From e2c168eb2b3f791e19e41e74d4ecd1864911cc6b Mon Sep 17 00:00:00 2001
From: Yiannis
Date: Mon, 2 Oct 2023 18:26:59 +0100
Subject: [PATCH] ci: Drop workflow permissions

---
 .github/workflows/chart.yaml           | 6 +++---
 .github/workflows/docs.yaml            | 4 +++-
 .github/workflows/pr.yaml              | 3 +++
 .github/workflows/prepare-release.yaml | 3 +++
 .github/workflows/release.yaml         | 9 ++++++++-
 5 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/chart.yaml b/.github/workflows/chart.yaml
index 1a9250aea0..ea702b0e75 100644
--- a/.github/workflows/chart.yaml
+++ b/.github/workflows/chart.yaml
@@ -18,9 +18,7 @@ env:
   CHART_LOCATION: weaveworks/charts
 
 permissions:
-  contents: write
-  id-token: write
-  packages: write
+  contents: read # for actions/checkout to fetch code
 
 jobs:
   helm-new-version:
@@ -80,6 +78,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: helm-new-version
     if: (github.event_name == 'push' && needs.helm-new-version.outputs.old-version != needs.helm-new-version.outputs.new-version) || github.event_name == 'workflow_dispatch'
+    permissions:
+      packages: write # needed for ghcr access
     steps:
       - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       - name: Find new version
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 269f8bb1fc..8f9248a46a 100644
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -13,8 +13,10 @@ on:
       - 'website/**'
   workflow_dispatch:
 
-jobs:
+permissions:
+  contents: read # for actions/checkout to fetch code
 
+jobs:
   staging-release:
     permissions:
       statuses: write
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 59dcfd4383..329c541436 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -7,6 +7,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 env:
   CI_CONTAINER_REGISTRY: europe-west1-docker.pkg.dev
   CI_CONTAINER_REPOSITORY: europe-west1-docker.pkg.dev/weave-gitops-clusters/weave-gitops
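Review bot: The job-level `permissions:` block added in the second chart.yaml hunk replaces the workflow-level block rather than merging with it, so that job runs with `contents: none` while its first step is `actions/checkout`; the same applies to release.yaml's `publish_npm_package` job, and most directly to `build-and-push-image`, where the commit removes the job's own `contents: read` even though the new top-level `contents: read` does not reach a job that declares its own block. On a private repository the checkout will fail outright; on a public one it may still succeed only because the content is world-readable, which leaves the grant implicit rather than stated. Each job-level block that runs a checkout should restate the read grant, e.g. `permissions:` / `  contents: read` / `  packages: write`. The job header for the chart.yaml hunk starts outside the hunk, so its name is not visible here. Separately, the workflow-level `id-token: write` dropped from chart.yaml is not re-granted at any job in this diff; if any job in that workflow relies on OIDC (cloud authentication or keyless signing) it will now need that scope at job level.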
diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml
index 4f33adc758..3982049e4c 100644
--- a/.github/workflows/prepare-release.yaml
+++ b/.github/workflows/prepare-release.yaml
@@ -7,6 +7,9 @@ on:
         description: "Version (e.g. 'v1.2.3-rc.4')"
         required: true
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+  pull-requests: read # for mikepenz/release-changelog-builder-action to create changelog
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: weaveworks/wego-app
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 31aba74b06..a1a3e8fccb 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -5,6 +5,9 @@ on:
     types:
       - submitted
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: weaveworks/wego-app
@@ -15,6 +18,8 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       version: ${{ steps.release-version.outputs.version }}
+    permissions:
+      contents: write # for action to git push a tag
     steps:
       - name: Checkout
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -37,6 +42,8 @@ jobs:
   publish_npm_package:
     needs: tag-release
     runs-on: ubuntu-latest
+    permissions:
+      packages: write # needed for GitHub Packages registry access
     steps:
       - name: Checkout
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -51,11 +58,11 @@ jobs:
       - run: make ui-lib && cd dist && npm publish
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   build-and-push-image:
     needs: tag-release
     runs-on: ubuntu-latest
     permissions:
-      contents: read
       packages: write
     steps:
       - name: Checkout
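Review bot: The prepare-release.yaml hunk places the new `permissions:` block directly above `env:` with no separating blank line, while the pr.yaml and release.yaml hunks in this same commit add one after their block; for consistency insert the blank line after `pull-requests: read`. The inline comments added throughout (`contents: read # for actions/checkout to fetch code` and the others) also use a single space before `#`, which yamllint's default `comments` rule flags; two spaces before the `#` is the conventional form and would keep these files lint-clean.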