Merge pull request #589 from vmware/fix-workflow-permissions

Add permissions to Github Workflows
vmware · Jan 10, 2025 · fa8c4d5 · fa8c4d5
2 parents 6c10af5 + 96473d9
commit fa8c4d5
Show file tree

Hide file tree

Showing 6 changed files with 15 additions and 98 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,6 +7,10 @@ on:
       - "main" # trigger the workflow for main branch
   workflow_dispatch:
 
+permissions:
+  actions: write
+  contents: write
+
 jobs:
   build:
     strategy:

diff --git a/.github/workflows/codeql-java.yml b/.github/workflows/codeql-java.yml
diff --git a/.github/workflows/codeql-js.yml b/.github/workflows/codeql-js.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,6 +11,9 @@ jobs:
   release:
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
     steps:
 
       - name: Validate actor permissions

diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -3,10 +3,16 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   super-linter:
     name: Lint all code
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+      statuses: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -9,6 +9,8 @@ jobs:
   build:
     name: Run vulnerability scan
     runs-on: ubuntu-22.04
+    permissions:
+      contents: write
     env:
       TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
       TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db