ci(StepSecurity): Harden GHA token permissions (#777)

---------

Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: StepSecurity Bot <[email protected]>

Author: MaxymVlasov

.github/workflows/build-image-test.yaml

@@ -2,7 +2,11 @@
 
 name: Build Dockerfile if changed and run smoke tests
 
-on: [pull_request]
+on:
+  pull_request:
+
+permissions:
+  contents: read
 
 env:
   IMAGE_TAG: pr-test

.github/workflows/build-image.yaml

@@ -10,8 +10,15 @@ on:
   schedule:
   - cron: 00 00 * * *
 
+permissions:
+  contents: read
+
 jobs:
   docker:
+    permissions:
+      # for docker/build-push-action to publish docker image
+      packages: write
+
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code

.github/workflows/ci-cd.yml

@@ -15,6 +15,9 @@ on:
   pull_request:
   workflow_call:  # a way to embed the main tests
 
+permissions:
+  contents: read
+
 concurrency:
   group: >-
     ${{

.github/workflows/pr-title.yml

@@ -9,8 +9,17 @@ on:
     - edited
     - synchronize
 
+permissions:
+  contents: read
+
 jobs:
   main:
+    permissions:
+      # for amannn/action-semantic-pull-request to analyze PRs
+      pull-requests: read
+      # for amannn/action-semantic-pull-request to mark status of analyzed PR
+      statuses: write
+
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:

.github/workflows/pre-commit.yaml

@@ -2,10 +2,16 @@
 
 name: Common issues check
 
-on: [pull_request]
+on:
+  pull_request:
+
+permissions:
+  contents: read
 
 jobs:
   pre-commit:
+    permissions:
+      contents: write  # for pre-commit/action to push back fixes to PR branch
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

.github/workflows/release.yml

@@ -14,8 +14,20 @@ on:
     - .pre-commit-hooks.yaml
     # Ignore paths
     - '!tests/**'
+
+permissions:
+  contents: read
+
 jobs:
   release:
+    permissions:
+      # for cycjimmy/semantic-release-action to create a release
+      contents: write
+      # for cycjimmy/semantic-release-action to write comments to issues
+      issues: write
+      # for cycjimmy/semantic-release-action to write comments to PRs
+      pull-requests: write
+
     name: Release
     runs-on: ubuntu-latest
     steps:
@@ -34,4 +46,7 @@ jobs:
           @semantic-release/[email protected]
           @semantic-release/[email protected]
       env:
+        # Custom token for triggering Docker image build GH Workflow on release
+        # created by cycjimmy/semantic-release-action. Events created by
+        # workflows with default GITHUB_TOKEN not trigger other GH Workflow.
         GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}

.github/workflows/reusable-tox.yml

@@ -83,6 +83,9 @@ on:
         description: Mandatory token for uploading to Codecov
         required: true
 
+permissions:
+  contents: read
+
 env:
   COLOR: >-  # Supposedly, pytest or coveragepy use this
     yes

.github/workflows/scheduled-runs.yml

@@ -10,6 +10,9 @@ on:
   - cron: 3 5 * * *  # run daily at 5:03 UTC
   workflow_dispatch:  # manual trigger
 
+permissions:
+  contents: read
+
 run-name: >-
   🌃
   Nightly run of

.github/workflows/stale-actions.yaml

@@ -5,8 +5,14 @@ on:
   schedule:
   - cron: 0 0 * * *
 
+permissions:
+  contents: read
+
 jobs:
   stale:
+    permissions:
+      issues: write  # for actions/stale to close stale issues
+      pull-requests: write  # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
     steps:
     - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639  # v9.1.0