From aacf1fc3d6ece6c2b60ea155f747cc6bc2bd2107 Mon Sep 17 00:00:00 2001 From: Emilien Escalle Date: Thu, 14 May 2026 09:33:40 +0200 Subject: [PATCH] ci: improve scoped permissions Signed-off-by: Emilien Escalle --- .github/workflows/__main-ci.yml | 2 +- .github/workflows/__pull-request-ci.yml | 6 +- .github/workflows/__shared-ci.yml | 63 ++++++++++++++++--- ...-docker-prune-pull-requests-image-tags.yml | 13 ++-- .../__test-action-helm-test-chart.yml | 15 +++-- ...-workflow-docker-build-images-building.yml | 19 +++--- ...t-workflow-docker-build-images-caching.yml | 21 +++++-- ...low-docker-build-images-multi-registry.yml | 15 +++-- ...ker-build-images-platforms-and-signing.yml | 15 +++-- 9 files changed, 115 insertions(+), 54 deletions(-) diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml index 2f88c197..f1e59ad1 100644 --- a/.github/workflows/__main-ci.yml +++ b/.github/workflows/__main-ci.yml @@ -23,12 +23,12 @@ jobs: permissions: actions: read contents: read + id-token: write issues: read packages: write pull-requests: read security-events: write statuses: write - id-token: write secrets: inherit clean: diff --git a/.github/workflows/__pull-request-ci.yml b/.github/workflows/__pull-request-ci.yml index 98f811ec..7c318a62 100644 --- a/.github/workflows/__pull-request-ci.yml +++ b/.github/workflows/__pull-request-ci.yml @@ -17,11 +17,11 @@ jobs: uses: ./.github/workflows/__shared-ci.yml permissions: actions: read - contents: write + contents: read + id-token: write issues: read packages: write - pull-requests: write + pull-requests: read security-events: write statuses: write - id-token: write secrets: inherit diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml index 36fb6a33..e6085145 100644 --- a/.github/workflows/__shared-ci.yml +++ b/.github/workflows/__shared-ci.yml 
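Review bot: Reducing `contents` and `pull-requests` to `read` in `__pull-request-ci.yml` tightens the token, but the same job still forwards every repository secret through `secrets: inherit` (unchanged context) and keeps `packages: write` plus `id-token: write` on a PR-triggered run, so the secret surface is not scoped at all. Whether that matters depends on the `on:` block, which is outside the hunk: with plain `pull_request` the GITHUB_TOKEN of a fork PR is read-only and secrets are withheld, but with `pull_request_target` fork code would run with these grants and all inherited secrets, so please confirm which trigger is used. Either way, replacing `secrets: inherit` with an explicit map of only what `__shared-ci.yml` consumes would make the scoping this commit introduces complete.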
@@ -4,69 +4,114 @@ name: Internal - Common Continuous Integration tasks on: # yamllint disable-line rule:truthy workflow_call: -permissions: - actions: read - contents: read - issues: read - packages: write - pull-requests: read - security-events: write - statuses: write - id-token: write +permissions: {} jobs: linter: uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0 + permissions: + actions: read + contents: read + security-events: write + statuses: write test-action-docker-build-image: needs: linter uses: ./.github/workflows/__test-action-docker-build-image.yml + permissions: + contents: read + packages: write test-action-docker-prune-pull-requests-package-version: needs: linter # yamllint disable-line rule:line-length uses: ./.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read test-action-get-image-metadata: needs: linter uses: ./.github/workflows/__test-action-get-image-metadata.yml + permissions: + contents: read test-action-action-get-image-name: needs: linter uses: ./.github/workflows/__test-action-get-image-name.yml + permissions: + contents: read test-action-helm-parse-chart-uri: needs: linter uses: ./.github/workflows/__test-action-helm-parse-chart-uri.yml + permissions: + contents: read test-action-helm-release-chart: needs: linter uses: ./.github/workflows/__test-action-helm-release-chart.yml + permissions: + contents: read + packages: write test-action-helm-test-chart: needs: linter uses: ./.github/workflows/__test-action-helm-test-chart.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read test-workflow-docker-build-images-building: name: Test docker build images - Building needs: linter uses: ./.github/workflows/__test-workflow-docker-build-images-building.yml + permissions: + contents: read + id-token: 
write + issues: read + packages: write + pull-requests: read secrets: inherit test-workflow-docker-build-images-caching: name: Test docker build images - Caching needs: linter uses: ./.github/workflows/__test-workflow-docker-build-images-caching.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read secrets: inherit test-workflow-docker-build-images-multi-registry: name: Test docker build images - Multi registry inputs needs: linter uses: ./.github/workflows/__test-workflow-docker-build-images-multi-registry.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read secrets: inherit test-workflow-docker-build-images-platforms-and-signing: name: Test docker build images - Platforms and Signing needs: linter uses: ./.github/workflows/__test-workflow-docker-build-images-platforms-and-signing.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read secrets: inherit diff --git a/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml b/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml index 780531cd..c9859211 100644 --- a/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml +++ b/.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml @@ -5,12 +5,7 @@ run-name: Test for "docker/prune-pull-requests-image-tags" action on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read - issues: read - packages: write - pull-requests: read - id-token: write +permissions: {} env: IMAGE_NAME: "test-prune-${{ github.run_number }}" 
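Review bot: In `__shared-ci.yml` the same copy-pasted grant set — including `id-token: write` — is given to the prune, helm-test-chart and all four `docker-build-images` test jobs, and the four build-images jobs also keep `secrets: inherit` (unchanged context), so every step of the called workflows can mint an OIDC token for this repository and read every repository secret, while only the platforms-and-signing test visibly exercises signing. Whether `docker-build-images.yml` demands `id-token: write` unconditionally cannot be seen here; if it only needs it when signing is enabled, drop it from the building, caching and multi-registry jobs (a callee job that requests more than the caller grants fails at validation, so the mismatch is caught immediately). For the secrets, the visible test files reference only `GITHUB_TOKEN` and `CI_BOT_APP_PRIVATE_KEY`, so an explicit map such as `secrets:` / `  ci-bot-app-private-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}` (with a matching `workflow_call.secrets` declaration in the test workflow) would bound what the tests can reach.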
@@ -73,6 +68,12 @@ jobs: name: Arrange - Build images needs: arrange-prepare-variables uses: ./.github/workflows/docker-build-images.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read secrets: oci-registry-password: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/__test-action-helm-test-chart.yml b/.github/workflows/__test-action-helm-test-chart.yml index d3fd2c6b..0bdb6b18 100644 --- a/.github/workflows/__test-action-helm-test-chart.yml +++ b/.github/workflows/__test-action-helm-test-chart.yml @@ -5,16 +5,17 @@ run-name: Test for "helm/test-chart" action on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read - issues: read - packages: write - pull-requests: read - id-token: write +permissions: {} jobs: build-test-images: uses: ./.github/workflows/docker-build-images.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read secrets: oci-registry-password: ${{ secrets.GITHUB_TOKEN }} with: @@ -34,6 +35,8 @@ jobs: name: Test for "helm/test-chart" action needs: build-test-images runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/__test-workflow-docker-build-images-building.yml b/.github/workflows/__test-workflow-docker-build-images-building.yml index 6d985291..e7fa3f8f 100644 --- a/.github/workflows/__test-workflow-docker-build-images-building.yml +++ b/.github/workflows/__test-workflow-docker-build-images-building.yml 
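Review bot: Because the earlier hunk in `__test-action-docker-prune-pull-requests-image-tags.yml` replaced the workflow-level block with `permissions: {}`, any job in this file that does not declare its own `permissions:` now runs with an empty GITHUB_TOKEN, and this hunk only grants permissions to the `Arrange - Build images` job. The act job that actually prunes package versions and any assert job that lists remaining tags are outside the hunk; deleting package versions presumably needs `packages: write` and listing them `packages: read`, so please confirm each of those jobs carries its own `permissions:` block, otherwise the prune call will start failing with 403 rather than the test asserting the intended behaviour.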
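Review bot: The `Test for "helm/test-chart" action` job in `__test-action-helm-test-chart.yml` is scoped to `contents: read`, yet it `needs: build-test-images`, which pushes to the registry with `packages: write`; if the chart under test pulls those freshly built images from a private GHCR package using the runner's token, this job also needs `packages: read` (and a login step) or the pull will be rejected. The job's remaining steps are outside the hunk, so this is a point to verify: if the images are public, or pulled by a cluster with its own credentials, `contents: read` is sufficient and a short comment stating that would save the next reader the same question.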
@@ -5,18 +5,19 @@ run-name: Test for "docker-build-images" workflow - Building on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read - issues: read - packages: write - pull-requests: read - id-token: write +permissions: {} # jscpd:ignore-start jobs: act-build-images-args-secrets: name: Arrange - Build with args, secrets uses: ./.github/workflows/docker-build-images.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read secrets: oci-registry-password: ${{ secrets.GITHUB_TOKEN }} build-secrets: | @@ -82,9 +83,5 @@ jobs: for (const image of expectedCreatedImages) { assert(builtImages[image], `"built-images" output does not contain "${image}" image`); } - - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ github.token }} + # jscpd:ignore-end diff --git a/.github/workflows/__test-workflow-docker-build-images-caching.yml b/.github/workflows/__test-workflow-docker-build-images-caching.yml index c215a2fd..07c3eea7 100644 --- a/.github/workflows/__test-workflow-docker-build-images-caching.yml +++ b/.github/workflows/__test-workflow-docker-build-images-caching.yml @@ -5,12 +5,7 @@ run-name: Test for "docker-build-images" workflow - Caching on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read - issues: read - packages: write - pull-requests: read - id-token: write +permissions: {} # jscpd:ignore-start jobs: @@ -65,6 +60,12 @@ jobs: name: Act - Build images - registry cache needs: arrange uses: ./.github/workflows/docker-build-images.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read secrets: oci-registry-password: ${{ secrets.GITHUB_TOKEN }} build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }} 
@@ -95,6 +96,12 @@ jobs: name: Act - Build images - gha cache needs: arrange uses: ./.github/workflows/docker-build-images.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read secrets: oci-registry-password: ${{ secrets.GITHUB_TOKEN }} build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }} @@ -128,6 +135,8 @@ jobs: strategy: fail-fast: false matrix: ${{ fromJson(needs.arrange.outputs.matrix) }} + permissions: + packages: read steps: - name: Login to GitHub Container Registry uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 diff --git a/.github/workflows/__test-workflow-docker-build-images-multi-registry.yml b/.github/workflows/__test-workflow-docker-build-images-multi-registry.yml index afc89743..74cb9566 100644 --- a/.github/workflows/__test-workflow-docker-build-images-multi-registry.yml +++ b/.github/workflows/__test-workflow-docker-build-images-multi-registry.yml @@ -5,17 +5,18 @@ run-name: Test for "docker-build-images" workflow - Multi registry inputs on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read - issues: read - packages: write - pull-requests: read - id-token: write +permissions: {} jobs: act-build-images-multi-registry: name: Act - Build images with structured registry inputs uses: ./.github/workflows/docker-build-images.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read secrets: oci-registry-password: | {"push":"${{ secrets.GITHUB_TOKEN }}","pull:private":"${{ secrets.GITHUB_TOKEN }}"} @@ -43,6 +44,8 @@ jobs: name: Assert - Build images with structured registry inputs needs: act-build-images-multi-registry runs-on: ubuntu-latest + permissions: + packages: read steps: - name: Login to GitHub Container Registry uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 
diff --git a/.github/workflows/__test-workflow-docker-build-images-platforms-and-signing.yml b/.github/workflows/__test-workflow-docker-build-images-platforms-and-signing.yml index 119848d0..f10b85a9 100644 --- a/.github/workflows/__test-workflow-docker-build-images-platforms-and-signing.yml +++ b/.github/workflows/__test-workflow-docker-build-images-platforms-and-signing.yml @@ -5,12 +5,7 @@ run-name: Test for "docker-build-images" workflow - Platforms and Signing on: # yamllint disable-line rule:truthy workflow_call: -permissions: - contents: read - issues: read - packages: write - pull-requests: read - id-token: write +permissions: {} # jscpd:ignore-start jobs: @@ -91,6 +86,12 @@ jobs: fail-fast: false matrix: ${{ fromJson(needs.arrange.outputs.matrix) }} uses: ./.github/workflows/docker-build-images.yml + permissions: + contents: read + id-token: write + issues: read + packages: write + pull-requests: read secrets: oci-registry-password: ${{ secrets.GITHUB_TOKEN }} build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }} @@ -116,6 +117,8 @@ jobs: strategy: fail-fast: false matrix: ${{ fromJson(needs.arrange.outputs.matrix) }} + permissions: + packages: read steps: - name: Login to GitHub Container Registry uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
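Review bot: This platforms-and-signing test is the only one in the patch that visibly exercises image signing, so its `id-token: write` grant on the act job is the one that is clearly justified, but nothing records why; a trailing comment such as `id-token: write # OIDC token needed for keyless image signing — confirm against docker-build-images.yml` would document the intent and make it easier to prune the identical grant from the building, caching and multi-registry tests where no signing is visible. The assert job below is correctly limited to `packages: read` for its registry login.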