From 064ebe331aba3c7a1c39ddcc59343b8d9c8450f7 Mon Sep 17 00:00:00 2001
From: Ashish Kurmi <akurmi@stepsecurity.io>
Date: Sun, 2 Oct 2022 10:07:15 -0700
Subject: [PATCH] ci: add minimum GitHub token permissions for workflows
 Signed-off-by: Ashish Kurmi <akurmi@stepsecurity.io>

---
 .github/workflows/async-history.yml              | 3 +++
 .github/workflows/db2.yml                        | 3 +++
 .github/workflows/docker-release-with-latest.yml | 3 +++
 .github/workflows/docker-release.yml             | 3 +++
 .github/workflows/flowable5.yml                  | 3 +++
 .github/workflows/helm-release.yml               | 5 +++++
 .github/workflows/java-ea.yml                    | 3 +++
 .github/workflows/main.yml                       | 3 +++
 .github/workflows/mariadb.yml                    | 3 +++
 .github/workflows/mysql.yml                      | 3 +++
 .github/workflows/oracle.yml                     | 3 +++
 .github/workflows/postgres.yml                   | 3 +++
 .github/workflows/sql-server.yml                 | 3 +++
 .github/workflows/windows.yml                    | 3 +++
 14 files changed, 44 insertions(+)

diff --git a/.github/workflows/async-history.yml b/.github/workflows/async-history.yml
index f667c13b302..6b016d07c1b 100644
--- a/.github/workflows/async-history.yml
+++ b/.github/workflows/async-history.yml
@@ -8,6 +8,9 @@ env:
     -B -V --no-transfer-progress
     -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
 
+permissions:
+  contents: read
+
 jobs:
   test_async:
     name: Async History ${{ matrix.engineModule }}
diff --git a/.github/workflows/db2.yml b/.github/workflows/db2.yml
index 88109712f36..52891ac0ce2 100644
--- a/.github/workflows/db2.yml
+++ b/.github/workflows/db2.yml
@@ -11,6 +11,9 @@ env:
     -B -V --no-transfer-progress
     -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
 
+permissions:
+  contents: read
+
 jobs:
   test_db2:
     name: DB2 ${{ matrix.db2 }}
diff --git a/.github/workflows/docker-release-with-latest.yml b/.github/workflows/docker-release-with-latest.yml
index b62bb3fa0aa..7ce0be4caf3 100644
--- a/.github/workflows/docker-release-with-latest.yml
+++ b/.github/workflows/docker-release-with-latest.yml
@@ -2,6 +2,9 @@ name: Release Docker Images With Latest
 
 on: workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   release_docker_images_with_latest:
     runs-on: ubuntu-latest
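Review bot: The workflow-level `contents: read` added here also caps GITHUB_TOKEN for the `release_docker_images_with_latest` job, whose steps lie outside the hunk; if any of those steps logs in to ghcr.io with `${{ secrets.GITHUB_TOKEN }}`, the push will now fail under the read-only token and the job needs a job-level override such as `permissions:` / `  contents: read` / `  packages: write`, following the pattern helm-release.yml uses for `contents`. If the registry login uses a dedicated secret instead, the restriction is correct as written, and a one-line comment beside the block, `# image push uses a dedicated registry secret, not GITHUB_TOKEN`, would record that the token scope was checked. The docker-release.yml hunk has the same open question.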
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index ee534c075d2..a1c3c9b101d 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -2,6 +2,9 @@ name: Release Docker Images
 
 on: workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   release_docker_images:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/flowable5.yml b/.github/workflows/flowable5.yml
index b92d8700823..5b34e64a938 100644
--- a/.github/workflows/flowable5.yml
+++ b/.github/workflows/flowable5.yml
@@ -2,6 +2,9 @@ name: Flowable 5 Build
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   test_jdk:
     name: Flowable 5 Tests
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
index 44036d6c91f..6d184fc3296 100644
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -5,8 +5,13 @@ on:
     branches:
       - flowable-helm
 
+permissions:
+  contents: read
+
 jobs:
   release:
+    permissions:
+      contents: write  # for helm/chart-releaser-action to push chart release and create a release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
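Review bot: The job-level `contents: write` is the right shape — the workflow default stays read-only and only the `release` job is widened — but the justification is an inline comment that pushes the line well past 80 columns. Put it on its own line above the key at the same indentation, `# for helm/chart-releaser-action to push chart release and create a release`, so the scope and its reason stay readable in a diff. The steps of the `release` job continue outside the hunk.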
diff --git a/.github/workflows/java-ea.yml b/.github/workflows/java-ea.yml
index 92395d21aee..fbfb37d26a2 100644
--- a/.github/workflows/java-ea.yml
+++ b/.github/workflows/java-ea.yml
@@ -11,6 +11,9 @@ env:
     -B -V --no-transfer-progress
     -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
 
+permissions:
+  contents: read
+
 jobs:
   test_jdkea:
     name: Linux (OpenJDK EA)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index d66b2b5d7f7..1f87c096836 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -7,6 +7,9 @@ env:
     -B -V --no-transfer-progress
     -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
 
+permissions:
+  contents: read
+
 jobs:
   test_jdk:
     name: Linux (JDK ${{ matrix.java }})
diff --git a/.github/workflows/mariadb.yml b/.github/workflows/mariadb.yml
index 4393c5bf339..c29d1241621 100644
--- a/.github/workflows/mariadb.yml
+++ b/.github/workflows/mariadb.yml
@@ -13,6 +13,9 @@ env:
     -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
 
 # We explicitly don't use a container for running the job since there is some connectivity issues to MariaDB if that is done
+permissions:
+  contents: read
+
 jobs:
   test_mariadb:
     name: MariaDB ${{ matrix.mariadb }}
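Review bot: The new `permissions` block is inserted between the comment `# We explicitly don't use a container for running the job …` and the `jobs:` key it describes, so the comment now reads as if it explains the token permissions. Keep the comment adjacent to `jobs:` by placing the block and its trailing blank line above the comment, matching where the other workflows in this patch put it. The mysql.yml hunk has the same placement.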
diff --git a/.github/workflows/mysql.yml b/.github/workflows/mysql.yml
index a2b0f6afdd4..6d8ae12ada7 100644
--- a/.github/workflows/mysql.yml
+++ b/.github/workflows/mysql.yml
@@ -13,6 +13,9 @@ env:
     -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
 
 # We explicitly don't use a container for running the job since there is some connectivity issues to MySQL if that is done
+permissions:
+  contents: read
+
 jobs:
   test_mysql:
     name: MySQL ${{ matrix.mysql }}
diff --git a/.github/workflows/oracle.yml b/.github/workflows/oracle.yml
index 017b07abbb5..fe63c84802e 100644
--- a/.github/workflows/oracle.yml
+++ b/.github/workflows/oracle.yml
@@ -11,6 +11,9 @@ env:
     -B -V --no-transfer-progress
     -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
 
+permissions:
+  contents: read
+
 jobs:
   test_oracle:
     name: Oracle ${{ matrix.oracle }}
diff --git a/.github/workflows/postgres.yml b/.github/workflows/postgres.yml
index a30a5e40517..3920d1c1dde 100644
--- a/.github/workflows/postgres.yml
+++ b/.github/workflows/postgres.yml
@@ -12,6 +12,9 @@ env:
     -B -V --no-transfer-progress
     -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
 
+permissions:
+  contents: read
+
 jobs:
   test_postgres:
     name: Postgres ${{ matrix.postgres }}
diff --git a/.github/workflows/sql-server.yml b/.github/workflows/sql-server.yml
index b7b291fde86..b96765f3131 100644
--- a/.github/workflows/sql-server.yml
+++ b/.github/workflows/sql-server.yml
@@ -12,6 +12,9 @@ env:
     -B -V --no-transfer-progress
     -Dhttp.keepAlive=false -Dmaven.wagon.http.pool=false -Dmaven.wagon.httpconnectionManager.ttlSeconds=120
 
+permissions:
+  contents: read
+
 jobs:
   test_mssql:
     name: SQL Server ${{ matrix.mssql }}
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 50e881dcf50..b0018fdd915 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -7,6 +7,9 @@ env:
     -B -V --no-transfer-progress
     -D http.keepAlive=false -D maven.wagon.http.pool=false -D maven.wagon.httpconnectionManager.ttlSeconds=120
 
+permissions:
+  contents: read
+
 jobs:
   windows:
     name: 'Windows'