
Commit 21c903e

Ensure that the project’s automated workflows tokens are set to read-only by default (#37643)
Signed-off-by: Bruno Oliveira da Silva <[email protected]> Closes #33544
1 parent 7aa5130 commit 21c903e


13 files changed

+60
-8
lines changed


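--- a/.github/workflows/aurora-delete.yml
+++ b/.github/workflows/aurora-delete.yml
@@ -12,6 +12,9 @@ on:
 type: string
 required: true
 
+permissions:
+contents: read
+
 jobs:
 delete:
 name: Delete Aurora DB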
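Review bot: The new top-level `permissions:` block carries no comment, whereas every job-level write grant in this commit has a trailing `# Required to ...` explanation, so a reader of this file alone cannot tell that the read-only token is a deliberate repository-wide policy rather than a leftover. A one-line comment above the block, `# GITHUB_TOKEN is read-only by default; jobs that need more declare it explicitly`, would make the policy self-describing and discourage later edits that widen it at the top level. The same applies to the identical blocks added in ci.yml, codeql-analysis.yml, documentation.yml, guides.yml, js-ci.yml, operator-ci.yml, quarkus-next.yml and schedule-nightly.yml.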

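--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,6 +22,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+contents: read
+
 jobs:
 
 conditional: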

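--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -22,8 +22,10 @@ defaults:
 run:
 shell: bash
 
-jobs:
+permissions:
+contents: read
 
+jobs:
 conditional:
 name: Check conditional workflows and jobs
 runs-on: ubuntu-latest
@@ -43,6 +45,8 @@ jobs:
 name: CodeQL Java
 needs: conditional
 runs-on: ubuntu-latest
+permissions:
+security-events: write # Required for SARIF upload
 if: needs.conditional.outputs.java == 'true'
 outputs:
 conclusion: ${{ steps.check.outputs.conclusion }}
@@ -69,6 +73,8 @@ jobs:
 name: CodeQL JavaScript
 needs: conditional
 runs-on: ubuntu-latest
+permissions:
+security-events: write # Required for SARIF upload
 if: needs.conditional.outputs.javascript == 'true'
 outputs:
 conclusion: ${{ steps.check.outputs.conclusion }}
@@ -94,6 +100,8 @@ jobs:
 name: CodeQL TypeScript
 needs: conditional
 runs-on: ubuntu-latest
+permissions:
+security-events: write # Required for SARIF upload
 if: needs.conditional.outputs.typescript == 'true'
 outputs:
 conclusion: ${{ steps.check.outputs.conclusion }}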
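Review bot: The job-level `permissions:` blocks added to the CodeQL Java, JavaScript and TypeScript jobs list only `security-events: write`, and a job-level block replaces the workflow-level one rather than extending it, so every scope not listed there (including the `contents: read` this same commit adds at the top of the file) becomes none for those jobs' GITHUB_TOKEN. On a public repository the checkout and SARIF upload should still succeed with such a token, so this is probably harmless as written, but any step that authenticates against repository contents with GITHUB_TOKEN, or a private fork of these workflows, would fail without an obvious cause. Restating the read scope in each job block, `permissions:` / `contents: read` / `security-events: write # Required for SARIF upload`, keeps each job's grant complete and self-describing. The same override semantics apply to the job-level blocks in label.yml (`issues: write`), quarkus-next.yml and schedule-nightly.yml (`actions: write`), where `contents: read` is likewise no longer in effect for those jobs.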

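--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -21,6 +21,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+contents: read
+
 jobs:
 
 conditional: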

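--- a/.github/workflows/guides.yml
+++ b/.github/workflows/guides.yml
@@ -21,6 +21,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+contents: read
+
 jobs:
 
 conditional: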

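--- a/.github/workflows/js-ci.yml
+++ b/.github/workflows/js-ci.yml
@@ -22,6 +22,9 @@ defaults:
 run:
 shell: bash
 
+permissions:
+contents: read
+
 jobs:
 conditional:
 name: Check conditional workflows and jobs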

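--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -3,14 +3,15 @@ on:
 pull_request_target:
 types: closed
 
+permissions:
+contents: read
+
 jobs:
 label:
 
 runs-on: ubuntu-latest
 permissions:
-contents: read
-issues: write
-
+issues: write # Required to add labels to Issues
 steps:
 - uses: actions/checkout@v4
 with: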
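Review bot: This job runs on `pull_request_target`, so its token is the base repository's, and it checks out code at `- uses: actions/checkout@v4`; the `with:` block continues outside the hunk, so it is worth confirming that the checkout pins a base-branch ref rather than the pull request head, since the new `issues: write` grant is the only scope the job holds and a review of this commit cannot see what the checked-out content is used for. A comment on the step stating the intent, for example `# checks out the base branch; PR head is never executed under this token`, would let the next reviewer verify that invariant without re-reading the rest of the file.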

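--- a/.github/workflows/operator-ci.yml
+++ b/.github/workflows/operator-ci.yml
@@ -23,6 +23,9 @@ concurrency:
 group: operator-ci-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+contents: read
+
 jobs:
 
 conditional: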

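--- a/.github/workflows/quarkus-next.yml
+++ b/.github/workflows/quarkus-next.yml
@@ -14,12 +14,16 @@ concurrency:
 group: quarkus-next-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+contents: read
+
 jobs:
 update-quarkus-next-branch:
 name: Update quarkus-next branch
 if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
 runs-on: ubuntu-latest
-
+permissions:
+contents: write # Required to push changes to the repository
 steps:
 - uses: actions/checkout@v4
 with:
@@ -42,6 +46,8 @@ jobs:
 run-matrix-with-quarkus-next:
 name: Run workflow matrix with the quarkus-next branch
 runs-on: ubuntu-latest
+permissions:
+actions: write # Required to trigger workflows using gh
 needs:
 - update-quarkus-next-branch
 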

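--- a/.github/workflows/schedule-nightly.yml
+++ b/.github/workflows/schedule-nightly.yml
@@ -5,11 +5,15 @@ on:
 - cron: '0 0 * * *'
 workflow_dispatch:
 
-jobs:
+permissions:
+contents: read
 
+jobs:
 setup:
 if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
 runs-on: ubuntu-latest
+permissions:
+actions: write # Required to trigger workflows using gh
 outputs:
 latest-release-branch: ${{ steps.latest-release.outputs.branch }}
 steps:
@@ -24,8 +28,9 @@ jobs:
 run-default-branch:
 name: Run default branch
 runs-on: ubuntu-latest
+permissions:
+actions: write # Required to trigger workflows using gh
 needs: setup
-
 strategy:
 matrix:
 workflow:
@@ -47,7 +52,8 @@ jobs:
 name: Run latest release branch
 needs: setup
 runs-on: ubuntu-latest
-
+permissions:
+actions: write # Required to trigger workflows using gh
 strategy:
 matrix:
 workflow: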
