diff --git a/.github/workflows/dev-bump.yml b/.github/workflows/dev-bump.yml
index f27cbbfbe7..fbf31180f2 100644
--- a/.github/workflows/dev-bump.yml
+++ b/.github/workflows/dev-bump.yml
@@ -3,10 +3,16 @@ on:
 push:
 tags:
 - '*'
+
+permissions: {}
+
 jobs:
 bump:
 name: Bump to -dev
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # to create and push to a branch
+ pull-requests: write # to read and create pull requests
 steps:
 - uses: actions/checkout@v6
 with:
@@ -77,6 +83,9 @@ jobs:
 mainbump:
 name: Bump on main
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # to create and push to a branch
+ pull-requests: write # to read and create pull requests
 env:
 GH_TOKEN: ${{ github.token }}
 steps:
diff --git a/.github/workflows/first_contrib_cert_generator.yml b/.github/workflows/first_contrib_cert_generator.yml
index 36b85d558f..37c752562e 100644
--- a/.github/workflows/first_contrib_cert_generator.yml
+++ b/.github/workflows/first_contrib_cert_generator.yml
@@ -16,11 +16,7 @@ on:
 description: 'The pull request number'
 required: true
-# Permissions needed for this workflow.
-permissions:
- contents: read # Write access for certificate storage
- pull-requests: write # Write access to comment on PRs
- actions: read # Read access for workflow actions
+permissions: {}
 jobs:
 screenshot_and_comment:
@@ -28,6 +24,10 @@ jobs:
 # The logic for first-time contributors is handled in a dedicated step below.
 if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read # Write access for certificate storage
+ pull-requests: write # Write access to comment on PRs
+ actions: read # Read access for workflow actions
 steps:
 # Step 1: Check if this is the contributor's first merged PR.
 # This step is the source of truth and will control the execution of subsequent steps.
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 2ffe26e5a5..91fadab656 100644
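Review bot: The checkout this job now runs with `contents: write` is still taken from a mutable tag, `uses: actions/checkout@v6`; with push rights on the token, a re-pointed tag in that action is a direct path to a commit in this repository, so the step should pin a full commit SHA, `- uses: actions/checkout@<40-char sha> # v6`. The `with:` block of that step continues outside the hunk. The new job-level block itself is consistent with the rest of the commit; note that branches pushed with `GITHUB_TOKEN` do not trigger other workflows, which is the usual intent here.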
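Review bot: The comment on `contents: read` contradicts the value it annotates: `# Write access for certificate storage` was carried over verbatim from the removed top-level block, yet the scope granted is read. Either some step stores the certificate in the repository and needs `contents: write` — in which case the new `permissions: {}` default will make that step fail where the old file-level block did not — or the comment is stale and should say what read is for, e.g. `contents: read # checkout only; the certificate is posted as a PR comment` (adjust to what the step actually does). The steps that would settle this are outside the hunk.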
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,6 +3,8 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
+
+permissions: {}
+
 jobs:
 triage:
 permissions:
diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml
index 1376ded28d..3e91a3ae9a 100644
--- a/.github/workflows/mac-pkg.yml
+++ b/.github/workflows/mac-pkg.yml
@@ -15,12 +15,13 @@ on:
 - "true" # Must be quoted string, boolean value not supported.
 - "false"
-permissions:
- contents: write
+permissions: {}
 jobs:
 build:
 runs-on: macos-latest
+ permissions:
+ contents: write
 env:
 APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
 CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml
index c6455e898c..814288e256 100644
--- a/.github/workflows/machine-os-pr.yml
+++ b/.github/workflows/machine-os-pr.yml
@@ -5,6 +5,8 @@ on:
 paths:
 - 'version/rawversion/version.go'
+
+permissions: {}
+
 concurrency:
 # Cancel other in-progress runs on re-pushes
 group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
diff --git a/.github/workflows/needs-info-labeler.yaml b/.github/workflows/needs-info-labeler.yaml
index 085cb189a5..aa048b27f5 100644
--- a/.github/workflows/needs-info-labeler.yaml
+++ b/.github/workflows/needs-info-labeler.yaml
@@ -3,6 +3,9 @@ on:
 issues:
 types:
 - labeled
+
+permissions: {}
+
 jobs:
 add-comment:
 if: github.event.label.name == 'needs-info'
diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml
index 7040648261..4420e97ee1 100644
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
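Review bot: With `pull_request_target` this workflow runs with a privileged token against pull requests from forks, so the job-level `permissions:` block that begins on the last line of the hunk is the control that actually matters; the new top-level `{}` only sets the default it overrides. That block continues outside the hunk and should grant only what the labeling action needs (typically `pull-requests: write`, plus `contents: read` if it loads its config from the repository), and the job must not check out or execute the PR's head ref. A one-line reminder there, `permissions: # pull_request_target: keep minimal, PR code is untrusted`, would help the next editor keep it that way.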
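Review bot: Narrowing the token to `contents: write` on the `build` job still leaves the signing material exposed to every step, because `APPLICATION_CERTIFICATE` and `CODESIGN_IDENTITY` are bound in the job-level `env:` that starts in this hunk and continues outside it; any step, including third-party actions, can read them. Moving those two entries to the `env:` of the step that imports the certificate would finish the least-privilege pass this commit starts. The new `contents: write` also carries no justification, unlike the `# to push to a branch` comments elsewhere in this commit; a short `contents: write # <step> uploads the signed package` (adjusted to what the step does) keeps it reviewable.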
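Review bot: Adding `permissions: {}` at the top strips every scope from the token, and unlike the other files in this commit the hunk adds nothing back at job level. The jobs are outside the hunk; if any of them pushes, comments or opens a pull request (the `concurrency` group keyed on `github.event.pull_request.number` suggests the workflow runs on PRs), it now needs its own `permissions:` block or it will fail with a 403 on its first run after this change. Please confirm each job in the file declares exactly what it needs.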
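Review bot: Same gap here: `permissions: {}` now zeroes the token, and the `add-comment` job — whose name and the `issues: labeled` trigger suggest it posts a comment — will need `issues: write` declared at job level to do so. The job body is outside the hunk, so verify it carries `permissions:` / `  issues: write # post the needs-info comment` and nothing more; if it already does, a comment on the new top-level line saying jobs opt in below would save the next reader the same check.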
@@ -15,13 +15,14 @@ on:
 - "true" # Must be quoted string, boolean value not supported.
 - "false"
-permissions:
- contents: write
- actions: write
+permissions: {}
 jobs:
 build:
 runs-on: ubuntu-24.04
+ permissions:
+ contents: write
+ actions: write
 steps:
 # If the job fails, these details are all but impossible to observe.yy
 - name: Provide github event JSON for examination
@@ -202,6 +203,8 @@ jobs:
 if: needs.build.outputs.uploaded == 'true'
 runs-on: ubuntu-24.04
 needs: build
+ permissions:
+ contents: read
 steps:
 - name: Format release email
 id: format
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d88ea81b6c..94dd8c0985 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,6 +16,9 @@ on:
 - "true" # Must be quoted string, boolean value not supported.
 - "false"
+permissions:
+ contents: read
+
 jobs:
 check:
 name: Check
@@ -374,6 +377,9 @@ jobs:
 name: Update podman.io
 uses: ./.github/workflows/update-podmanio.yml
 needs: [check, release]
+ permissions:
+ contents: write # to push to a branch
+ pull-requests: write # to read and create PRs
 if: needs.check.outputs.buildonly == 'false'
 secrets: inherit
 with:
diff --git a/.github/workflows/update-podmanio.yml b/.github/workflows/update-podmanio.yml
index e80226eeea..d86deb5a8b 100644
--- a/.github/workflows/update-podmanio.yml
+++ b/.github/workflows/update-podmanio.yml
@@ -18,10 +18,15 @@ on:
 PODMANBOT_TOKEN:
 required: true
+
+permissions: {}
+
 jobs:
 bump:
 name: Bump
 runs-on: ubuntu-24.04
+ permissions:
+ contents: write # to push to a branch
+ pull-requests: write # to read and create PRs
 steps:
 - name: Get version
 id: getversion
diff --git a/.github/workflows/upload-win-installer.yml b/.github/workflows/upload-win-installer.yml
index d7a8b42099..fa2f9150ca 100644
--- a/.github/workflows/upload-win-installer.yml
+++ b/.github/workflows/upload-win-installer.yml
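Review bot: `actions: write` on the `build` job is the broadest scope granted anywhere in this commit and, unlike the other job-level blocks (`# to create and push to a branch`), it carries no justification; it is enough to cancel or re-run any workflow in the repository and is rarely needed by a build. If a step needs it (artifact upload or dispatching another workflow are the usual reasons), say so inline, `actions: write # needed by <step> to …`; if no step does, drop it and keep only `contents: write`. The steps that would show which case applies are outside the hunk.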
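Review bot: This is the one workflow in the diff that sets a non-empty top-level default, `contents: read`, instead of `permissions: {}`, so every job in the file inherits read access whether or not it touches the tree. That may well be deliberate here, but it departs from the pattern the other files establish and deserves a comment, e.g. `permissions: # read for all jobs; jobs that push override below`. The jobs themselves are outside the hunk.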
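Review bot: `secrets: inherit`, on the line right after the new `permissions:` block, forwards every repository secret to the called workflow, while update-podmanio.yml (later in this diff) declares that it requires only `PODMANBOT_TOKEN`. Passing that one explicitly — `secrets:` / `  PODMANBOT_TOKEN: ${{ secrets.PODMANBOT_TOKEN }}` — carries the same least-privilege intent the permissions block expresses, and any future secret added to the repository stays out of this job by default. The permissions cap here matches the called workflow's own job-level block, so that part is consistent.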
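Review bot: The `bump` job is handed a `PODMANBOT_TOKEN` secret (declared under `workflow_call` at the top of the hunk), which suggests the branch push and PR creation use that bot token rather than `GITHUB_TOKEN`; if so, `contents: write` and `pull-requests: write` on the token are unused and the block could shrink to `contents: read # checkout; pushes use PODMANBOT_TOKEN`. If instead some step pushes with `GITHUB_TOKEN`, the resulting PR will not trigger `pull_request` workflows, which may be why the bot token exists. The steps that decide this are outside the hunk — please confirm which token each step uses and make the comments say so.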
@@ -15,12 +15,13 @@ on:
 - "true" # Must be quoted string, boolean value not supported.
 - "false"
-permissions:
- contents: write
+permissions: {}
 jobs:
 build:
 runs-on: windows-latest
+ permissions:
+ contents: write
 env:
 FETCH_BASE_URL: ${{ github.server_url }}/${{ github.repository }}
 steps:
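Review bot: The new job-level `contents: write` has no explanation, unlike the `# to push to a branch` comments in the other files of this commit; a short `contents: write # <step> uploads the installer to the release` (adjusted to what the step actually does) keeps the least-privilege intent reviewable. Because this is a single `build` job, every step — including any third-party action it uses — runs with push rights to the repository, so each `uses:` in the step list should be pinned to a commit SHA rather than a tag. The steps are outside the hunk.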