Limit token permissions in GitHub workflows (#440)

See ea7e27ed41/docs/checks.md (token-permissions)
2024-11-23 18:02:13 +00:00 · 2024-11-13 19:01:45 -07:00 · 2024-11-13 19:01:45 -07:00 · 07e0f1c008
commit 07e0f1c008
parent af45dcfe3c
29 changed files with 129 additions and 17 deletions
--- a/.github/workflows/ci-codeql.yml
+++ b/.github/workflows/ci-codeql.yml
@ -16,6 +16,9 @@ on:
  schedule:
    - cron: '25 23 * * 2'

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/ci-init-script-check.yml
+++ b/.github/workflows/ci-init-script-check.yml
@ -14,6 +14,9 @@ on:
      - 'sources/test/init-scripts/**'
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  test-init-scripts:
    runs-on: ubuntu-latest
--- a/.github/workflows/ci-integ-test-full.yml
+++ b/.github/workflows/ci-integ-test-full.yml
@ -6,13 +6,13 @@ on:
    paths:
    - 'dist/**'

-permissions:
-  contents: write
-
 concurrency:
  group: integ-test
  cancel-in-progress: false

+permissions:
+  contents: read
+
 jobs:
  caching-integ-tests:
    uses: ./.github/workflows/suite-integ-test-caching.yml
@ -25,6 +25,8 @@ jobs:
    secrets: inherit

  other-integ-tests:
+    permissions:
+      contents: write
    uses: ./.github/workflows/suite-integ-test-other.yml
    concurrency:
      group: CI-integ-test-full
--- a/.github/workflows/ci-integ-test.yml
+++ b/.github/workflows/ci-integ-test.yml
@ -11,13 +11,13 @@ on:
    paths-ignore:
    - 'dist/**'

-permissions:
-  contents: write
-
 concurrency:
  group: integ-test
  cancel-in-progress: false

+permissions:
+  contents: read
+
 jobs:
  build-distribution:
    runs-on: ubuntu-latest
@ -36,6 +36,8 @@ jobs:
    secrets: inherit

  other-integ-tests:
+    permissions:
+      contents: write
    needs: build-distribution
    uses: ./.github/workflows/suite-integ-test-other.yml
    with:
--- a/.github/workflows/ci-ossf-scorecard.yml
+++ b/.github/workflows/ci-ossf-scorecard.yml
@ -6,7 +6,8 @@ on:
    branches:
      - main

-permissions: read-all
+permissions:
+  contents: read

 jobs:
  analysis:
--- a/.github/workflows/ci-update-dist.yml
+++ b/.github/workflows/ci-update-dist.yml
@ -10,10 +10,12 @@ on:
    - 'dist/**'

 permissions:
-  contents: write
+  contents: read

 jobs:
  update-dist:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest

    steps:
--- a/.github/workflows/ci-validate-wrappers.yml
+++ b/.github/workflows/ci-validate-wrappers.yml
@ -4,6 +4,9 @@ on:
  push:
  pull_request:

+permissions:
+  contents: read
+
 jobs:
  validation:
    runs-on: ubuntu-latest
--- a/.github/workflows/demo-job-summary.yml
+++ b/.github/workflows/demo-job-summary.yml
@ -3,6 +3,9 @@ name: Demo Job Summary, for Gradle builds
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  build-distribution:
    runs-on: ubuntu-latest
--- a/.github/workflows/demo-pr-build-scan-comment.yml
+++ b/.github/workflows/demo-pr-build-scan-comment.yml
@ -4,7 +4,7 @@ on:
    types: [assigned, review_requested]

 permissions:
-  pull-requests: write
+  contents: read

 jobs:
  build-distribution:
@ -16,6 +16,8 @@ jobs:
      uses: ./.github/actions/build-dist

  successful-build-with-always-comment:
+    permissions:
+      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
@ -34,6 +36,8 @@ jobs:
      run: ./gradlew build --scan

  successful-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
@ -52,6 +56,8 @@ jobs:
      run: ./gradlew build --scan

  failing-build-with-comment-on-failure:
+    permissions:
+      pull-requests: write
    needs: build-distribution
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/integ-test-build-scan-publish.yml
+++ b/.github/workflows/integ-test-build-scan-publish.yml
@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  build-scan-publish:
    strategy:
--- a/.github/workflows/integ-test-cache-cleanup.yml
+++ b/.github/workflows/integ-test-cache-cleanup.yml
@ -18,6 +18,9 @@ env:
  # Requires a fresh cache entry each run
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}}

+permissions:
+  contents: read
+
 jobs:
  cache-cleanup-full-build:
    strategy:
--- a/.github/workflows/integ-test-caching-config.yml
+++ b/.github/workflows/integ-test-caching-config.yml
@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  caching-config-seed-build:
    strategy:
--- a/.github/workflows/integ-test-dependency-graph.yml
+++ b/.github/workflows/integ-test-dependency-graph.yml
@ -13,14 +13,14 @@ on:
        type: boolean
        default: false

-permissions:
-  contents: write
-
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository

+permissions:
+  contents: read
+
 jobs:
  dependency-graph-groovy-upload:
    runs-on: "ubuntu-latest"
@ -39,6 +39,8 @@ jobs:
      working-directory: .github/workflow-samples/groovy-dsl

  dependency-graph-groovy-submit:
+    permissions:
+      contents: write
    needs: [dependency-graph-groovy-upload]
    runs-on: "ubuntu-latest"
    steps:
@ -55,6 +57,8 @@ jobs:
        DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload

  dependency-graph-kotlin-generate-and-submit:
+    permissions:
+      contents: write
    runs-on: "ubuntu-latest"
    steps:
    - name: Checkout sources
@ -71,6 +75,8 @@ jobs:
      working-directory: .github/workflow-samples/kotlin-dsl

  dependency-graph-multiple-builds:
+    permissions:
+      contents: write
    runs-on: "ubuntu-latest"
    steps:
    - name: Checkout sources
@ -112,6 +118,8 @@ jobs:
        fi
        
  dependency-graph-config-cache:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
--- a/.github/workflows/integ-test-dependency-submission-failures.yml
+++ b/.github/workflows/integ-test-dependency-submission-failures.yml
@ -18,6 +18,9 @@ env:
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }}
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository

+permissions:
+  contents: read
+
 jobs:
  dependency-submission-failures-failing-build:
    runs-on: ubuntu-latest
--- a/.github/workflows/integ-test-dependency-submission.yml
+++ b/.github/workflows/integ-test-dependency-submission.yml
@ -13,16 +13,18 @@ on:
        type: boolean
        default: false

-permissions:
-  contents: write
-
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }}
  GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository

+permissions:
+  contents: read
+
 jobs:
  dependency-submission-groovy-generate-and-upload:
+    permissions:
+      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
@ -45,6 +47,8 @@ jobs:
        GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission

  dependency-submission-groovy-restore-cache:
+    permissions:
+      contents: write
    needs: [dependency-submission-groovy-generate-and-upload]
    strategy:
      max-parallel: 1
@ -67,6 +71,8 @@ jobs:
        GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission

  dependency-submission-groovy-download-and-submit:
+    permissions:
+      contents: write
    needs: [dependency-submission-groovy-generate-and-upload]
    strategy:
      max-parallel: 1
@ -88,6 +94,8 @@ jobs:
        DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }}

  dependency-submission-kotlin-generate-and-submit:
+    permissions:
+      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
@ -106,6 +114,8 @@ jobs:
        build-root-directory: .github/workflow-samples/kotlin-dsl

  dependency-submission-multiple-builds:
+    permissions:
+      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
@ -152,6 +162,8 @@ jobs:
        fi

  dependency-submission-multiple-builds-upload:
+    permissions:
+      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
@ -176,6 +188,8 @@ jobs:
        build-root-directory: .github/workflow-samples/groovy-dsl

  dependency-submission-config-cache:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
@ -211,6 +225,8 @@ jobs:
        fi

  dependency-submission-gradle-versions:
+    permissions:
+      contents: write
    strategy:
      fail-fast: false
      matrix:
@ -235,6 +251,8 @@ jobs:
        build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}

  dependency-submission-with-setup-gradle:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
@ -270,6 +288,8 @@ jobs:
        fi

  dependency-submission-with-includes-and-excludes:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest # Test is not compatible with Windows
    steps:
    - name: Checkout sources
@ -304,6 +324,8 @@ jobs:


  dependency-submission-custom-report-dir-submit:
+    permissions:
+      contents: write
    strategy:
      max-parallel: 1
      fail-fast: false
@ -339,6 +361,8 @@ jobs:
        fi

  dependency-submission-custom-report-dir-upload:
+    permissions:
+      contents: write
    runs-on: ubuntu-latest
    steps:
    - name: Checkout sources
@ -355,6 +379,8 @@ jobs:
        build-root-directory: .github/workflow-samples/groovy-dsl

  custom-report-dir-download-and-submit:
+    permissions:
+      contents: write
    needs: [dependency-submission-custom-report-dir-upload]
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/integ-test-detect-toolchains.yml
+++ b/.github/workflows/integ-test-detect-toolchains.yml
@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  # Test that pre-installed runner JDKs are detected
  detect-toolchains-pre-installed-jdks:
--- a/.github/workflows/integ-test-inject-develocity.yml
+++ b/.github/workflows/integ-test-inject-develocity.yml
@ -20,6 +20,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  inject-develocity:
    env:
--- a/.github/workflows/integ-test-provision-gradle-versions.yml
+++ b/.github/workflows/integ-test-provision-gradle-versions.yml
@ -18,6 +18,9 @@ env:
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
  GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true

+permissions:
+  contents: read
+
 jobs:   
  # Tests for executing with different Gradle versions. 
  # Each build verifies that it is executed with the expected Gradle version.
--- a/.github/workflows/integ-test-restore-configuration-cache.yml
+++ b/.github/workflows/integ-test-restore-configuration-cache.yml
@ -20,6 +20,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  restore-cc-seed-build-groovy:
    env:
--- a/.github/workflows/integ-test-restore-containerized-gradle-home.yml
+++ b/.github/workflows/integ-test-restore-containerized-gradle-home.yml
@ -14,6 +14,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  restore-containerized-seed-build:
    runs-on: ubuntu-latest
--- a/.github/workflows/integ-test-restore-custom-gradle-home.yml
+++ b/.github/workflows/integ-test-restore-custom-gradle-home.yml
@ -14,6 +14,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  restore-custom-gradle-home-seed-build:
    runs-on: ubuntu-latest
--- a/.github/workflows/integ-test-restore-gradle-home.yml
+++ b/.github/workflows/integ-test-restore-gradle-home.yml
@ -18,6 +18,9 @@ env:
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }}
  GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home

+permissions:
+  contents: read
+
 jobs:
  restore-gradle-home-seed-build:
    strategy:
--- a/.github/workflows/integ-test-restore-java-toolchain.yml
+++ b/.github/workflows/integ-test-restore-java-toolchain.yml
@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  restore-java-toolchain-seed-build:
    strategy:
--- a/.github/workflows/integ-test-sample-gradle-plugin.yml
+++ b/.github/workflows/integ-test-sample-gradle-plugin.yml
@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  sample-gradle-plugin-seed-build:
    strategy:
--- a/.github/workflows/integ-test-sample-kotlin-dsl.yml
+++ b/.github/workflows/integ-test-sample-kotlin-dsl.yml
@ -17,6 +17,9 @@ env:
  SKIP_DIST: ${{ inputs.skip-dist }}
  GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }}

+permissions:
+  contents: read
+
 jobs:
  sample-kotlin-dsl-seed-build:
    strategy:
--- a/.github/workflows/integ-test-wrapper-validation.yml
+++ b/.github/workflows/integ-test-wrapper-validation.yml
@ -13,6 +13,9 @@ on:
 env:
  SKIP_DIST: ${{ inputs.skip-dist }}

+permissions:
+  contents: read
+
 jobs:
  wrapper-validation-setup-gradle:
    strategy:
--- a/.github/workflows/suite-integ-test-caching.yml
+++ b/.github/workflows/suite-integ-test-caching.yml
@ -10,6 +10,9 @@ on:
        type: boolean
        default: false

+permissions:
+  contents: read
+
 jobs:
  cache-cleanup:
    uses: ./.github/workflows/integ-test-cache-cleanup.yml
--- a/.github/workflows/suite-integ-test-other.yml
+++ b/.github/workflows/suite-integ-test-other.yml
@ -10,6 +10,9 @@ on:
        type: boolean
        default: false

+permissions:
+  contents: read
+
 jobs:
  build-scan-publish:
    uses: ./.github/workflows/integ-test-build-scan-publish.yml
--- a/.github/workflows/update-checksums-file.yml
+++ b/.github/workflows/update-checksums-file.yml
@ -7,11 +7,13 @@ on:
  workflow_dispatch:

 permissions:
-  contents: write
-  pull-requests: write
+  contents: read

 jobs:
  update-checksums:
+    permissions:
+      contents: write
+      pull-requests: write
    name: Update checksums
    runs-on: ubuntu-latest