ci(security): reduce the workflow permissions to read-all

sxd · sxd · commit 070ef547ee26 · 2025-05-27T14:09:44.000+02:00
By default all the workflows should have read-all permissions and any extra permission required should be added explicitly per job. Closes #84 Signed-off-by: Jonathan Gonzalez V. <jonathan.abdiel@gmail.com>
diff --git a/.github/workflows/build-commitfest.yml b/.github/workflows/build-commitfest.yml
@@ -15,6 +15,8 @@ defaults:
     # default failure handling for shell scripts in 'run' steps
     shell: 'bash -Eeuo pipefail -x {0}'
 
+permissions: read-all
+
 jobs:
   build-pg:
     name: Build the patch for PostgreSQL
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -20,6 +20,8 @@ defaults:
     # default failure handling for shell scripts in 'run' steps
     shell: 'bash -Eeuo pipefail -x {0}'
 
+permissions: read-all
+
 jobs:
   build-pg:
     name: Build generic PostgreSQL image from sources
diff --git a/.github/workflows/continuous-delivery.yml b/.github/workflows/continuous-delivery.yml
@@ -19,6 +19,8 @@ defaults:
     # default failure handling for shell scripts in 'run' steps
     shell: 'bash -Eeuo pipefail -x {0}'
 
+permissions: read-all
+
 jobs:
   build-pg:
     name: Build the Trunk of PostgreSQL
diff --git a/.github/workflows/reusable-e2e.yml b/.github/workflows/reusable-e2e.yml
@@ -37,10 +37,14 @@ defaults:
     # default failure handling for shell scripts in 'run' steps
     shell: 'bash -Eeuo pipefail -x {0}'
 
+permissions: read-all
+
 jobs:
   e2e-local:
     name: Run E2E on local executors
     runs-on: ubuntu-24.04
+    permissions:
+      packages: write
     env:
       TEST_DEPTH: ${{ inputs.test_depth }}
       FEATURE_TYPE: ${{ inputs.feature_type }}
diff --git a/.github/workflows/run-e2e-test.yml b/.github/workflows/run-e2e-test.yml
@@ -19,6 +19,8 @@ on:
         description: 'E2E feature type filter. See https://github.com/cloudnative-pg/cloudnative-pg/blob/main/contribute/e2e_testing_environment/README.md#using-feature-type-test-selectionfilter'
         required: false
 
+permissions: read-all
+
 jobs:
   evaluate-env:
     name: Evaluate input env variables
@@ -62,6 +64,8 @@ jobs:
     needs:
       - evaluate-env
     uses: ./.github/workflows/reusable-e2e.yml
+    permissions:
+      packages: write
     with:
       postgres_img: ${{ needs.evaluate-env.outputs.pg_image }}
       major_version: ${{ needs.evaluate-env.outputs.pg_major }}
