Reduce permissions on workflows that run on PRs

Signed-off-by: Sunjay Bhatia <sunjayb@vmware.com>
projectcontour · Jan 11, 2024 · c019f24 · c019f24
1 parent 838bad4
commit c019f24
Show file tree

Hide file tree

Showing 5 changed files with 342 additions and 314 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -9,18 +9,20 @@ on:
   schedule:
     - cron: '0 10 * * 1'
 
+permissions:
+  contents: read
+
 env:
   GOPROXY: https://proxy.golang.org/
   GO_VERSION: 1.21.6
+
 jobs:
   CodeQL-Build:
-
     runs-on: ubuntu-latest
-
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        persist-credentials: false
     - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         # * Module download cache
@@ -31,21 +33,17 @@ jobs:
         key: ${{ runner.os }}-${{ github.job }}-go-${{ hashFiles('**/go.sum') }}
         restore-keys: |
           ${{ runner.os }}-${{ github.job }}-go-
-
     - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
       with:
         go-version: ${{ env.GO_VERSION }}
         cache: false
-
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
       with:
         languages: go
-
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     - name: Autobuild
       uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
-
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
diff --git a/.github/workflows/label_check.yaml b/.github/workflows/label_check.yaml
@@ -6,9 +6,13 @@ on:
     types: [opened, labeled, unlabeled, synchronize]
     branches: [main]
 
+permissions:
+  contents: read
+
 env:
   GOPROXY: https://proxy.golang.org/
   SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+
 jobs:
   # Ensures correct release-note labels are set:
   # - At least one label
@@ -20,28 +24,29 @@ jobs:
     name: Check release-note label set
     runs-on: ubuntu-latest
     steps:
-      - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0
-        with:
-          mode: minimum
-          count: 1
-          labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/deprecation, release-note/none-required"
-      - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0
-        with:
-          mode: maximum
-          count: 1
-          labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/none-required"
-      - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0
-        with:
-          mode: maximum
-          count: 1
-          labels: "release-note/deprecation, release-note/none-required"
+    - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0
+      with:
+        mode: minimum
+        count: 1
+        labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/deprecation, release-note/none-required"
+    - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0
+      with:
+        mode: maximum
+        count: 1
+        labels: "release-note/major, release-note/minor, release-note/small, release-note/docs, release-note/infra, release-note/none-required"
+    - uses: mheap/github-action-required-labels@4e9ef4ce8c697cf55716ecbf7f13a3d9e0b6ac6a # v5.1.0
+      with:
+        mode: maximum
+        count: 1
+        labels: "release-note/deprecation, release-note/none-required"
   check-changelog:
     name: Check for changelog file
-    needs:
-      - check-label
+    needs: [check-label]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      with:
+        persist-credentials: false
     - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       with:
         # * Module download cache