Merge pull request #401 from Staffbase/security/define-job-level-permissions

security: define permissions at job level in all workflows

Author: 0x46616c6b

.github/workflows/cla.yml

@@ -9,6 +9,11 @@ on:
 jobs:
   CLAssistant:
     runs-on: ubuntu-slim
+    permissions:
+      actions: read
+      contents: write
+      pull-requests: write
+      statuses: write
     steps:
       - name: "CLA Assistant"
         if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request'

.github/workflows/release-drafter.yml

@@ -8,5 +8,8 @@ on:
 jobs:
   update_release_draft:
     uses: Staffbase/gha-workflows/.github/workflows/template_release_drafter.yml@main
+    permissions:
+      contents: write
+      pull-requests: read
     secrets:
       token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/template_autodev.yml

@@ -54,9 +54,10 @@ on:
 
 jobs:
   autodev:
-
     name: Build Dev Branch
     runs-on: ubuntu-slim
+    permissions:
+      contents: read
 
     # check to not trigger if dependabot did something or PR was closed or label is not the configured dev label
     if: github.actor != 'dependabot[bot]' && (github.event_name == 'push' || github.event.label.name == inputs.label || github.event.action == 'closed')

.github/workflows/template_automerge_dependabot.yml

@@ -30,10 +30,9 @@ on:
 
 jobs:
   dependabot:
-
     name: auto-merge
     runs-on: ubuntu-slim
-
+    permissions: {}
     if: github.event.pull_request.user.login == 'dependabot[bot]'
 
     steps:

.github/workflows/template_changeset_check.yml

@@ -7,6 +7,9 @@ jobs:
     name: changeset-check
     if: (!contains(github.event.pull_request.user.login , '[bot]'))
     runs-on: ubuntu-slim
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

.github/workflows/template_changeset_release.yml

@@ -33,6 +33,8 @@ jobs:
   release:
     name: changeset-release
     runs-on: ubuntu-slim
+    permissions:
+      contents: read
     steps:
       - name: Get App Token
         uses: actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94  # v2.2.0

.github/workflows/template_flaky_tests.yml

@@ -33,6 +33,7 @@ jobs:
   flaky-tests:
     name: Flaky-Tests
     runs-on: ubuntu-slim
+    permissions: {}
     steps:
       - name: Find flaky tests
         uses: Staffbase/github-action-find-flaky-tests@166ee4950d01688cea6a229e6c20ba28ce66c645  # v0.3.1

.github/workflows/template_gitops.yml

@@ -106,6 +106,8 @@ jobs:
     name: GitOps
     runs-on: ${{ inputs.runs-on }}
     if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
+    permissions:
+      contents: read
 
     env:
       USING_APP_CREDENTIALS: ${{ secrets.app-id != '' && secrets.private-key != '' }}

.github/workflows/template_jira_tagging.yml

@@ -20,9 +20,10 @@ on:
 
 jobs:
   jira-annotate:
-
     name: Annotate all occurring tickets since last release-tag
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout

.github/workflows/template_launchdarkly_code_references.yml

@@ -13,9 +13,10 @@ on:
 
 jobs:
   launchDarklyCodeReferences:
-
     name: Find LaunchDarkly flag code references
     runs-on: ubuntu-slim
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout