From 68a8fd78116723be9ab2576e46cf7c543824377c Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:22:17 -0400
Subject: [PATCH 01/10] ci: scope down permissions for docker-publish.yaml

---
 .github/workflows/docker-publish.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/docker-publish.yaml b/.github/workflows/docker-publish.yaml
index 2d57124d76..1413eacbe0 100644
--- a/.github/workflows/docker-publish.yaml
+++ b/.github/workflows/docker-publish.yaml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: read
+
 jobs:
   build-and-push-to-registry:
     name: Build and push container image

From 766ce80ebe9269a0413bbf74aea4530b71ea5cc8 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:22:19 -0400
Subject: [PATCH 02/10] ci: scope down permissions for publish-docs.yaml

---
 .github/workflows/publish-docs.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
index e5fe1721ac..bdb9d5f595 100644
--- a/.github/workflows/publish-docs.yaml
+++ b/.github/workflows/publish-docs.yaml
@@ -3,6 +3,9 @@ name: Publish docs
 on:
   release:
     types: [published]
+permissions:
+  contents: read
+
 jobs:
   publish-docs:
     name: Publish docs to Netlify

From 50aca3afdbcacce3a6ee788ee3667f05555776f2 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:22:21 -0400
Subject: [PATCH 03/10] ci: scope down permissions for release-merge.yaml

---
 .github/workflows/release-merge.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release-merge.yaml b/.github/workflows/release-merge.yaml
index 2dd0542ee6..75bece6568 100644
--- a/.github/workflows/release-merge.yaml
+++ b/.github/workflows/release-merge.yaml
@@ -6,6 +6,10 @@ on:
 env:
   VERSION_FILE: pkg/version/release.go
   DEFAULT_BRANCH: main
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   merge_release:
     name: Merge release
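Review bot: The workflow-level `contents: read` in docker-publish.yaml leaves GITHUB_TOKEN without `packages: write`, so if build-and-push-to-registry pushes to GHCR with that token (the job body is outside the hunk) the push step will be rejected. Rather than widening the top level, add a job-level block on that job, `permissions: { contents: read, packages: write }`, and include `id-token: write` only if the image is signed keylessly. If the registry login uses a dedicated secret or PAT instead, this grant is already sufficient; worth confirming against the login step.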
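Review bot: `contents: write` and `pull-requests: write` in release-merge.yaml are granted at the workflow level, so every job in the file inherits them, not only merge_release (whose steps are outside the hunk). If the file has a single job this is equivalent today, but placing the block under `merge_release:` keeps any job added later at the default-none scope. With `contents: write` the token can push to the branch named by `DEFAULT_BRANCH`; if the merge step actually uses a PAT or App token (GITHUB_TOKEN pushes do not trigger downstream workflows), the grant here may be unnecessary and could be reduced to `contents: read`.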
From a03e02d8866e0c91631995d10e09db8229802fb4 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:22:23 -0400
Subject: [PATCH 04/10] ci: scope down permissions for publish-release.yaml

---
 .github/workflows/publish-release.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/publish-release.yaml b/.github/workflows/publish-release.yaml
index 1fbed1c62a..575b9dd8d3 100644
--- a/.github/workflows/publish-release.yaml
+++ b/.github/workflows/publish-release.yaml
@@ -12,6 +12,9 @@ on:
       customToken:
         required: true
 
+permissions:
+  contents: write
+
 jobs:
   publish-release:
     name: ${{ inputs.isReleaseCandidate && 'prerelease' || 'release' }}

From f9d7ebcd80d29e3c9844909112345d330009a1b4 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:22:24 -0400
Subject: [PATCH 05/10] ci: scope down permissions for release-candidate.yaml

---
 .github/workflows/release-candidate.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release-candidate.yaml b/.github/workflows/release-candidate.yaml
index bb9bbf1075..14ab850c4e 100644
--- a/.github/workflows/release-candidate.yaml
+++ b/.github/workflows/release-candidate.yaml
@@ -3,6 +3,10 @@ name: Trigger Release Candidate
 on:
   workflow_dispatch: {}
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   rc:
     name: Push release candidate tag

From 200d9fb5e33c54fbf392d683ef93a6556014018b Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:22:26 -0400
Subject: [PATCH 06/10] ci: scope down permissions for release.yaml

---
 .github/workflows/release.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 51ebb55399..de2383d5d9 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,6 +3,10 @@ name: Trigger Release
 on:
   workflow_dispatch: {}
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   rc:
     name: Push release tag
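Review bot: publish-release.yaml is a reusable workflow (the `customToken` secret under `workflow_call` is visible in context), so this `contents: write` is an upper bound: the effective GITHUB_TOKEN permissions are the intersection with what the caller grants, and a caller that only grants `contents: read` will fail when the call is resolved. If release.yaml and release-candidate.yaml (patches 05 and 06) are the callers, their `contents: write` keeps them consistent. If the release step authenticates with `customToken` rather than GITHUB_TOKEN (publish-release's steps are outside the hunk), `contents: write` on GITHUB_TOKEN may be unneeded; either reduce it or record why it is required with a comment above the block such as `# contents: write: GITHUB_TOKEN creates the GitHub release`.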
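Review bot: `pull-requests: write` is granted in release-candidate.yaml although the only visible job, rc ("Push release candidate tag"), appears to push a tag; patch 06 adds the identical block to release.yaml. Unless rc opens or comments on a pull request (its steps are outside the hunk), the block can be reduced to `permissions:` / `  contents: write` in both files. If rc calls publish-release.yaml, it must grant at least that workflow's `contents: write`, which the reduced block still does.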
From 611a46cc0d286b34418d6c73afa130649c9854d9 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:22:28 -0400
Subject: [PATCH 07/10] ci: scope down permissions for test-and-build.yaml

---
 .github/workflows/test-and-build.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/test-and-build.yaml b/.github/workflows/test-and-build.yaml
index cb57b5b023..e22f37d7de 100644
--- a/.github/workflows/test-and-build.yaml
+++ b/.github/workflows/test-and-build.yaml
@@ -4,6 +4,9 @@ on:
   pull_request: {}
   workflow_call: {}
 
+permissions:
+  contents: read
+
 jobs:
   unit-test:
     name: Unit tests

From d48cf43d909d18652a759a6ad46086447a8d500a Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:22:30 -0400
Subject: [PATCH 08/10] ci: scope down permissions for build-all-distros-nightly.yaml

---
 .github/workflows/build-all-distros-nightly.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/build-all-distros-nightly.yaml b/.github/workflows/build-all-distros-nightly.yaml
index 9f02f288a9..8bc73547d8 100644
--- a/.github/workflows/build-all-distros-nightly.yaml
+++ b/.github/workflows/build-all-distros-nightly.yaml
@@ -4,6 +4,9 @@ on:
     - cron: '0 9 * * 1-5'
   workflow_dispatch: {}
 
+permissions:
+  contents: read
+
 jobs:
   build-all-distros:
     name: build all distros

From c1fe5a50c985b4e236f677206632732ec087c76f Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:22:32 -0400
Subject: [PATCH 09/10] ci: scope down permissions for pr-labels.yaml

---
 .github/workflows/pr-labels.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pr-labels.yaml b/.github/workflows/pr-labels.yaml
index 1734c815ef..ee98de21b9 100644
--- a/.github/workflows/pr-labels.yaml
+++ b/.github/workflows/pr-labels.yaml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [labeled, unlabeled, opened, edited, synchronize]
 
+permissions:
+  contents: read
+
 jobs:
   enforce-kind:
     name: Enforce a valid PR category
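Review bot: test-and-build.yaml is also entered via `workflow_call`, so the `contents: read` here caps what any caller can pass down; a step in unit-test that publishes check runs or PR comments (the job's steps are outside the hunk) would now need a job-level `checks: write` or `pull-requests: write`. For `pull_request` runs from forks the token is read-only regardless, so the block changes nothing there. A one-line comment above the block, `# callers cannot grant more than this; raise per job if a reporter needs it`, would make the cap explicit.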
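Review bot: With an explicit `permissions` block every unlisted scope becomes none, so in pr-labels.yaml the enforce-kind job ends up with no `pull-requests` scope; if it reads or applies labels through the Pulls/Issues API (its steps are outside the hunk) it needs `pull-requests: read`, or `write` to set labels, next to `contents: read`. A check that only inspects `github.event.pull_request.labels` from the event payload needs nothing further, so the right scope depends on which action the job uses.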
From 201fb8c8ce0b69841af9304bc800ed1532f7e203 Mon Sep 17 00:00:00 2001
From: Adnan Khan
Date: Tue, 21 Oct 2025 16:22:34 -0400
Subject: [PATCH 10/10] ci: scope down permissions for homebrew-update.yml

---
 .github/workflows/homebrew-update.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/homebrew-update.yml b/.github/workflows/homebrew-update.yml
index d2754972e0..47c6b124f8 100644
--- a/.github/workflows/homebrew-update.yml
+++ b/.github/workflows/homebrew-update.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  issues: write
+
 jobs:
   notify-homebrew:
     runs-on: ubuntu-latest
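Review bot: `issues: write` is the only scope granted in homebrew-update.yml, so GITHUB_TOKEN has no `contents: read`; if notify-homebrew runs `actions/checkout` or fetches release assets through the API (its steps are outside the hunk) add `  contents: read` to the block. Note also that `issues: write` on GITHUB_TOKEN applies to this repository only; if the job files an issue or PR in a separate Homebrew tap repository it must use a PAT or GitHub App token, and this grant would then be unused and could be dropped.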