ci: specify workflow permissions per job

Also remove some unnecessary permissions: * The notification job in release-artifacts.yml only needs to read repo contents, not write contents and actions. * All jobs in release.yml except "Create release" and "Update podman.io" only need to read repo contents. "Update podman.io" only needs to write repo contents and pull requests. * Likewise, permissions for update-podmanio.yml can be restricted to only writing repo contents and pull requests. Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
2026-02-05 06:45:31 +01:00 · 2025-12-01 07:30:41 -05:00
parent 248d8f64a6
commit 30495081b7
10 changed files with 44 additions and 12 deletions
--- a/.github/workflows/dev-bump.yml
+++ b/.github/workflows/dev-bump.yml
@@ -3,10 +3,16 @@ on:
  push:
    tags:
      - '*'
+
+permissions: {}
+
 jobs:
  bump:
    name: Bump to -dev
    runs-on: ubuntu-latest
+    permissions:
+      contents: write # to create and push to a branch
+      pull-requests: write # to read and create pull requests
    steps:
      - uses: actions/checkout@v6
        with:
@@ -77,6 +83,9 @@ jobs:
  mainbump:
    name: Bump on main
    runs-on: ubuntu-latest
+    permissions:
+      contents: write # to create and push to a branch
+      pull-requests: write # to read and create pull requests
    env:
      GH_TOKEN: ${{ github.token }}
    steps:
--- a/.github/workflows/first_contrib_cert_generator.yml
+++ b/.github/workflows/first_contrib_cert_generator.yml
@@ -16,11 +16,7 @@ on:
        description: 'The pull request number'
        required: true

-# Permissions needed for this workflow.
-permissions:
-  contents: read  # Write access for certificate storage
-  pull-requests: write  # Write access to comment on PRs
-  actions: read  # Read access for workflow actions
+permissions: {}

 jobs:
  screenshot_and_comment:
@@ -28,6 +24,10 @@ jobs:
    # The logic for first-time contributors is handled in a dedicated step below.
    if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: read  # Write access for certificate storage
+      pull-requests: write  # Write access to comment on PRs
+      actions: read  # Read access for workflow actions
    steps:
      # Step 1: Check if this is the contributor's first merged PR.
      # This step is the source of truth and will control the execution of subsequent steps.
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,6 +3,8 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target

+permissions: {}
+
 jobs:
  triage:
    permissions:
--- a/.github/workflows/mac-pkg.yml
+++ b/.github/workflows/mac-pkg.yml
@@ -15,12 +15,13 @@ on:
          - "true"  # Must be quoted string, boolean value not supported.
          - "false"

-permissions:
-  contents: write
+permissions: {}

 jobs:
  build:
    runs-on: macos-latest
+    permissions:
+      contents: write
    env:
      APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
      CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
--- a/.github/workflows/machine-os-pr.yml
+++ b/.github/workflows/machine-os-pr.yml
@@ -5,6 +5,8 @@ on:
    paths:
      - 'version/rawversion/version.go'

+permissions: {}
+
 concurrency:
  # Cancel other in-progress runs on re-pushes
  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
--- a/.github/workflows/needs-info-labeler.yaml
+++ b/.github/workflows/needs-info-labeler.yaml
@@ -3,6 +3,9 @@ on:
  issues:
    types:
      - labeled
+
+permissions: {}
+
 jobs:
  add-comment:
    if: github.event.label.name == 'needs-info'
--- a/.github/workflows/release-artifacts.yml
+++ b/.github/workflows/release-artifacts.yml
@@ -15,13 +15,14 @@ on:
          - "true"  # Must be quoted string, boolean value not supported.
          - "false"

-permissions:
-  contents: write
-  actions: write
+permissions: {}

 jobs:
  build:
    runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      actions: write
    steps:
      # If the job fails, these details are all but impossible to observe.yy
      - name: Provide github event JSON for examination
@@ -202,6 +203,8 @@ jobs:
    if: needs.build.outputs.uploaded == 'true'
    runs-on: ubuntu-24.04
    needs: build
+    permissions:
+      contents: read
    steps:
      - name: Format release email
        id: format
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,6 +16,9 @@ on:
          - "true"  # Must be quoted string, boolean value not supported.
          - "false"

+permissions:
+  contents: read
+
 jobs:
  check:
    name: Check
@@ -374,6 +377,9 @@ jobs:
    name: Update podman.io
    uses: ./.github/workflows/update-podmanio.yml
    needs: [check, release]
+    permissions:
+      contents: write # to push to a branch
+      pull-requests: write # to read and create PRs
    if: needs.check.outputs.buildonly == 'false'
    secrets: inherit
    with:
--- a/.github/workflows/update-podmanio.yml
+++ b/.github/workflows/update-podmanio.yml
@@ -18,10 +18,15 @@ on:
      PODMANBOT_TOKEN:
        required: true

+permissions: {}
+
 jobs:
  bump:
    name: Bump
    runs-on: ubuntu-24.04
+    permissions:
+      contents: write # to push to a branch
+      pull-requests: write # to read and create PRs
    steps:
      - name: Get version
        id: getversion
--- a/.github/workflows/upload-win-installer.yml
+++ b/.github/workflows/upload-win-installer.yml
@@ -15,12 +15,13 @@ on:
          - "true"  # Must be quoted string, boolean value not supported.
          - "false"

-permissions:
-  contents: write
+permissions: {}

 jobs:
  build:
    runs-on: windows-latest
+    permissions:
+      contents: write
    env:
      FETCH_BASE_URL: ${{ github.server_url }}/${{ github.repository }}
    steps: