
Commit c0218ea

ci: add permissions blocks to every workflow and job (runfinch#1539)
Signed-off-by: Justin Alvarez <alvajus@amazon.com>
1 parent deb3877 commit c0218ea

7 files changed

+114
-0
lines changed


.github/workflows/build-and-test-pkg.yaml

Lines changed: 33 additions & 0 deletions
@@ -18,10 +18,19 @@ on:
1818
env:
1919
GO111MODULE: on
2020

21+
permissions:
22+
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
23+
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
24+
id-token: write
25+
# This is required for actions/checkout
26+
contents: read
27+
2128
jobs:
2229
get-tag-name:
2330
name: Get tag name
2431
runs-on: ubuntu-latest
32+
permissions:
33+
contents: read
2534
timeout-minutes: 2
2635
outputs:
2736
tag: ${{ steps.check-tag.outputs.tag }}
@@ -53,6 +62,12 @@ jobs:
5362
macos-aarch64-pkg-build:
5463
needs: get-tag-name
5564
uses: ./.github/workflows/build-pkg.yaml
65+
permissions:
66+
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
67+
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
68+
id-token: write
69+
# This is required for actions/checkout
70+
contents: read
5671
secrets: inherit
5772
with:
5873
os: macos
@@ -65,6 +80,12 @@ jobs:
6580
macos-x86-64-pkg-build:
6681
needs: get-tag-name
6782
uses: ./.github/workflows/build-pkg.yaml
83+
permissions:
84+
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
85+
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
86+
id-token: write
87+
# This is required for actions/checkout
88+
contents: read
6889
secrets: inherit
6990
with:
7091
os: macos
@@ -83,6 +104,12 @@ jobs:
83104
- get-tag-name
84105
- macos-aarch64-pkg-build
85106
uses: ./.github/workflows/test-pkg.yaml
107+
permissions:
108+
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
109+
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
110+
id-token: write
111+
# This is required for actions/checkout
112+
contents: read
86113
secrets: inherit
87114
with:
88115
os: macos
@@ -101,6 +128,12 @@ jobs:
101128
- get-tag-name
102129
- macos-x86-64-pkg-build
103130
uses: ./.github/workflows/test-pkg.yaml
131+
permissions:
132+
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
133+
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
134+
id-token: write
135+
# This is required for actions/checkout
136+
contents: read
104137
secrets: inherit
105138
with:
106139
os: macos
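Review bot: The workflow-level `permissions` block added at the top of this file grants `id-token: write` to every job by default, yet each job visible in the hunks also carries its own block, so the top-level grant only ever applies to a job that omits one. Narrowing the top-level block to `permissions:` / `contents: read` and keeping `id-token: write` only on the jobs that call configure-aws-credentials keeps the OIDC-token scope out of any job added later without a block. The same pattern appears in `.github/workflows/e2e-ubuntu.yaml`, where the workflow-level block also carries `id-token: write` while each job shown sets its own. The two test jobs in the last hunks begin outside their hunks, so whether every job in this file now has a block cannot be confirmed from here.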

.github/workflows/ci-docs.yaml

Lines changed: 23 additions & 0 deletions
@@ -40,9 +40,14 @@ on:
4040
- '!.github/workflows/e2e-windows.yaml'
4141
- '!.github/workflows/e2e-linux.yaml'
4242

43+
permissions:
44+
contents: read
45+
4346
jobs:
4447
git-secrets:
4548
runs-on: ubuntu-latest
49+
permissions:
50+
contents: read
4651
timeout-minutes: 2
4752
steps:
4853
- name: Pull latest awslabs/git-secrets repo
@@ -66,6 +71,8 @@ jobs:
6671
matrix:
6772
os: [macos-latest, windows-latest]
6873
runs-on: ${{ matrix.os }}
74+
permissions:
75+
contents: read
6976
timeout-minutes: 2
7077
steps:
7178
- run: echo "Skipping CI for docs & contrib files"
@@ -74,23 +81,31 @@ jobs:
7481
matrix:
7582
os: [macos-latest, windows-latest]
7683
runs-on: ${{ matrix.os }}
84+
permissions:
85+
contents: read
7786
timeout-minutes: 2
7887
steps:
7988
- run: echo "Skipping CI for docs & contrib files"
8089
go-linter:
8190
name: lint
8291
runs-on: ubuntu-latest
92+
permissions:
93+
contents: read
8394
timeout-minutes: 2
8495
steps:
8596
- run: echo "Skipping CI for docs & contrib files"
8697
go-mod-tidy-check:
8798
runs-on: ubuntu-latest
8899
timeout-minutes: 2
100+
permissions:
101+
contents: read
89102
steps:
90103
- run: echo "Skipping CI for docs & contrib files"
91104
check-licenses:
92105
runs-on: ubuntu-latest
93106
timeout-minutes: 2
107+
permissions:
108+
contents: read
94109
steps:
95110
- run: echo "Skipping CI for docs & contrib files"
96111
macos-e2e-tests:
@@ -101,13 +116,17 @@ jobs:
101116
arch: ['X64', 'arm64']
102117
runner-type: ['test']
103118
uses: ./.github/workflows/e2e-docs.yaml
119+
permissions:
120+
contents: read
104121
windows-e2e-tests:
105122
strategy:
106123
matrix:
107124
test-command: ['test-e2e-vm-serial', 'test-e2e-container']
108125
arch: ['amd64']
109126
runner-type: ['test']
110127
uses: ./.github/workflows/e2e-docs.yaml
128+
permissions:
129+
contents: read
111130
linux-e2e-tests:
112131
strategy:
113132
matrix:
@@ -116,8 +135,12 @@ jobs:
116135
version: ['2023', '2']
117136
runner-type: ['test']
118137
uses: ./.github/workflows/e2e-docs.yaml
138+
permissions:
139+
contents: read
119140
mdlint:
120141
runs-on: ubuntu-latest
142+
permissions:
143+
contents: read
121144
timeout-minutes: 2
122145
steps:
123146
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
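Review bot: The jobs whose only step in the hunks shown is `- run: echo "Skipping CI for docs & contrib files"` (the two matrix jobs, go-linter, go-mod-tidy-check, check-licenses) never call actions/checkout, so the new `contents: read` grants more than they use; `permissions: {}` on those jobs would make the empty token explicit. mdlint does check out the repository, so its `contents: read` is the right minimum. The matrix job in the second hunk continues past the hunk boundary, so its full step list should be checked before tightening it.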

.github/workflows/e2e-ubuntu.yaml

Lines changed: 11 additions & 0 deletions
@@ -13,10 +13,16 @@ env:
1313
GO111MODULE: on
1414
GO_VERSION: '1.24.6'
1515

16+
permissions:
17+
id-token: write # used when getting AWS credentials
18+
contents: read
19+
1620
jobs:
1721
get-latest-tag:
1822
name: Get the latest release tag
1923
runs-on: ubuntu-latest
24+
permissions:
25+
contents: read
2026
timeout-minutes: 2
2127
outputs:
2228
tag: ${{ steps.latest-tag.outputs.tag }}
@@ -32,6 +38,8 @@ jobs:
3238
needs: get-latest-tag
3339
name: Get tag name
3440
runs-on: ubuntu-latest
41+
permissions:
42+
contents: read
3543
timeout-minutes: 2
3644
outputs:
3745
tag: ${{ steps.check-tag.outputs.tag }}
@@ -59,6 +67,9 @@ jobs:
5967
e2e-test:
6068
needs: get-tag-and-version
6169
runs-on: codebuild-finch-${{ inputs.arch }}-1-instance-${{ github.run_id }}-${{ github.run_attempt }}
70+
permissions:
71+
id-token: write # used when getting AWS credentials
72+
contents: read
6273
timeout-minutes: 60
6374
outputs:
6475
has_creds: ${{ steps.vars.outputs.has_creds}}

.github/workflows/go-version-protection.yaml

Lines changed: 7 additions & 0 deletions
@@ -11,10 +11,17 @@ on:
1111
paths:
1212
- 'go.mod'
1313
- '.github/workflows/go-version-protection.yaml'
14+
permissions:
15+
id-token: write # used when getting AWS credentials
16+
contents: write # used to create a release and upload files to a release
17+
pull-requests: write # used to update the pull request
1418

1519
jobs:
1620
prevent-go-version-minor-major-version-updates:
1721
runs-on: ubuntu-latest
22+
permissions:
23+
contents: read
24+
pull-requests: write
1825
steps:
1926
- name: Checkout code
2027
uses: actions/checkout@v5
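Review bot: The workflow-level block at new lines 14–17 grants `id-token: write` and `contents: write` with comments about creating releases and uploading release files, but the only job in view, `prevent-go-version-minor-major-version-updates`, restricts itself to `contents: read` and `pull-requests: write`, and nothing in this workflow's name or trigger paths (`go.mod`, the workflow file itself) suggests it publishes releases. The comments read as copied from a release workflow. Unless a job further down the file, outside the hunk, actually requests an OIDC token or writes to the repository, the top-level block should shrink to the job's own set: `permissions:` / `contents: read` / `pull-requests: write`.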

.github/workflows/lint-pr-title.yaml

Lines changed: 5 additions & 0 deletions
@@ -9,10 +9,15 @@ on:
99
- reopened
1010
- synchronize
1111

12+
permissions: read-all
13+
1214
jobs:
1315
main:
1416
name: conventional-commit
1517
runs-on: ubuntu-latest
18+
permissions:
19+
contents: read
20+
pull-requests: write
1621
timeout-minutes: 1
1722
steps:
1823
- uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
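Review bot: `permissions: read-all` at the workflow level is wider than this single-job workflow needs; because `main` overrides it with its own block, the top-level entry only sets the default for any job added later, and an explicit `permissions:` / `contents: read` (or `permissions: {}`) documents that intent better than the catch-all. The per-job block on `main` is the right shape; `pull-requests: write` is what a PR-title check that comments on the pull request needs, which should be confirmed against the action's documented scopes.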

.github/workflows/release-automation.yaml

Lines changed: 27 additions & 0 deletions
@@ -7,6 +7,8 @@ jobs:
77
get-latest-tag:
88
name: Get the latest release tag
99
runs-on: ubuntu-latest
10+
permissions:
11+
contents: read
1012
timeout-minutes: 2
1113
outputs:
1214
tag: ${{ steps.latest-tag.outputs.tag }}
@@ -30,13 +32,23 @@ jobs:
3032
- get-latest-tag
3133
- build-and-test-finch-pkg
3234
uses: ./.github/workflows/upload-installer-to-release.yaml
35+
permissions:
36+
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
37+
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
38+
id-token: write
39+
contents: write # this is used to upload to the release
3340
secrets: inherit
3441
with:
3542
ref_name: ${{ needs.get-latest-tag.outputs.tag }}
3643

3744
build-and-test-finch-msi:
3845
needs: get-latest-tag
3946
uses: ./.github/workflows/build-and-test-msi.yaml
47+
permissions:
48+
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
49+
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
50+
id-token: write
51+
contents: read # this is required for actions/checkout
4052
secrets: inherit
4153
with:
4254
ref_name: ${{ needs.get-latest-tag.outputs.tag }}
@@ -46,13 +58,23 @@ jobs:
4658
- get-latest-tag
4759
- build-and-test-finch-msi
4860
uses: ./.github/workflows/upload-msi-to-release.yaml
61+
permissions:
62+
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
63+
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
64+
id-token: write
65+
contents: read # this is required for actions/checkout
4966
secrets: inherit
5067
with:
5168
ref_name: ${{ needs.get-latest-tag.outputs.tag }}
5269

5370
build-and-test-finch-deb:
5471
needs: get-latest-tag
5572
uses: ./.github/workflows/build-and-test-deb.yaml
73+
permissions:
74+
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
75+
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
76+
id-token: write
77+
contents: read # this is required for actions/checkout
5678
secrets: inherit
5779
with:
5880
ref_name: ${{ needs.get-latest-tag.outputs.tag }}
@@ -62,6 +84,11 @@ jobs:
6284
- get-latest-tag
6385
- build-and-test-finch-deb
6486
uses: ./.github/workflows/upload-deb-to-release.yaml
87+
permissions:
88+
# This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
89+
# More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
90+
id-token: write
91+
contents: write # this is required for uploading the release assets
6592
secrets: inherit
6693
with:
6794
ref_name: ${{ needs.get-latest-tag.outputs.tag }}
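Review bot: No workflow-level `permissions` key appears in this file's hunks — the per-job additions account for all 27 added lines — so unless one already exists above line 7, outside the first hunk, any job that later omits a block still falls back to the repository's default token scope, unlike the other six workflows in this commit. Adding `permissions:` / `contents: read` at the top of the file would make that fallback explicit. Separately, the same two-line OIDC comment is repeated in five jobs here; keeping the documentation link once at the top of the file and a one-line `# OIDC token for configure-aws-credentials` next to each `id-token: write` would cut the noise without losing the reference.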

.github/workflows/release-please.yaml

Lines changed: 8 additions & 0 deletions
@@ -4,9 +4,17 @@ on:
44
branches:
55
- main
66
name: release-please
7+
8+
permissions:
9+
contents: read
10+
pull-requests: write
11+
712
jobs:
813
release-please:
914
runs-on: ubuntu-latest
15+
permissions:
16+
contents: read
17+
pull-requests: write
1018
timeout-minutes: 2
1119
outputs:
1220
release_created: ${{ steps.release.outputs.release_created }}
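Review bot: `contents: read` on the `release-please` job (and at the workflow level) looks too narrow if the step that produces the `release_created` output is the release-please action: opening the release PR needs `pull-requests: write`, which is granted, but cutting the tag and GitHub release on merge writes to the repository and, per that action's documentation, needs `contents: write`. The job's steps are outside the hunk, so this should be confirmed against the step list; if the action is only used to open PRs here, the current grant is fine.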
