From df6c0bcdaf665b3319af507ebd03887a03696f83 Mon Sep 17 00:00:00 2001
From: Rudransh Shrivastava
Date: Fri, 29 May 2026 14:00:05 +0530
Subject: [PATCH] .github: enforce least privilege permissions for action jobs

Signed-off-by: Rudransh Shrivastava
---
 .github/workflows/build.yml | 5 +++--
 .github/workflows/check-licenses.yml | 6 ++++--
 .github/workflows/codeql-analysis-go.yml | 2 ++
 .github/workflows/docs.yaml | 8 +++++---
 .github/workflows/main.yml | 11 ++++++++---
 .github/workflows/vmui.yml | 12 ++++++------
 6 files changed, 28 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index fe400bca4..069ee103e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,8 +20,7 @@ on:
       - '!app/vmui/Makefile'
       - '.github/workflows/build.yml'
 
-permissions:
-  contents: read
+permissions: {}
 
 concurrency:
   cancel-in-progress: true
@@ -30,6 +29,8 @@ concurrency:
 jobs:
   build:
     name: Build
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Code checkout
diff --git a/.github/workflows/check-licenses.yml b/.github/workflows/check-licenses.yml
index d2fff6d1d..56a1cd026 100644
--- a/.github/workflows/check-licenses.yml
+++ b/.github/workflows/check-licenses.yml
@@ -6,12 +6,14 @@ on:
   pull_request:
     paths:
       - 'vendor'
-permissions:
-  contents: read
+
+permissions: {}
 
 jobs:
   build:
     name: Build
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Code checkout
diff --git a/.github/workflows/codeql-analysis-go.yml b/.github/workflows/codeql-analysis-go.yml
index f969b63d2..975aa3d75 100644
--- a/.github/workflows/codeql-analysis-go.yml
+++ b/.github/workflows/codeql-analysis-go.yml
@@ -16,6 +16,8 @@ concurrency:
   cancel-in-progress: true
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
index 52857789c..129f456a5 100644
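Review bot: The new top-level `permissions: {}` in codeql-analysis-go.yml is not paired with a job-level grant anywhere in this patch (the diffstat lists only the 2 inserted lines for that file), so unless the `analyze` job already declares its own `permissions:` block outside the hunk, the token will no longer carry `security-events: write` and the CodeQL results upload will fail at run time, not at workflow parse time. Please confirm the job-level block exists, or add `permissions:` / `  contents: read` / `  security-events: write` under `analyze:` in the same way the other files in this patch do for their jobs. The `analyze` job body continues past the end of the hunk.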
--- a/.github/workflows/docs.yaml
+++ b/.github/workflows/docs.yaml
@@ -7,12 +7,14 @@ on:
       - 'docs/**'
       - '.github/workflows/docs.yaml'
   workflow_dispatch: {}
-permissions:
-  contents: read # This is required for actions/checkout and to commit back image update
-  deployments: write
+
+permissions: {}
+
 jobs:
   build:
     name: Build
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Code checkout
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index dacdc50e4..d2d1f9311 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -18,16 +18,17 @@ on:
       - 'go.*'
       - '.github/workflows/main.yml'
 
-permissions:
-  contents: read
-
 concurrency:
   cancel-in-progress: true
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 
+permissions: {}
+
 jobs:
   lint:
     name: lint
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Code checkout
@@ -58,6 +59,8 @@ jobs:
   test:
     name: test
     needs: lint
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
 
     strategy:
@@ -94,6 +97,8 @@ jobs:
   integration-test:
     name: integration-test
     needs: [lint, test]
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
 
     steps:
diff --git a/.github/workflows/vmui.yml b/.github/workflows/vmui.yml
index 981063fcc..0bf1a2f28 100644
--- a/.github/workflows/vmui.yml
+++ b/.github/workflows/vmui.yml
@@ -14,19 +14,19 @@ on:
       - 'app/vmui/packages/vmui/**'
       - '.github/workflows/vmui.yml'
 
-permissions:
-  contents: read
-  packages: read
-  pull-requests: read
-  checks: write
-
 concurrency:
   cancel-in-progress: true
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 
+permissions: {}
+
 jobs:
   vmui-checks:
     name: VMUI Checks (lint, test, typecheck)
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     steps:
       - name: Code checkout
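Review bot: The removed block in docs.yaml said `contents: read` was needed "to commit back image update" and also granted `deployments: write`, but the new job-level block for `build` keeps only `contents: read` and the commit message does not say the write scopes were deliberately dropped. If a step in that job still pushes a commit or records a deployment (the steps are outside this hunk), it will now fail with an authorization error at run time, because GitHub does not validate token scopes when the workflow is parsed. Please confirm those steps are gone, or grant the scope the job really uses and keep the explanatory comment next to it, e.g. `contents: write  # needed to commit regenerated docs images back to the branch`.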
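Review bot: `packages: read` was in the removed workflow-level block of vmui.yml but is not carried into the new job-level block of `vmui-checks` (only `checks`, `contents` and `pull-requests` are listed), and nothing in the patch records that drop as intentional. If any step in the job authenticates to GitHub Packages with `GITHUB_TOKEN` — the steps are outside this hunk — the install will fail with an authorization error; either confirm the scope is unused or add `packages: read` to the job block. It would also help the next least-privilege review to annotate the one write scope, e.g. `checks: write  # used by <step name> to publish lint/test annotations`, so the reason for it is visible without reading every step.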