mkdocs-poetry.yml b/workflow-templates/deploy-mkdocs-poetry.yml index f01eb9aa..03b1e518 100644 --- a/workflow-templates/deploy-mkdocs-poetry.yml +++ b/workflow-templates/deploy-mkdocs-poetry.yml @@ -23,6 +23,8 @@ on: jobs: publish: runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout repository diff --git a/workflow-templates/deploy-mkdocs-versioned-poetry.yml b/workflow-templates/deploy-mkdocs-versioned-poetry.yml index 7a1101ae..5ca957e6 100644 --- a/workflow-templates/deploy-mkdocs-versioned-poetry.yml +++ b/workflow-templates/deploy-mkdocs-versioned-poetry.yml @@ -24,6 +24,7 @@ on: jobs: publish-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -49,6 +50,8 @@ jobs: runs-on: ubuntu-latest needs: publish-determination if: needs.publish-determination.outputs.result == 'true' + permissions: + contents: write steps: - name: Checkout repository diff --git a/workflow-templates/publish-go-nightly-task.yml b/workflow-templates/publish-go-nightly-task.yml index 62e55ff8..de750146 100644 --- a/workflow-templates/publish-go-nightly-task.yml +++ b/workflow-templates/publish-go-nightly-task.yml @@ -21,6 +21,8 @@ on: jobs: create-nightly-artifacts: runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: @@ -66,6 +68,9 @@ jobs: checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }} checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }} + permissions: + contents: read + env: GON_CONFIG_PATH: gon.config.hcl @@ -167,6 +172,7 @@ jobs: publish-nightly: runs-on: ubuntu-latest needs: notarize-macos + permissions: {} steps: - name: Download artifact @@ -195,6 +201,7 @@ jobs: runs-on: ubuntu-latest needs: publish-nightly if: failure() # Run if publish-nightly or any of its job dependencies failed + permissions: {} steps: - name: Report failure diff --git a/workflow-templates/publish-go-tester-task.yml b/workflow-templates/publish-go-tester-task.yml index 589aadc0..1f43f210 100644 --- a/workflow-templates/publish-go-tester-task.yml +++ b/workflow-templates/publish-go-tester-task.yml @@ -34,6 +34,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -59,6 +60,7 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: {} outputs: prefix: ${{ steps.calculation.outputs.prefix }} steps: @@ -77,6 +79,8 @@ jobs: needs: package-name-prefix name: Build ${{ matrix.os.name }} runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: @@ -137,6 +141,8 @@ jobs: - build - package-name-prefix runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Download build artifacts diff --git a/workflow-templates/release-go-crosscompile-task.yml b/workflow-templates/release-go-crosscompile-task.yml index 4449c8c2..8a637790 100644 --- a/workflow-templates/release-go-crosscompile-task.yml +++ b/workflow-templates/release-go-crosscompile-task.yml @@ -20,6 +20,8 @@ on: jobs: create-release-artifacts: runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: @@ -75,6 +77,8 @@ jobs: name: Notarize ${{ matrix.artifact.name }} runs-on: macos-latest needs: create-release-artifacts + permissions: + contents: read env: GON_CONFIG_PATH: gon.config.hcl @@ -177,6 +181,8 @@ jobs: create-release: runs-on: ubuntu-latest needs: notarize-macos + permissions: + contents: write steps: - name: Download artifact diff --git a/workflow-templates/release-go-task.yml b/workflow-templates/release-go-task.yml index a35245c7..98205973 100644 --- a/workflow-templates/release-go-task.yml +++ b/workflow-templates/release-go-task.yml @@ -18,6 +18,8 @@ on: jobs: create-release-artifacts: runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: @@ -71,6 +73,8 @@ jobs: outputs: checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }} checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }} + permissions: + contents: read env: GON_CONFIG_PATH: gon.config.hcl @@ -173,6 +177,8 @@ jobs: create-release: runs-on: ubuntu-latest needs: notarize-macos + permissions: + contents: write steps: - name: Download artifact diff --git a/workflow-templates/release-tag.yml b/workflow-templates/release-tag.yml index f0573d1d..3d466e08 100644 --- a/workflow-templates/release-tag.yml +++ b/workflow-templates/release-tag.yml @@ -9,6 +9,8 @@ on: jobs: release: runs-on: ubuntu-latest + permissions: + contents: write env: # See: https://github.com/fsaintjacques/semver-tool/releases diff --git a/workflow-templates/spell-check-task.yml b/workflow-templates/spell-check-task.yml index c570c01a..770dd1fa 100644 --- a/workflow-templates/spell-check-task.yml +++ b/workflow-templates/spell-check-task.yml @@ -19,6 +19,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -44,6 +45,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/sync-labels-npm.yml b/workflow-templates/sync-labels-npm.yml index 79cef012..4ce3b5cc 100644 --- a/workflow-templates/sync-labels-npm.yml +++ b/workflow-templates/sync-labels-npm.yml @@ -30,6 +30,8 @@ on: jobs: check: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -65,6 +67,7 @@ jobs: download: needs: check runs-on: ubuntu-latest + permissions: {} strategy: matrix: @@ -91,6 +94,9 @@ jobs: sync: needs: download runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - name: Set environment variables diff --git a/workflow-templates/sync-labels.yml b/workflow-templates/sync-labels.yml index 63c5b72a..3f94bab8 100644 --- a/workflow-templates/sync-labels.yml +++ b/workflow-templates/sync-labels.yml @@ -24,6 +24,8 @@ env: jobs: check: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -55,6 +57,7 @@ jobs: download: needs: check runs-on: ubuntu-latest + permissions: {} strategy: matrix: @@ -81,6 +84,9 @@ jobs: sync: needs: download runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - name: Set environment variables diff --git a/workflow-templates/test-go-integration-task.yml b/workflow-templates/test-go-integration-task.yml index 988f7c28..c34247db 100644 --- a/workflow-templates/test-go-integration-task.yml +++ b/workflow-templates/test-go-integration-task.yml @@ -41,6 +41,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -63,6 +64,8 @@ jobs: test: needs: run-determination if: needs.run-determination.outputs.result == 'true' + permissions: + contents: read strategy: matrix: diff --git a/workflow-templates/test-go-task.yml b/workflow-templates/test-go-task.yml index 7194f778..36a07247 100644 --- a/workflow-templates/test-go-task.yml +++ b/workflow-templates/test-go-task.yml @@ -41,6 +41,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -64,6 +65,8 @@ jobs: name: test (${{ matrix.module.path }} - ${{ matrix.operating-system }}) needs: run-determination if: needs.run-determination.outputs.result == 'true' + permissions: + contents: read strategy: fail-fast: false diff --git a/workflow-templates/test-python-poetry-task.yml b/workflow-templates/test-python-poetry-task.yml index 96e9ee79..e4be1133 100644 --- a/workflow-templates/test-python-poetry-task.yml +++ b/workflow-templates/test-python-poetry-task.yml @@ -35,6 +35,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -58,6 +59,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository