@ahus1 @mhajas whenever you have some time, could you please review the changes in the Aurora workflow? I just want to ensure that this won't be broken.

@keycloak/cloud-native whenever you have the time could you please review the quarkus next workflow?

@abstractj - this should be fine for the Aurora DB flow. Please proceed.

FYI: This steps will run only on the release branches and in main due to the secrets that they use.

I would get rid of the permissions: contents: read part. Fix the issue labeller permission that is wrong, then we can merge this PR, and afterwards enable the Read repository contents and packages permissions setting for the repo as the default.

We also need to update active release branches for this to work.

Should we not instead change the default workflow permissions for the repository to Read repository contents and packages permissions and only set additional permissions that is required?

Seems permissions: contents: read addition to all workflows is not needed really.

@stianst I totally get what you mention, but this is based on the recommendations from https://github.com/ossf/scorecard/blob/e3441f48c371470aa9d46aaaed343a74be31f54b/docs/checks.md#token-permissions. I do not disagree on what you say.

In summary:
"The highest score is awarded when the permissions definitions in each workflow's yaml file are set as read-only at the top level and the required write permissions are declared at the run-level."

The argument is: "The check cannot detect if the "read-only" GitHub permission setting is enabled, as there is no API available."

The consequence of not doing it, is the fact that both scorecard and clomonitor.io will report inaccurate report on Token permissions.

As soon as we agree on the changes here, I can submit a pull-request to other branches.

@stianst I had the chance to speak with people on scorecard, and the another solution is to put at the top permissions: {}. Honestly, I'd go with permissions: read and call it a day.

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.webauthn.AppInitiatedActionWebAuthnTest#proceedSetupWebAuthnLogoutOtherSessionsChecked

Keycloak CI - WebAuthn IT (chrome)

java.lang.RuntimeException: Could not create statement
	at org.jboss.arquillian.junit.Arquillian.methodBlock(Arquillian.java:307)
	at org.junit.runners.BlockJUnit4ClassRunner$1.evaluate(BlockJUnit4ClassRunner.java:100)
	at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:366)
	at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:103)
...

Report flaky test

Okay, let's go with the default permissions on the top of workflows, we can always in addition enable this enforcement on the repo/org level as a separate thing.

@jonkoops @stianst first, thank you so much for your time reviewing it. It took me 30 min to mimic the environment, based on what you mentioned.

1. Successful experiment based on what you suggest is here:

• [Snyk] Upgrade com.sun.xml.ws:rt from 4.0.0 to 4.0.3 keycloak-poc/keycloak#8
• Bump the npm-dependencies group across 1 directory with 14 updates keycloak-poc/keycloak#9
• https://github.com/keycloak-poc/keycloak/actions/runs/13788000059

2. Failures based on my original proposal

• Bump the actions-dependencies group with 2 updates keycloak-poc/keycloak#1
• [Snyk] Upgrade org.apache.santuario:xmlsec from 2.2.6 to 2.3.5 keycloak-poc/keycloak#7
• https://github.com/keycloak-poc/keycloak/actions/runs/13787873120

I think this is the last piece of the puzzle.

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.webauthn.AppInitiatedActionWebAuthnTest#proceedSetupWebAuthnLogoutOtherSessionsChecked

Keycloak CI - WebAuthn IT (chrome)

java.lang.AssertionError: Event expected
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.junit.Assert.assertNotNull(Assert.java:713)
	at org.keycloak.testsuite.AssertEvents.poll(AssertEvents.java:95)
...

Report flaky test

org.keycloak.testsuite.webauthn.passwordless.AppInitiatedActionPwdLessTest#proceedSetupWebAuthnLogoutOtherSessionsChecked

Keycloak CI - WebAuthn IT (chrome)

java.lang.AssertionError: Event expected
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.junit.Assert.assertNotNull(Assert.java:713)
	at org.keycloak.testsuite.AssertEvents.poll(AssertEvents.java:95)
...

Report flaky test

org.keycloak.testsuite.webauthn.passwordless.AppInitiatedActionPwdLessTest#proceedSetupWebAuthnLogoutOtherSessionsNotChecked

Keycloak CI - WebAuthn IT (chrome)

java.lang.AssertionError: Event expected
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.junit.Assert.assertNotNull(Assert.java:713)
	at org.keycloak.testsuite.AssertEvents.poll(AssertEvents.java:95)
...

Report flaky test

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.webauthn.passwordless.AppInitiatedActionPwdLessTest#cancelSetupWebAuthn

Keycloak CI - WebAuthn IT (chrome)

java.lang.AssertionError: Event expected
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.junit.Assert.assertNotNull(Assert.java:713)
	at org.keycloak.testsuite.AssertEvents.poll(AssertEvents.java:95)
...

Report flaky test