CI: be explicit about the permissions required for each workflow / job

benbz · benbz · commit a45dae83bdd5 · 2025-06-30T16:53:28.000+01:00
diff --git a/.github/workflows/actions-linting.yml b/.github/workflows/actions-linting.yml
@@ -11,6 +11,9 @@ on:
     - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   action-validator:
     runs-on: ubuntu-latest
@@ -60,3 +63,21 @@ jobs:
           echo "$unpinned_actions"
           exit 1
         fi
+
+  explicit-permissions:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
+
+    - name: Find workflows that have jobs that rely on the default permissions
+      run: |
+        workflows_with_implicit_permissions=$(
+          find .github/workflows -type f \( -iname \*.yaml -o -iname \*.yml \) -print0 \
+            | xargs -0 -I {} yq '{filename: ([.jobs.* | has("permissions")] | all) or (. | has("permissions"))}' {} \
+            | grep -E 'false$' || true)
+        if [ "$workflows_with_implicit_permissions" != "" ]; then
+          echo "There are workflows that have not set permissions either globally or for all jobs:"
+          echo "$workflows_with_implicit_permissions"
+          exit 1
+        fi
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -10,6 +10,9 @@ on:
     - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   # We build from source and commit all generated file changes so that we can see the impact in PRs
   # We want to ensure that the commit of built changes does happen, so fail if building creates changes
diff --git a/.github/workflows/changelog_check.yml b/.github/workflows/changelog_check.yml
@@ -6,6 +6,9 @@ name: Changelog
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   check-newsfile:
     if: ${{ (github.base_ref == 'main'  || contains(github.base_ref, 'release-')) && github.actor != 'dependabot[bot]' && github.actor != 'github-actions[bot]' }}
diff --git a/.github/workflows/licensing.yml b/.github/workflows/licensing.yml
@@ -11,6 +11,9 @@ on:
     - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   reuse-compliance-check:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/matrix-tools.yml b/.github/workflows/matrix-tools.yml
@@ -17,12 +17,11 @@ env:
   REGISTRY_IMAGE: ghcr.io/${{ github.repository }}/matrix-tools
   GO_VERSION: "1.24"
 
-permissions:
-  contents: read
-  packages: read
-
 jobs:
   tests:
+    permissions:
+      contents: read
+      packages: read
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4
diff --git a/.github/workflows/scripts-linting.yml b/.github/workflows/scripts-linting.yml
@@ -11,6 +11,9 @@ on:
     - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   shellcheck:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/templates-dyff.yml b/.github/workflows/templates-dyff.yml
@@ -6,6 +6,9 @@ name: dyff of rendered templates
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   generate-dyff:
     runs-on: ubuntu-latest
diff --git a/newsfragments/589.internal.2.md b/newsfragments/589.internal.2.md
@@ -0,0 +1 @@
+CI: be explicit about what permissions are workflow/job requires

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+CI: be explicit about what permissions are workflow/job requires`