From 064ebe331aba3c7a1c39ddcc59343b8d9c8450f7 Mon Sep 17 00:00:00 2001 From: Ashish Kurmi <akurmi@stepsecurity.io> Date: Sun, 2 Oct 2022 10:07:15 -0700 Subject: [PATCH] ci: add minimum GitHub token permissions for workflows Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io> --- .github/workflows/async-history.yml | 3 +++ .github/workflows/db2.yml | 3 +++ .github/workflows/docker-release-with-latest.yml | 3 +++ .github/workflows/docker-release.yml | 3 +++ .github/workflows/flowable5.yml | 3 +++ .github/workflows/helm-release.yml | 5 +++++ .github/workflows/java-ea.yml | 3 +++ .github/workflows/main.yml | 3 +++ .github/workflows/mariadb.yml | 3 +++ .github/workflows/mysql.yml | 3 +++ .github/workflows/oracle.yml | 3 +++ .github/workflows/postgres.yml | 3 +++ .github/workflows/sql-server.yml | 3 +++ .github/workflows/windows.yml | 3 +++ 14 files changed, 44 insertions(+) diff --git a/.github/workflows/async-history.yml b/.github/workflows/async-history.yml index f667c13b302..6b016d07c1b 100644 --- a/.github/workflows/async-history.yml +++ b/.github/workflows/async-history.yml @@ -8,6 +8,9 @@ env: -B -V --no-transfer-progress -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 +permissions: + contents: read + jobs: test_async: name: Async History ${{ matrix.engineModule }} diff --git a/.github/workflows/db2.yml b/.github/workflows/db2.yml index 88109712f36..52891ac0ce2 100644 --- a/.github/workflows/db2.yml +++ b/.github/workflows/db2.yml @@ -11,6 +11,9 @@ env: -B -V --no-transfer-progress -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 +permissions: + contents: read + jobs: test_db2: name: DB2 ${{ matrix.db2 }} diff --git a/.github/workflows/docker-release-with-latest.yml b/.github/workflows/docker-release-with-latest.yml index b62bb3fa0aa..7ce0be4caf3 100644 --- a/.github/workflows/docker-release-with-latest.yml 
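Review bot: The workflow-level `contents: read` added to async-history.yml also drops `checks`, `pull-requests`, `actions` and every other scope from GITHUB_TOKEN, so any step in `test_async` that publishes test reports as check runs or comments on pull requests will now fail with a 403; the job body is outside this hunk, so confirm it only checks out and runs Maven. The same applies to the identical hunks in db2.yml, flowable5.yml, java-ea.yml, main.yml, mariadb.yml, mysql.yml, oracle.yml, postgres.yml, sql-server.yml and windows.yml. Where a job does need a write scope, grant it at the job level as helm-release.yml does in this commit rather than widening the workflow default. As a point of style, the block is inserted between `env:` and `jobs:` in these files; placing it directly after `on:` keeps the trigger and the token scope together and matches where it lands in the files that have no `env:` block.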
+++ b/.github/workflows/docker-release-with-latest.yml @@ -2,6 +2,9 @@ name: Release Docker Images With Latest on: workflow_dispatch +permissions: + contents: read + jobs: release_docker_images_with_latest: runs-on: ubuntu-latest diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml index ee534c075d2..a1c3c9b101d 100644 --- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release.yml @@ -2,6 +2,9 @@ name: Release Docker Images on: workflow_dispatch +permissions: + contents: read + jobs: release_docker_images: runs-on: ubuntu-latest diff --git a/.github/workflows/flowable5.yml b/.github/workflows/flowable5.yml index b92d8700823..5b34e64a938 100644 --- a/.github/workflows/flowable5.yml +++ b/.github/workflows/flowable5.yml @@ -2,6 +2,9 @@ name: Flowable 5 Build on: [push] +permissions: + contents: read + jobs: test_jdk: name: Flowable 5 Tests diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml index 44036d6c91f..6d184fc3296 100644 --- a/.github/workflows/helm-release.yml +++ b/.github/workflows/helm-release.yml @@ -5,8 +5,13 @@ on: branches: - flowable-helm +permissions: + contents: read + jobs: release: + permissions: + contents: write # for helm/chart-releaser-action to push chart release and create a release runs-on: ubuntu-latest steps: - name: Checkout diff --git a/.github/workflows/java-ea.yml b/.github/workflows/java-ea.yml index 92395d21aee..fbfb37d26a2 100644 --- a/.github/workflows/java-ea.yml +++ b/.github/workflows/java-ea.yml @@ -11,6 +11,9 @@ env: -B -V --no-transfer-progress -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 +permissions: + contents: read + jobs: test_jdkea: name: Linux (OpenJDK EA) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index d66b2b5d7f7..1f87c096836 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
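Review bot: The `release_docker_images_with_latest` job now runs with a token limited to `contents: read`; if it pushes to ghcr.io with GITHUB_TOKEN it needs a job-level `permissions: packages: write`, and if it creates a GitHub Release it needs `contents: write` — the steps are outside this hunk, so this needs confirmation against the login and push steps. If the push uses registry credentials from `secrets.*` instead, nothing further is required and the read-only default is the right choice. The same check applies to the `release_docker_images` job in docker-release.yml. Both workflows trigger on `workflow_dispatch`, so it is a maintainer-run token being scoped here.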
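Review bot: The job-level `permissions:` block under `release` in helm-release.yml replaces the workflow-level block rather than extending it, so every scope other than `contents` is `none` for this job; that is the right grant for helm/chart-releaser-action, but the trailing inline comment does not say so and the override semantics are easy to misread. I would move the explanation onto its own lines above the key: `# Job-level permissions replace the workflow-level block (all other scopes become none).` followed by `# chart-releaser-action needs contents: write to push the chart release and create a release.` The remaining steps of the `release` job are outside this hunk.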
@@ -7,6 +7,9 @@ env: -B -V --no-transfer-progress -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 +permissions: + contents: read + jobs: test_jdk: name: Linux (JDK ${{ matrix.java }}) diff --git a/.github/workflows/mariadb.yml b/.github/workflows/mariadb.yml index 4393c5bf339..c29d1241621 100644 --- a/.github/workflows/mariadb.yml +++ b/.github/workflows/mariadb.yml @@ -13,6 +13,9 @@ env: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 # We explicitly don't use a container for running the job since there is some connectivity issues to MariaDB if that is done +permissions: + contents: read + jobs: test_mariadb: name: MariaDB ${{ matrix.mariadb }} diff --git a/.github/workflows/mysql.yml b/.github/workflows/mysql.yml index a2b0f6afdd4..6d8ae12ada7 100644 --- a/.github/workflows/mysql.yml +++ b/.github/workflows/mysql.yml @@ -13,6 +13,9 @@ env: -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 # We explicitly don't use a container for running the job since there is some connectivity issues to MySQL if that is done +permissions: + contents: read + jobs: test_mysql: name: MySQL ${{ matrix.mysql }} diff --git a/.github/workflows/oracle.yml b/.github/workflows/oracle.yml index 017b07abbb5..fe63c84802e 100644 --- a/.github/workflows/oracle.yml +++ b/.github/workflows/oracle.yml @@ -11,6 +11,9 @@ env: -B -V --no-transfer-progress -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 +permissions: + contents: read + jobs: test_oracle: name: Oracle ${{ matrix.oracle }} diff --git a/.github/workflows/postgres.yml b/.github/workflows/postgres.yml index a30a5e40517..3920d1c1dde 100644 --- a/.github/workflows/postgres.yml +++ b/.github/workflows/postgres.yml 
@@ -12,6 +12,9 @@ env: -B -V --no-transfer-progress -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 +permissions: + contents: read + jobs: test_postgres: name: Postgres ${{ matrix.postgres }} diff --git a/.github/workflows/sql-server.yml b/.github/workflows/sql-server.yml index b7b291fde86..b96765f3131 100644 --- a/.github/workflows/sql-server.yml +++ b/.github/workflows/sql-server.yml @@ -12,6 +12,9 @@ env: -B -V --no-transfer-progress -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120 +permissions: + contents: read + jobs: test_mssql: name: SQL Server ${{ matrix.mssql }} diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml index 50e881dcf50..b0018fdd915 100644 --- a/.github/workflows/windows.yml +++ b/.github/workflows/windows.yml @@ -7,6 +7,9 @@ env: -B -V --no-transfer-progress -D http.keepAlive=false -D maven.wagon.http.pool=false -D maven.wagon.httpconnectionManager.ttlSeconds=120 +permissions: + contents: read + jobs: windows: name: 'Windows'