Setting job level permissions to workflows (#359)

satyakigh · web-flow · commit b6a2c21549a0 · 2025-12-10T17:18:34.000-05:00
diff --git a/.github/workflows/alpha-release.yml b/.github/workflows/alpha-release.yml
@@ -1,5 +1,5 @@
 name: Release Alpha
-run-name: Release Alpha ${{ github.actor }} ${{ github.event_name }}
+run-name: Release Alpha ${{ inputs.version }} ${{ github.actor }} ${{ github.event_name }}
 
 on:
   workflow_dispatch:
@@ -9,6 +9,9 @@ on:
         required: false
         default: 'main'
 
+permissions:
+  contents: read
+
 jobs:
   create-alpha-tag:
     runs-on: ubuntu-latest
@@ -42,9 +45,9 @@ jobs:
           fi
           
           git tag "$TAG"
-          git push origin "$TAG"
           echo "Created tag from branch=$(git rev-parse --abbrev-ref HEAD), commit=$(git rev-parse HEAD), tag=$(git describe --tags --exact-match)"
 
+          git push origin "$TAG"
           echo "tag=$TAG" >> $GITHUB_OUTPUT
 
   call-release:
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -8,6 +8,9 @@ on:
     - cron: '0 9 * * 3'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   get-configs:
     uses: ./.github/workflows/configs.yml
diff --git a/.github/workflows/beta-release.yml b/.github/workflows/beta-release.yml
@@ -4,6 +4,9 @@ run-name: Release Beta ${{ inputs.version }} ${{ github.actor }} ${{ github.even
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   create-beta-tag:
     runs-on: ubuntu-latest
@@ -30,9 +33,9 @@ jobs:
 
           TAG="v${PKG_VERSION}-beta"
           git tag "$TAG"
-          git push origin "$TAG"
           echo "Created tag from branch=$(git rev-parse --abbrev-ref HEAD), commit=$(git rev-parse HEAD), tag=$(git describe --tags --exact-match)"
 
+          git push origin "$TAG"
           echo "tag=$TAG" >> $GITHUB_OUTPUT
 
   call-release:
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -28,6 +28,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   get-configs:
     uses: ./.github/workflows/configs.yml
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -4,6 +4,9 @@ on:
   push:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build-and-test:
     uses: ./.github/workflows/build-and-test.yml
diff --git a/.github/workflows/configs.yml b/.github/workflows/configs.yml
@@ -13,6 +13,9 @@ on:
         description: "Application name"
         value: ${{ jobs.get-app-name.outputs.app-name }}
 
+permissions:
+  contents: read
+
 jobs:
   get-versions:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -5,6 +5,9 @@ on:
     types: [opened, edited, reopened, synchronize]
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   get-configs:
     uses: ./.github/workflows/configs.yml
diff --git a/.github/workflows/prod-release.yml b/.github/workflows/prod-release.yml
@@ -9,6 +9,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   promote-beta-to-prod:
     runs-on: ubuntu-latest
@@ -46,9 +49,9 @@ jobs:
           
           # Create and push production tag
           git tag "$PROD_TAG"
-          git push origin "$PROD_TAG"
-          
           echo "Created tag from branch=$(git rev-parse --abbrev-ref HEAD), commit=$(git rev-parse HEAD), tag=$(git describe --tags --exact-match)"
+
+          git push origin "$PROD_TAG"
           echo "tag=$PROD_TAG" >> $GITHUB_OUTPUT
 
   call-release:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,6 +16,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   get-configs:
     uses: ./.github/workflows/configs.yml
diff --git a/tools/benchmark.ts b/tools/benchmark.ts
@@ -1,5 +1,13 @@
 #!/usr/bin/env node --expose-gc
 
+import { TelemetryService } from '../src/telemetry/TelemetryService';
+import { LoggerFactory } from '../src/telemetry/LoggerFactory';
+
+LoggerFactory.initialize('silent');
+TelemetryService.initialize(undefined, {
+    telemetryEnabled: false,
+});
+
 import { ContextManager } from '../src/context/ContextManager';
 import { SyntaxTreeManager } from '../src/context/syntaxtree/SyntaxTreeManager';
 import { readFileSync, writeFileSync, readdirSync, existsSync, mkdirSync } from 'fs';
@@ -9,8 +17,6 @@ import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 import { discoverTemplateFiles, generatePositions, TestPosition } from './utils';
 import { DocumentType } from '../src/document/Document';
-import { TelemetryService } from '../src/telemetry/TelemetryService';
-import { LoggerFactory } from '../src/telemetry/LoggerFactory';
 
 /**
  * This script benchmarks the performance of context resolution for CloudFormation templates,
@@ -854,11 +860,6 @@ function main(): void {
             process.exit(1);
         }
 
-        LoggerFactory.initialize('silent');
-        TelemetryService.initialize(undefined, {
-            telemetryEnabled: false,
-        });
-
         console.log(`📋 Found ${templateFiles.length} template files (sorted by size):`);
         for (const { name, documentType, size } of templateFiles) {
             const sizeKB = (size / 1024).toFixed(2);
