From 07e0f1c008d62557a2cfc268d4800d2287a44d78 Mon Sep 17 00:00:00 2001
From: Daz DeBoer
Date: Wed, 13 Nov 2024 19:01:45 -0700
Subject: [PATCH] Limit token permissions in GitHub workflows (#440)

See https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions
---
 .github/workflows/ci-codeql.yml | 3 ++
 .github/workflows/ci-init-script-check.yml | 3 ++
 .github/workflows/ci-integ-test-full.yml | 8 +++--
 .github/workflows/ci-integ-test.yml | 8 +++--
 .github/workflows/ci-ossf-scorecard.yml | 3 +-
 .github/workflows/ci-update-dist.yml | 4 ++-
 .github/workflows/ci-validate-wrappers.yml | 3 ++
 .github/workflows/demo-job-summary.yml | 3 ++
 .../workflows/demo-pr-build-scan-comment.yml | 8 ++++-
 .../integ-test-build-scan-publish.yml | 3 ++
 .../workflows/integ-test-cache-cleanup.yml | 3 ++
 .../workflows/integ-test-caching-config.yml | 3 ++
 .../workflows/integ-test-dependency-graph.yml | 14 ++++++--
 ...eg-test-dependency-submission-failures.yml | 3 ++
 .../integ-test-dependency-submission.yml | 32 +++++++++++++++++--
 .../integ-test-detect-toolchains.yml | 3 ++
 .../integ-test-inject-develocity.yml | 3 ++
 .../integ-test-provision-gradle-versions.yml | 3 ++
 ...integ-test-restore-configuration-cache.yml | 3 ++
 ...test-restore-containerized-gradle-home.yml | 3 ++
 .../integ-test-restore-custom-gradle-home.yml | 3 ++
 .../integ-test-restore-gradle-home.yml | 3 ++
 .../integ-test-restore-java-toolchain.yml | 3 ++
 .../integ-test-sample-gradle-plugin.yml | 3 ++
 .../integ-test-sample-kotlin-dsl.yml | 3 ++
 .../integ-test-wrapper-validation.yml | 3 ++
 .../workflows/suite-integ-test-caching.yml | 3 ++
 .github/workflows/suite-integ-test-other.yml | 3 ++
 .github/workflows/update-checksums-file.yml | 6 ++--
 29 files changed, 129 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/ci-codeql.yml b/.github/workflows/ci-codeql.yml
index 09ebb14..e0c9814 100644
--- a/.github/workflows/ci-codeql.yml
+++ b/.github/workflows/ci-codeql.yml
@@ -16,6 +16,9 @@ on:
 schedule:
 - cron: '25 23 * * 2'
 
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/ci-init-script-check.yml b/.github/workflows/ci-init-script-check.yml
index 48e9965..bd2dd1a 100644
--- a/.github/workflows/ci-init-script-check.yml
+++ b/.github/workflows/ci-init-script-check.yml
@@ -14,6 +14,9 @@ on:
 - 'sources/test/init-scripts/**'
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 test-init-scripts:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ci-integ-test-full.yml b/.github/workflows/ci-integ-test-full.yml
index dcb73b5..9e205a3 100644
--- a/.github/workflows/ci-integ-test-full.yml
+++ b/.github/workflows/ci-integ-test-full.yml
@@ -6,13 +6,13 @@ on:
 paths:
 - 'dist/**'
 
-permissions:
- contents: write
-
 concurrency:
 group: integ-test
 cancel-in-progress: false
 
+permissions:
+ contents: read
+
 jobs:
 caching-integ-tests:
 uses: ./.github/workflows/suite-integ-test-caching.yml
@@ -25,6 +25,8 @@ jobs:
 secrets: inherit
 
 other-integ-tests:
+ permissions:
+ contents: write
 uses: ./.github/workflows/suite-integ-test-other.yml
 concurrency:
 group: CI-integ-test-full
diff --git a/.github/workflows/ci-integ-test.yml b/.github/workflows/ci-integ-test.yml
index 3f4bd23..4a5cc31 100644
--- a/.github/workflows/ci-integ-test.yml
+++ b/.github/workflows/ci-integ-test.yml
@@ -11,13 +11,13 @@ on:
 paths-ignore:
 - 'dist/**'
 
-permissions:
- contents: write
-
 concurrency:
 group: integ-test
 cancel-in-progress: false
 
+permissions:
+ contents: read
+
 jobs:
 build-distribution:
 runs-on: ubuntu-latest
@@ -36,6 +36,8 @@ jobs:
 secrets: inherit
 
 other-integ-tests:
+ permissions:
+ contents: write
 needs: build-distribution
 uses: ./.github/workflows/suite-integ-test-other.yml
 with:
diff --git a/.github/workflows/ci-ossf-scorecard.yml b/.github/workflows/ci-ossf-scorecard.yml
index 16c77dc..4a5d8a1 100644
--- a/.github/workflows/ci-ossf-scorecard.yml
+++ b/.github/workflows/ci-ossf-scorecard.yml
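Review bot: The workflow-level `contents: read` added to ci-codeql.yml is only safe if the `analyze` job, whose body lies outside the hunk, carries its own `permissions:` block with `security-events: write`; a job-level block replaces the workflow-level grant rather than extending it, and without that scope the CodeQL results upload is refused. If the job has no such block, add `permissions:` / `contents: read` / `security-events: write` under `analyze:` (the CodeQL starter template also lists `actions: read`, which it marks as needed for private repositories). I cannot see the job from this hunk, so treat this as a check rather than a confirmed break.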
@@ -6,7 +6,8 @@ on:
 branches:
 - main
 
-permissions: read-all
+permissions:
+ contents: read
 
 jobs:
 analysis:
diff --git a/.github/workflows/ci-update-dist.yml b/.github/workflows/ci-update-dist.yml
index 392aa9b..80c20f3 100644
--- a/.github/workflows/ci-update-dist.yml
+++ b/.github/workflows/ci-update-dist.yml
@@ -10,10 +10,12 @@ on:
 - 'dist/**'
 
 permissions:
- contents: write
+ contents: read
 
 jobs:
 update-dist:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 
 steps:
diff --git a/.github/workflows/ci-validate-wrappers.yml b/.github/workflows/ci-validate-wrappers.yml
index d1a8294..ba24392 100644
--- a/.github/workflows/ci-validate-wrappers.yml
+++ b/.github/workflows/ci-validate-wrappers.yml
@@ -4,6 +4,9 @@ on:
 push:
 pull_request:
 
+permissions:
+ contents: read
+
 jobs:
 validation:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/demo-job-summary.yml b/.github/workflows/demo-job-summary.yml
index a679321..14bdd3e 100644
--- a/.github/workflows/demo-job-summary.yml
+++ b/.github/workflows/demo-job-summary.yml
@@ -3,6 +3,9 @@ name: Demo Job Summary, for Gradle builds
 on:
 workflow_dispatch:
 
+permissions:
+ contents: read
+
 jobs:
 build-distribution:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/demo-pr-build-scan-comment.yml b/.github/workflows/demo-pr-build-scan-comment.yml
index 9150714..c9c230f 100644
--- a/.github/workflows/demo-pr-build-scan-comment.yml
+++ b/.github/workflows/demo-pr-build-scan-comment.yml
@@ -4,7 +4,7 @@ on:
 types: [assigned, review_requested]
 
 permissions:
- pull-requests: write
+ contents: read
 
 jobs:
 build-distribution:
@@ -16,6 +16,8 @@ jobs:
 uses: ./.github/actions/build-dist
 
 successful-build-with-always-comment:
+ permissions:
+ pull-requests: write
 needs: build-distribution
 runs-on: ubuntu-latest
 steps:
@@ -34,6 +36,8 @@ jobs:
 run: ./gradlew build --scan
 
 successful-build-with-comment-on-failure:
+ permissions:
+ pull-requests: write
 needs: build-distribution
 runs-on: ubuntu-latest
 steps:
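Review bot: Swapping `permissions: read-all` for `contents: read` in ci-ossf-scorecard.yml removes every other read scope at the workflow level, including `actions: read`, which the scorecard action's own template lists as needed for private repositories; on a public repository that is probably harmless, but the `analysis` job, which starts after the hunk, must itself grant `id-token: write` and `security-events: write` or the results publish and SARIF upload will fail. Confirm the job's `permissions:` block contains those two lines; if it does not, add `id-token: write` and `security-events: write` under `analysis:`.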
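Review bot: A job-level `permissions:` block replaces the workflow-level one, so `successful-build-with-always-comment` in demo-pr-build-scan-comment.yml now runs with `pull-requests: write` and every other scope, including `contents`, set to none; the same applies to `successful-build-with-comment-on-failure` in the next hunk and `failing-build-with-comment-on-failure` in the hunk after it. The jobs' steps are outside the hunk; if they check out the repository with the default GITHUB_TOKEN, the block should be `permissions:` / `contents: read` / `pull-requests: write` so checkout does not depend on the repository being public. The three identical blocks would also read better with a one-line comment such as `# needed to post the build-scan comment on the PR` above `pull-requests: write`, since that is the only reason these jobs keep write access.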
@@ -52,6 +56,8 @@ jobs:
 run: ./gradlew build --scan
 
 failing-build-with-comment-on-failure:
+ permissions:
+ pull-requests: write
 needs: build-distribution
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/integ-test-build-scan-publish.yml b/.github/workflows/integ-test-build-scan-publish.yml
index 0bdb730..5afe83e 100644
--- a/.github/workflows/integ-test-build-scan-publish.yml
+++ b/.github/workflows/integ-test-build-scan-publish.yml
@@ -17,6 +17,9 @@ env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }}
 
+permissions:
+ contents: read
+
 jobs:
 build-scan-publish:
 strategy:
diff --git a/.github/workflows/integ-test-cache-cleanup.yml b/.github/workflows/integ-test-cache-cleanup.yml
index 5916c1a..40790e4 100644
--- a/.github/workflows/integ-test-cache-cleanup.yml
+++ b/.github/workflows/integ-test-cache-cleanup.yml
@@ -18,6 +18,9 @@ env:
 # Requires a fresh cache entry each run
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}}
 
+permissions:
+ contents: read
+
 jobs:
 cache-cleanup-full-build:
 strategy:
diff --git a/.github/workflows/integ-test-caching-config.yml b/.github/workflows/integ-test-caching-config.yml
index 1653ec9..09c5c5b 100644
--- a/.github/workflows/integ-test-caching-config.yml
+++ b/.github/workflows/integ-test-caching-config.yml
@@ -17,6 +17,9 @@ env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }}
 
+permissions:
+ contents: read
+
 jobs:
 caching-config-seed-build:
 strategy:
diff --git a/.github/workflows/integ-test-dependency-graph.yml b/.github/workflows/integ-test-dependency-graph.yml
index efbbca6..8a4aad4 100644
--- a/.github/workflows/integ-test-dependency-graph.yml
+++ b/.github/workflows/integ-test-dependency-graph.yml
@@ -13,14 +13,14 @@ on:
 type: boolean
 default: false
 
-permissions:
- contents: write
-
 env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}
 GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+ contents: read
+
 jobs:
 dependency-graph-groovy-upload:
 runs-on: "ubuntu-latest"
@@ -39,6 +39,8 @@ jobs:
 working-directory: .github/workflow-samples/groovy-dsl
 
 dependency-graph-groovy-submit:
+ permissions:
+ contents: write
 needs: [dependency-graph-groovy-upload]
 runs-on: "ubuntu-latest"
 steps:
@@ -55,6 +57,8 @@ jobs:
 DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload
 
 dependency-graph-kotlin-generate-and-submit:
+ permissions:
+ contents: write
 runs-on: "ubuntu-latest"
 steps:
 - name: Checkout sources
@@ -71,6 +75,8 @@ jobs:
 working-directory: .github/workflow-samples/kotlin-dsl
 
 dependency-graph-multiple-builds:
+ permissions:
+ contents: write
 runs-on: "ubuntu-latest"
 steps:
 - name: Checkout sources
@@ -112,6 +118,8 @@ jobs:
 fi
 
 dependency-graph-config-cache:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest # Test is not compatible with Windows
 steps:
 - name: Checkout sources
diff --git a/.github/workflows/integ-test-dependency-submission-failures.yml b/.github/workflows/integ-test-dependency-submission-failures.yml
index 613c46e..84d9a60 100644
--- a/.github/workflows/integ-test-dependency-submission-failures.yml
+++ b/.github/workflows/integ-test-dependency-submission-failures.yml
@@ -18,6 +18,9 @@ env:
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }}
 GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+ contents: read
+
 jobs:
 dependency-submission-failures-failing-build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/integ-test-dependency-submission.yml b/.github/workflows/integ-test-dependency-submission.yml
index 36ecf73..4fbb992 100644
--- a/.github/workflows/integ-test-dependency-submission.yml
+++ b/.github/workflows/integ-test-dependency-submission.yml
@@ -13,16 +13,18 @@ on:
 type: boolean
 default: false
 
-permissions:
- contents: write
-
 env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }}
 GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
 
+permissions:
+ contents: read
+
 jobs:
 dependency-submission-groovy-generate-and-upload:
+ permissions:
+ contents: write
 strategy:
 max-parallel: 1
 fail-fast: false
@@ -45,6 +47,8 @@ jobs:
 GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
 
 dependency-submission-groovy-restore-cache:
+ permissions:
+ contents: write
 needs: [dependency-submission-groovy-generate-and-upload]
 strategy:
 max-parallel: 1
@@ -67,6 +71,8 @@ jobs:
 GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
 
 dependency-submission-groovy-download-and-submit:
+ permissions:
+ contents: write
 needs: [dependency-submission-groovy-generate-and-upload]
 strategy:
 max-parallel: 1
@@ -88,6 +94,8 @@ jobs:
 DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }}
 
 dependency-submission-kotlin-generate-and-submit:
+ permissions:
+ contents: write
 strategy:
 max-parallel: 1
 fail-fast: false
@@ -106,6 +114,8 @@ jobs:
 build-root-directory: .github/workflow-samples/kotlin-dsl
 
 dependency-submission-multiple-builds:
+ permissions:
+ contents: write
 strategy:
 max-parallel: 1
 fail-fast: false
@@ -152,6 +162,8 @@ jobs:
 fi
 
 dependency-submission-multiple-builds-upload:
+ permissions:
+ contents: write
 strategy:
 max-parallel: 1
 fail-fast: false
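Review bot: `dependency-submission-groovy-generate-and-upload` is granted `contents: write` although, going by its name, it only generates a report and uploads it as an artifact; the submission is done by `dependency-submission-groovy-download-and-submit` two hunks below, which is the job that needs the scope. The sibling integ-test-dependency-graph.yml in this same commit makes exactly that distinction — `dependency-graph-groovy-upload` stays at the workflow-level `contents: read` and only `dependency-graph-groovy-submit` gets write — so the two workflows now disagree. Unless the job's steps, which are outside the hunk, really do submit, remove the two added lines under the `-generate-and-upload` job, and check `dependency-submission-groovy-restore-cache`, `dependency-submission-multiple-builds-upload` and `dependency-submission-custom-report-dir-upload` further down for the same over-grant.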
@@ -176,6 +188,8 @@ jobs:
 build-root-directory: .github/workflow-samples/groovy-dsl
 
 dependency-submission-config-cache:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest # Test is not compatible with Windows
 steps:
 - name: Checkout sources
@@ -211,6 +225,8 @@ jobs:
 fi
 
 dependency-submission-gradle-versions:
+ permissions:
+ contents: write
 strategy:
 fail-fast: false
 matrix:
@@ -235,6 +251,8 @@ jobs:
 build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}
 
 dependency-submission-with-setup-gradle:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest # Test is not compatible with Windows
 steps:
 - name: Checkout sources
@@ -270,6 +288,8 @@ jobs:
 fi
 
 dependency-submission-with-includes-and-excludes:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest # Test is not compatible with Windows
 steps:
 - name: Checkout sources
@@ -304,6 +324,8 @@ jobs:
 
 
 dependency-submission-custom-report-dir-submit:
+ permissions:
+ contents: write
 strategy:
 max-parallel: 1
 fail-fast: false
@@ -339,6 +361,8 @@ jobs:
 fi
 
 dependency-submission-custom-report-dir-upload:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - name: Checkout sources
@@ -355,6 +379,8 @@ jobs:
 build-root-directory: .github/workflow-samples/groovy-dsl
 
 custom-report-dir-download-and-submit:
+ permissions:
+ contents: write
 needs: [dependency-submission-custom-report-dir-upload]
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/integ-test-detect-toolchains.yml b/.github/workflows/integ-test-detect-toolchains.yml
index 922c4ec..5bdc3bf 100644
--- a/.github/workflows/integ-test-detect-toolchains.yml
+++ b/.github/workflows/integ-test-detect-toolchains.yml
@@ -17,6 +17,9 @@ env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}
 
+permissions:
+ contents: read
+
 jobs:
 # Test that pre-installed runner JDKs are detected
 detect-toolchains-pre-installed-jdks:
diff --git a/.github/workflows/integ-test-inject-develocity.yml b/.github/workflows/integ-test-inject-develocity.yml
index 7653959..8c92715 100644
--- a/.github/workflows/integ-test-inject-develocity.yml
+++ b/.github/workflows/integ-test-inject-develocity.yml
@@ -20,6 +20,9 @@ env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }}
 
+permissions:
+ contents: read
+
 jobs:
 inject-develocity:
 env:
diff --git a/.github/workflows/integ-test-provision-gradle-versions.yml b/.github/workflows/integ-test-provision-gradle-versions.yml
index 8ff1f17..dcad38f 100644
--- a/.github/workflows/integ-test-provision-gradle-versions.yml
+++ b/.github/workflows/integ-test-provision-gradle-versions.yml
@@ -18,6 +18,9 @@ env:
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
 GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
 
+permissions:
+ contents: read
+
 jobs:
 # Tests for executing with different Gradle versions.
 # Each build verifies that it is executed with the expected Gradle version.
diff --git a/.github/workflows/integ-test-restore-configuration-cache.yml b/.github/workflows/integ-test-restore-configuration-cache.yml
index facab62..ad02016 100644
--- a/.github/workflows/integ-test-restore-configuration-cache.yml
+++ b/.github/workflows/integ-test-restore-configuration-cache.yml
@@ -20,6 +20,9 @@ env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }}
 
+permissions:
+ contents: read
+
 jobs:
 restore-cc-seed-build-groovy:
 env:
diff --git a/.github/workflows/integ-test-restore-containerized-gradle-home.yml b/.github/workflows/integ-test-restore-containerized-gradle-home.yml
index f05e2bb..067104d 100644
--- a/.github/workflows/integ-test-restore-containerized-gradle-home.yml
+++ b/.github/workflows/integ-test-restore-containerized-gradle-home.yml
@@ -14,6 +14,9 @@ env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }}
 
+permissions:
+ contents: read
+
 jobs:
 restore-containerized-seed-build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/integ-test-restore-custom-gradle-home.yml b/.github/workflows/integ-test-restore-custom-gradle-home.yml
index 6ef66e8..d5a9ec0 100644
--- a/.github/workflows/integ-test-restore-custom-gradle-home.yml
+++ b/.github/workflows/integ-test-restore-custom-gradle-home.yml
@@ -14,6 +14,9 @@ env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }}
 
+permissions:
+ contents: read
+
 jobs:
 restore-custom-gradle-home-seed-build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/integ-test-restore-gradle-home.yml b/.github/workflows/integ-test-restore-gradle-home.yml
index 5ebe70f..34af46a 100644
--- a/.github/workflows/integ-test-restore-gradle-home.yml
+++ b/.github/workflows/integ-test-restore-gradle-home.yml
@@ -18,6 +18,9 @@ env:
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }}
 GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home
 
+permissions:
+ contents: read
+
 jobs:
 restore-gradle-home-seed-build:
 strategy:
diff --git a/.github/workflows/integ-test-restore-java-toolchain.yml b/.github/workflows/integ-test-restore-java-toolchain.yml
index bda00cc..a3e8e87 100644
--- a/.github/workflows/integ-test-restore-java-toolchain.yml
+++ b/.github/workflows/integ-test-restore-java-toolchain.yml
@@ -17,6 +17,9 @@ env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }}
 
+permissions:
+ contents: read
+
 jobs:
 restore-java-toolchain-seed-build:
 strategy:
diff --git a/.github/workflows/integ-test-sample-gradle-plugin.yml b/.github/workflows/integ-test-sample-gradle-plugin.yml
index 8c5d3fe..c8db19f 100644
--- a/.github/workflows/integ-test-sample-gradle-plugin.yml
+++ b/.github/workflows/integ-test-sample-gradle-plugin.yml
@@ -17,6 +17,9 @@ env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }}
 
+permissions:
+ contents: read
+
 jobs:
 sample-gradle-plugin-seed-build:
 strategy:
diff --git a/.github/workflows/integ-test-sample-kotlin-dsl.yml b/.github/workflows/integ-test-sample-kotlin-dsl.yml
index 4fae2a3..ce38171 100644
--- a/.github/workflows/integ-test-sample-kotlin-dsl.yml
+++ b/.github/workflows/integ-test-sample-kotlin-dsl.yml
@@ -17,6 +17,9 @@ env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }}
 
+permissions:
+ contents: read
+
 jobs:
 sample-kotlin-dsl-seed-build:
 strategy:
diff --git a/.github/workflows/integ-test-wrapper-validation.yml b/.github/workflows/integ-test-wrapper-validation.yml
index c80fab5..523e85d 100644
--- a/.github/workflows/integ-test-wrapper-validation.yml
+++ b/.github/workflows/integ-test-wrapper-validation.yml
@@ -13,6 +13,9 @@ on:
 env:
 SKIP_DIST: ${{ inputs.skip-dist }}
 
+permissions:
+ contents: read
+
 jobs:
 wrapper-validation-setup-gradle:
 strategy:
diff --git a/.github/workflows/suite-integ-test-caching.yml b/.github/workflows/suite-integ-test-caching.yml
index f3e3b9b..40d5d8f 100644
--- a/.github/workflows/suite-integ-test-caching.yml
+++ b/.github/workflows/suite-integ-test-caching.yml
@@ -10,6 +10,9 @@ on:
 type: boolean
 default: false
 
+permissions:
+ contents: read
+
 jobs:
 cache-cleanup:
 uses: ./.github/workflows/integ-test-cache-cleanup.yml
diff --git a/.github/workflows/suite-integ-test-other.yml b/.github/workflows/suite-integ-test-other.yml
index c36eb22..00a5914 100644
--- a/.github/workflows/suite-integ-test-other.yml
+++ b/.github/workflows/suite-integ-test-other.yml
@@ -10,6 +10,9 @@ on:
 type: boolean
 default: false
 
+permissions:
+ contents: read
+
 jobs:
 build-scan-publish:
 uses: ./.github/workflows/integ-test-build-scan-publish.yml
diff --git a/.github/workflows/update-checksums-file.yml b/.github/workflows/update-checksums-file.yml
index ec97161..b40f0a3 100644
--- a/.github/workflows/update-checksums-file.yml
+++ b/.github/workflows/update-checksums-file.yml
@@ -7,11 +7,13 @@ on:
 workflow_dispatch:
 
 permissions:
- contents: write
- pull-requests: write
+ contents: read
 
 jobs:
 update-checksums:
+ permissions:
+ contents: write
+ pull-requests: write
 name: Update checksums
 runs-on: ubuntu-latest
 
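Review bot: With `contents: read` now at the top of suite-integ-test-other.yml, every job in this suite passes at most read access to the reusable workflow it calls, yet integ-test-dependency-graph.yml and integ-test-dependency-submission.yml, both changed earlier in this commit, request `contents: write` at job level. GitHub does not let a called workflow elevate the token above what the caller job grants, so the suite jobs that `uses:` those two workflows (outside this hunk; only `build-scan-publish` is visible) each need `permissions:` / `contents: write`, mirroring what ci-integ-test.yml and ci-integ-test-full.yml already pass to `other-integ-tests`. Without that, the nested write-requiring jobs are, as far as I can tell, refused before any step runs rather than silently downgraded, so the suite would fail on its first run after this change.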