ci: limit token permissions (#1464)

## Proposed change The goal of this PR is to provide the minimum token permissions in our workflows ## Related issues - 🐛 Fixes #(issue) - 🚀 Feature #(issue)
AmadeusITGroup · Mar 12, 2024 · 79cc177 · 79cc177
2 parents 074e261 + c9919f3
commit 79cc177
Show file tree

Hide file tree

Showing 12 changed files with 42 additions and 6 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -17,6 +17,9 @@ on:
   merge_group:
     types: [checks_requested]
 
+permissions:
+  contents: read
+
 jobs:
   audit:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/clean-cache.yml b/.github/workflows/clean-cache.yml
@@ -10,10 +10,14 @@ on:
     branches:
       - '**'
 
+permissions:
+  contents: read
+
 jobs:
   clean-cache:
     runs-on: ubuntu-latest
     permissions:
+      # Needed to delete cache from action
       actions: write
       contents: read
     steps:

diff --git a/.github/workflows/code-check.yml b/.github/workflows/code-check.yml
@@ -21,6 +21,9 @@ on:
 env:
   NX_SKIP_NX_CACHE: ${{ inputs.skipNxCache }}
 
+permissions:
+  contents: read
+
 jobs:
   markdown-link-check:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -26,6 +26,9 @@ on:
   schedule:
     - cron: '31 2 * * 6'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
@@ -1,5 +1,8 @@
 name: Build and deploy documentation
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:

diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
@@ -16,6 +16,9 @@ on:
 env:
   NX_SKIP_NX_CACHE: ${{ inputs.skipNxCache }}
 
+permissions:
+  contents: read
+
 jobs:
   e2e-tests:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/it-tests.yml b/.github/workflows/it-tests.yml
@@ -16,6 +16,9 @@ on:
 env:
   NX_SKIP_NX_CACHE: ${{ inputs.skipNxCache }}
 
+permissions:
+  contents: read
+
 jobs:
   prepare-verdaccio:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ci-${{ github.ref }}-main
   cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -34,6 +37,7 @@ jobs:
 
   version:
     permissions:
+      # Needed to publish release on GitHub
       contents: write
     runs-on: ubuntu-latest
     outputs:
@@ -84,8 +88,8 @@ jobs:
     uses: ./.github/workflows/publish.yml
     if: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
     permissions:
-      packages: write
       contents: read
+      # Needed to publish with provenance
       id-token: write
     secrets: inherit
     needs: [version, build, checks, it-tests]

diff --git a/.github/workflows/pr-labels.yml b/.github/workflows/pr-labels.yml
@@ -2,6 +2,9 @@ name: Pull Request Label
 
 on: pull_request
 
+permissions:
+  contents: read
+
 jobs:
   setup-label:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/publish-pr.yml b/.github/workflows/publish-pr.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   version:
     if: ${{ github.event.workflow_run.event == 'pull_request' }}
@@ -35,8 +38,8 @@ jobs:
     uses: ./.github/workflows/publish.yml
     needs: [version]
     permissions:
-      packages: write
       contents: read
+      # Needed to publish with provenance (not needed for pull-request but requested by publish.yml workflow)
       id-token: write
     secrets: inherit
     with:
@@ -50,6 +53,7 @@ jobs:
     needs: [publish-packages-pr]
     if: success() || failure()
     permissions:
+      # Needed to notify the parent workflow
       checks: write
     steps:
       - name: Update triggering workflow

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -49,15 +49,18 @@ on:
 env:
   NX_SKIP_NX_CACHE: ${{ inputs.skipNxCache }}
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
     env:
       NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
     environment: ${{inputs.isPullRequest && 'development' || 'production'}}
     permissions:
-      packages: write
       contents: read
+      # Needed to publish with provenance
       id-token: write
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -120,9 +123,6 @@ jobs:
   publish-extensions:
     runs-on: ubuntu-latest
     environment: ${{inputs.isPullRequest && 'development' || 'production'}}
-    permissions:
-      packages: write
-      contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:

diff --git a/.github/workflows/tests-reporter.yml b/.github/workflows/tests-reporter.yml
@@ -6,6 +6,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   publish-ut-reports:
     runs-on: ubuntu-latest