Configure Github workflow and job level permissions (#1516)

* Configure Github workflow and job level permissions * fix update-golang diff failure * restrict packages permission in workflows
DataDog · Nov 8, 2024 · 795158e · 795158e
1 parent 6fc8bcf
commit 795158e
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -3,9 +3,16 @@ env:
   GO_VERSION: 1.22.7
 on:
   push:
+# Permission forced by repo-level setting; only elevate on job-level
+permissions:
+  contents: read
+  # packages: read
 jobs:
   build-linux-binary:
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -27,6 +34,9 @@ jobs:
           args: build --skip=validate --config .goreleaser-for-linux.yaml
   build-darwin-binary:
     runs-on: macos-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
     steps:
       - uses: actions/checkout@v3
         with:
@@ -44,6 +54,9 @@ jobs:
           args: build --skip=validate --config .goreleaser-for-darwin.yaml
   build-windows-binary:
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
     steps:
       - uses: actions/checkout@v3
         with:

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -7,6 +7,8 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ main ]
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,5 +1,9 @@
 name: validation
 on: [push, pull_request]
+# Permission forced by repo-level setting; only elevate on job-level
+permissions:
+  contents: read
+  # packages: read
 env:
   PROJECTNAME: "datadog-operator"
   GO_VERSION: 1.22.7

diff --git a/.github/workflows/pr-linter.yml b/.github/workflows/pr-linter.yml
@@ -2,9 +2,15 @@ name: pull request linter
 on:
   pull_request_target:
    types: [opened, labeled, unlabeled, synchronize]
+
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
     steps:
     - name: Check out code into the Go module directory
       uses: actions/checkout@v1
@@ -17,6 +23,8 @@ jobs:
   check-milestone:
     name: Check Milestone
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - if: github.event.pull_request.milestone == null && !contains(toJson(github.event.pull_request.labels.*.name), 'qa/skip-qa')
         run: echo "::error::Missing milestone or \`qa/skip-qa\` label" && exit 1
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -6,12 +6,21 @@ on:
     tags:
       - "v[0-9]+.[0-9]+.[0-9]+"
       - "v[0-9]+.[0-9]+.[0-9]+-rc.[0-9]+"
+# Permission forced by repo-level setting; only elevate on job-level
+permissions:
+  contents: read
+  # packages: read
 env:
   GO_VERSION: 1.22.7
 jobs:
   build-linux-binary:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
+      # actions/upload-artifact@v3
+      actions: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -51,6 +60,11 @@ jobs:
   build-darwin-binary:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: macos-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
+      # actions/upload-artifact@v3
+      actions: write
     steps:
       - uses: actions/checkout@v3
         with:
@@ -85,6 +99,11 @@ jobs:
   build-windows-binary:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      contents: write
+      # actions/upload-artifact@v3
+      actions: write
     steps:
       - uses: actions/checkout@v3
         with:
@@ -120,6 +139,14 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     needs: [build-linux-binary, build-darwin-binary, build-windows-binary]
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/marketplace/actions/goreleaser-action
+      # https://github.com/softprops/action-gh-release?tab=readme-ov-file#permissions 
+      contents: write
+      # actions/download-artifact@v3
+      actions: read
+      # rajatjindal/[email protected]
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3