From b1a13bb740c22f840c627ea458cb6d173391b1b0 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 9 Oct 2024 01:07:18 +0200
Subject: [PATCH] gha: set default permissions to "contents: read"

make the OpenSSF scorecard slightly happier;
https://securityscorecards.dev/viewer/?uri=github.com/docker/buildx

Warn: no topLevel permission defined: .github/workflows/build.yml:1
Warn: topLevel 'security-events' permission set to 'write': .github/workflows/codeql.yml:13
Warn: no topLevel permission defined: .github/workflows/docs-release.yml:1
Warn: no topLevel permission defined: .github/workflows/docs-upstream.yml:1
Warn: no topLevel permission defined: .github/workflows/e2e.yml:1
Warn: no topLevel permission defined: .github/workflows/labeler.yml:1
Warn: no topLevel permission defined: .github/workflows/validate.yml:1

Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/build.yml | 9 +++++++++
 .github/workflows/codeql.yml | 19 ++++++++++++++-----
 .github/workflows/docs-release.yml | 9 +++++++++
 .github/workflows/docs-upstream.yml | 9 +++++++++
 .github/workflows/e2e.yml | 9 +++++++++
 .github/workflows/labeler.yml | 9 +++++++++
 .github/workflows/validate.yml | 9 +++++++++
 7 files changed, 68 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 216f0bdd..129910fa 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,14 @@
 name: build
 
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 1e67a3b1..bcc4cad7 100644
--- a/.github/workflows/codeql.yml
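Review bot: The new top-level `permissions: contents: read` in build.yml sets every other scope to none for every job in the file, so any job that publishes through `GITHUB_TOKEN` (a release upload, a registry push, a PR comment) will now fail at run time rather than at lint time; the jobs themselves are outside this hunk, so please confirm none of them relies on a write scope, or give that job its own `permissions:` block the way codeql.yml does. Note that a job-level block replaces the workflow-level one rather than extending it, so such a job must re-list `contents: read` next to the scope it adds. A short comment on that restored job, e.g. `# job-level permissions replace the workflow default; contents: read is needed for checkout`, saves the next maintainer from "simplifying" it away.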
+++ b/.github/workflows/codeql.yml
@@ -1,5 +1,14 @@
 name: codeql
 
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -7,16 +16,16 @@ on:
       - 'v[0-9]*'
   pull_request:
 
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-
 env:
   GO_VERSION: "1.22"
 
 jobs:
   codeql:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
     runs-on: ubuntu-24.04
     steps:
       -
diff --git a/.github/workflows/docs-release.yml b/.github/workflows/docs-release.yml
index 04f51650..5ac49234 100644
--- a/.github/workflows/docs-release.yml
+++ b/.github/workflows/docs-release.yml
@@ -1,5 +1,14 @@
 name: docs-release
 
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/docs-upstream.yml b/.github/workflows/docs-upstream.yml
index 13e2df95..046c9a47 100644
--- a/.github/workflows/docs-upstream.yml
+++ b/.github/workflows/docs-upstream.yml
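Review bot: The job-level `permissions:` block moved under `codeql:` is correct but undocumented: a job-level block replaces the workflow-level one instead of merging with it, which is the only reason `contents: read` is repeated here, and a reader who has just read the top-level comment ("any permission not included … is none") may treat the duplicate as redundant and drop it, silently breaking checkout. A comment above it such as `# job-level permissions replace (not extend) the workflow default, so contents: read must be repeated; security-events: write is required to upload SARIF results` captures the intent; `actions: read` is, as far as I recall from the CodeQL action's documentation, only needed on private repositories, so it is worth a word too if it is being kept deliberately. Keeping the write scope on the job rather than at workflow level is the right shape for the scorecard finding. The upload step that needs `security-events: write` is outside this hunk.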
@@ -3,6 +3,15 @@
 # https://github.com/docker/docker.github.io/blob/98c7c9535063ae4cd2cd0a31478a21d16d2f07a3/docker-bake.hcl#L34-L36
 name: docs-upstream
 
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 484e20fc..57dcff3f 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -1,5 +1,14 @@
 name: e2e
 
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 1b75e534..39ad0fb5 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -1,5 +1,14 @@
 name: labeler
 
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 3c042df1..8e0d623d 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
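Review bot: labeler.yml is the workflow most likely to break under the new default: a job that applies labels through `GITHUB_TOKEN` (for example actions/labeler) needs `pull-requests: write`, which the top-level `contents: read` now turns into none, and the job definition is outside this hunk so the patch does not show that scope being restored. If that is how this workflow labels PRs, give the job `permissions:` with `contents: read` (for reading the labeler config) and `pull-requests: write`, keeping the write scope at job level so the scorecard finding stays resolved. If the workflow is triggered by `pull_request_target`, this is also the right place to keep the token minimal, since that event runs with a write-capable token in the context of fork-authored pull requests.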
@@ -1,5 +1,14 @@
 name: validate
 
+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
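Review bot: The header comment pasted into all seven workflows says `contents: read` "grants actions to read commits", which understates the scope: it is read access to repository contents as a whole (code, commits, tags, releases), i.e. exactly what actions/checkout needs and nothing more. Suggest `# Default to 'contents: read': read-only access to the repository, which is all actions/checkout needs.` everywhere this block appears, so the comment matches the linked documentation. The explicit block only protects the workflows that carry it; the complementary control is the repository's Actions "Workflow permissions" setting, which should be switched to read-only so that a workflow added later without a `permissions:` block does not quietly regain a write-capable token.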