BC-2889 limit github action permissions (#2346)

hpi-schul-cloud · Dec 22, 2022 · 9f6c8ed · 9f6c8ed
1 parent d62a26c
commit 9f6c8ed
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 1 deletion.
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -6,9 +6,14 @@ on:
     branches-ignore:
       - dependabot/**
 
+permissions:
+  contents: read
+
 jobs:
   build_and_push_nuxt:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     strategy:
       matrix:
         tennens: [default, brb, int, n21, thr]
@@ -105,9 +110,13 @@ jobs:
       - build_and_push_nuxt
       - branch_name
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     steps:
       - name: run trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@d63413b0a4a4482237085319f7f4a1ce99a8f2ac
+        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
         with:
           image-ref: "ghcr.io/${{ github.repository }}-default:${{ github.sha }}"
           format: "sarif"

diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
@@ -6,6 +6,9 @@ on:
       - "package.json"
       - "package-lock.json"
 
+permissions:
+  contents: read
+
 jobs:
   PROD:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -9,6 +9,9 @@ on:
 jobs:
   build_and_push_nuxt:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     strategy:
       matrix:
         tennens: [default, brb, int, n21, thr ]

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -2,6 +2,9 @@ name: Test code
 
 on: [push]
 
+permissions:
+  contents: read
+
 env:
   node: 16
 jobs:

diff --git a/.github/workflows/test_unstable_e2e.yml b/.github/workflows/test_unstable_e2e.yml
@@ -9,6 +9,9 @@ on:
     label:
       name: 'run unstable tests'
 
+permissions:
+  contents: read
+
 jobs:
   end-to-end-unstable-tests:
     runs-on: ubuntu-latest