Fix: Ci/Cd permissions for security events in build_tiber.yml (#11)

Mionsz · web-flow · commit 56412391439e · 2024-12-03T11:26:29.000Z
Added scans on push action so that issues will be removed on merge:
* Fix: Ci/Cd permissions for security events in build_tiber.yml
* Update linters.yml
* Update dependency-review.yaml
* Update ci_documentation_update.yml
diff --git a/.github/workflows/build_tiber.yml b/.github/workflows/build_tiber.yml
@@ -28,6 +28,7 @@ jobs:
     runs-on: ubuntu-22.04
     timeout-minutes: 120
     permissions:
+      contents: read
       security-events: write
     steps:
     - name: "Preparation: Harden Runner"
@@ -79,8 +80,8 @@ jobs:
       uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
       with:
         image-ref: "${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
-        format: "sarif"
         output: "trivy-image-scan-tiber-${{ env.DOCKER_IMAGE_TAG }}.sarif"
+        format: "sarif"
 
     - name: "Finish: Upload Trivy scan results to GitHub Security tab"
       uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
@@ -91,6 +92,7 @@ jobs:
     name: "trivy config scans"
     runs-on: ubuntu-22.04
     permissions:
+      contents: read
       security-events: write
     steps:
     - name: "Preparation: Harden Runner"
@@ -121,6 +123,7 @@ jobs:
     name: "trivy fs scans"
     runs-on: ubuntu-22.04
     permissions:
+      contents: read
       security-events: write
     steps:
     - name: "Preparation: Harden Runner"
diff --git a/.github/workflows/ci_documentation_update.yml b/.github/workflows/ci_documentation_update.yml
@@ -1,6 +1,8 @@
 name: Publish Github Pages Template
 
 on:
+  push:
+    branches: [ 'main' ]
   workflow_call:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml
@@ -1,10 +1,18 @@
 # Source repository: https://github.com/actions/dependency-review-action
 name: scan-dependency-review
-on: [pull_request]
+on:
+  pull_request:
+    branches: [ 'main' ]
+  push:
+    branches: [ 'main' ]
 
 permissions:
   contents: read
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
+  cancel-in-progress: true
+
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
@@ -4,6 +4,9 @@ on:
   workflow_call:
   workflow_dispatch:
   pull_request:
+    branches: [ 'main' ]
+  push:
+    branches: [ 'main' ]
 
 env:  
   HADOLINT_RESULTS_FILE: hadolint.sarif
