fix(ci): tighten GHA permissions (#110)

Azure · Jan 26, 2024 · 31b0dfc · 31b0dfc
1 parent a7a58e2
commit 31b0dfc
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 8 deletions.
diff --git a/.github/workflows/build-publish-mcr.yml b/.github/workflows/build-publish-mcr.yml
@@ -10,8 +10,7 @@ on:
         type: string
 
 permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
+  contents: read
 
 env:
   REGISTRY_REPO: unlisted/aks/karpenter
@@ -41,6 +40,8 @@ jobs:
           echo "release_tag=$RELEASE_TAG" >> $GITHUB_OUTPUT
 
   publish-images:
+    permissions:
+      id-token: write # This is required for requesting the JWT
     runs-on: ubuntu-latest
     needs: prepare-variables
     steps:

diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml
@@ -4,8 +4,12 @@ on:
     branches: [main]
   pull_request:
   workflow_dispatch:
+permissions:
+  contents: read
 jobs:
   ci-test:
+    permissions:
+      statuses: write
     runs-on: ubuntu-latest
     strategy:
       matrix:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,6 +4,8 @@ on:
     branches: [main]
   pull_request:
   workflow_dispatch:
+permissions:
+  contents: read    
 jobs:
   ci:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/deflake.yml b/.github/workflows/deflake.yml
@@ -3,9 +3,14 @@ on:
   schedule:
     - cron: '0 12 * * *'
   workflow_dispatch:
+
+permissions:
+  contents: read
 jobs:
   deflake:
     runs-on: ubuntu-latest
+    permissions:
+      statuses: write
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1

diff --git a/.github/workflows/e2e-matrix-trigger.yaml b/.github/workflows/e2e-matrix-trigger.yaml
@@ -11,15 +11,18 @@ on:
   workflow_run:
     workflows: [ApprovalComment]
     types: [completed]
+
 permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
-  statuses: write # ./.github/actions/commit-status/*
+  contents: read
+
 jobs:
   resolve:
     if: github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success'
     uses: ./.github/workflows/resolve-args.yaml
   e2e-matrix:
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      statuses: write # ./.github/actions/commit-status/*          
     needs: [resolve]
     uses: ./.github/workflows/e2e-matrix.yaml
     with:

diff --git a/.github/workflows/e2e-matrix.yaml b/.github/workflows/e2e-matrix.yaml
@@ -18,6 +18,10 @@ on:
         required: true
       E2E_SUBSCRIPTION_ID:
         required: true
+
+permissions:
+  contents: read
+
 jobs:
   initialize-generative-params:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -24,14 +24,17 @@ on:
         required: true
       E2E_SUBSCRIPTION_ID:
         required: true
+
 permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
-  statuses: write # ./.github/actions/commit-status/*
+  contents: read
+
 jobs:
   run-suite:
     name: suite-${{ inputs.suite }}
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      statuses: write # ./.github/actions/commit-status/*      
     env:
       AZURE_SUBSCRIPTION_ID: ${{ secrets.E2E_SUBSCRIPTION_ID }}
     steps:

diff --git a/.github/workflows/resolve-args.yaml b/.github/workflows/resolve-args.yaml
@@ -4,6 +4,10 @@ on:
     outputs:
       GIT_REF:
         value: ${{ jobs.resolve.outputs.GIT_REF }}
+
+permissions:
+  contents: read
+
 jobs:
   resolve:
     runs-on: ubuntu-latest