fix: [DevOps] CodeQL Security findings (#540)

CharlesDuboisSAP · web-flow · commit 420ad824ea19 · 2025-08-14T13:30:25.000Z
diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml
@@ -15,6 +15,8 @@ jobs:
 
   continuous-integration:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
 
       - name: "Checkout repository"
diff --git a/.github/workflows/dependency-test.yaml b/.github/workflows/dependency-test.yaml
@@ -10,6 +10,8 @@ env:
 jobs:
   fetch-dependency-versions:
     runs-on: ubuntu-latest
+    permissions:
+      contents: none
     outputs:
       versions: ${{ steps.fetch-versions.outputs.VERSIONS }}
 
@@ -75,6 +77,8 @@ jobs:
       matrix:
         version: ${{ fromJson(needs.fetch-dependency-versions.outputs.versions) }}
     continue-on-error: true
+    permissions:
+      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v4
diff --git a/.github/workflows/deploy-snapshot.yaml b/.github/workflows/deploy-snapshot.yaml
@@ -7,9 +7,11 @@ on:
 
 jobs:
   deploy-snapshot:
-    name: Deploy Snapshot
+    name: "Deploy Snapshot"
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@v4
diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml
@@ -10,6 +10,8 @@ env:
 
 jobs:
   end-to-end-tests:
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -41,6 +43,12 @@ jobs:
       - name: "Run tests"
         id: run_tests
         run: |
+          if [ "${{ matrix.environment }}" = "canary" ]; then
+              export AICORE_SERVICE_KEY="${{ secrets.AI_CORE_CANARY }}"
+          else
+              export AICORE_SERVICE_KEY="${{ secrets.AI_CORE_PRODUCTION }}"
+          fi
+          
           MVN_ARGS="${{ env.MVN_MULTI_THREADED_ARGS }} surefire:test -pl :spring-app -DskipTests=false"
           mvn $MVN_ARGS "-Daicore.landscape=${{ matrix.environment }}" | tee mvn_output.log # tee writes to both the console and a file
 
@@ -60,10 +68,17 @@ jobs:
           fi
         env:
           # See "End-to-end test application instructions" on the README.md to update the secret
-          AICORE_SERVICE_KEY: ${{ secrets[matrix.secret-name] }}
+          AI_CORE_PRODUCTION: ${{ secrets.production }}
+          AI_CORE_CANARY: ${{ secrets.canary }}
 
       - name: "Start Application Locally"
         run: |
+          if [ "${{ matrix.environment }}" = "canary" ]; then
+              export AICORE_SERVICE_KEY="${{ secrets.AI_CORE_CANARY }}"
+          else
+              export AICORE_SERVICE_KEY="${{ secrets.AI_CORE_PRODUCTION }}"
+          fi
+          
           cd sample-code/spring-app
           mvn spring-boot:run &
           timeout=15
@@ -77,7 +92,8 @@ jobs:
           done
         env:
           # See "End-to-end test application instructions" on the README.md to update the secret
-          AICORE_SERVICE_KEY: ${{ secrets[matrix.secret-name] }}
+          AI_CORE_PRODUCTION: ${{ secrets.production }}
+          AI_CORE_CANARY: ${{ secrets.canary }}
 
       - name: "Health Check"
         # print response body with headers to stdout.  q:body only  O:print  -:stdout  S:headers
diff --git a/.github/workflows/fosstars-report.yml b/.github/workflows/fosstars-report.yml
@@ -13,8 +13,10 @@ env:
 
 jobs:
   create_fosstars_report:
-    runs-on: ubuntu-latest
     name: "Security rating"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: "Checkout repository"
         uses: actions/checkout@v4
diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml
@@ -28,6 +28,8 @@ jobs:
       release-commit: ${{ steps.prepare-release.outputs.RELEASE_COMMIT_ID }}
       release-tag: ${{ steps.prepare-release.outputs.TAG_NAME }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@v4
@@ -155,6 +157,9 @@ jobs:
     outputs:
       pr-url: ${{ steps.create-release-notes-pr.outputs.PR_URL }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: "Checkout Code Repository"
         uses: actions/checkout@v4
@@ -233,6 +238,9 @@ jobs:
     outputs:
       pr-url: ${{ steps.create-code-pr.outputs.PR_URL }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@v4
diff --git a/.github/workflows/weekly-spec-update.yaml b/.github/workflows/weekly-spec-update.yaml
@@ -7,6 +7,9 @@ on:
 jobs:
   update-all-specs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
 
     strategy:
       matrix:
