Set permissions for GitHub token in workflows

ArBridgeman · ArBridgeman · commit 5f3a505d65c3 · 2025-05-09T16:18:52.000+02:00
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -2,6 +2,8 @@ name: Checks
 
 on:
   workflow_call:
+    permissions:
+      content: read
 
 jobs:
 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -16,7 +16,11 @@ jobs:
   CI:
     uses: ./.github/workflows/merge-gate.yml
     secrets: inherit
+    permissions:
+      contents: read
 
   Metrics:
     needs: [ CI ]
     uses: ./.github/workflows/report.yml
+    permissions:
+      contents: read
diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml
@@ -2,6 +2,8 @@ name: Build Matrix (All Versions)
 
 on:
   workflow_call:
+    permissions:
+      content: read
     outputs:
       matrix:
         description: "Generates the all versions build matrix"
diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml
@@ -2,6 +2,8 @@ name: Build Matrix (Exasol)
 
 on:
   workflow_call:
+    permissions:
+      content: read
     outputs:
       matrix:
         description: "Generates the exasol version build matrix"
diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml
@@ -2,6 +2,8 @@ name: Build Matrix (Python)
 
 on:
   workflow_call:
+    permissions:
+      content: read
     outputs:
       matrix:
         description: "Generates the python version build matrix"
diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
@@ -2,6 +2,8 @@ name: Status Report
 
 on:
   workflow_call:
+    permissions:
+      content: read
 
 jobs:
 
diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml
@@ -2,6 +2,8 @@ name: Slow-Checks
 
 on:
   workflow_call:
+    permissions:
+      content: read
 
 jobs:
 
diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md
@@ -13,10 +13,16 @@ This should also create a 'github-pages' environment, if it does not yet exist.
 For most repos using the PTB, the updating of the github pages only happens when a
 PR is merged to main, so please check post-merge that it worked as expected.
 
+With #422, we have hardened the security in our GitHub workflows by explicitly
+setting permissions to the default GitHub token. In a few repos who greatly differ
+from the default PTB setup, this might lead to small issues which require the allowed
+permissions to be increased for specific jobs.
+
 ## ⚒️ Refactorings
 
 * [#412](https://github.com/exasol/python-toolbox/issues/392):  Refactored pre commit hook package version.py into nox task
 
 ## Security
 
-* [#420](https://github.com/exasol/python-toolbox/issues/420): Replaced 3rd party action with GitHub actions for gh-pages
+* [#420](https://github.com/exasol/python-toolbox/issues/420): Replaced 3rd party action with GitHub actions for gh-pages
+* [#422](https://github.com/exasol/python-toolbox/issues/422): Set permissions within the GitHub workflows to restrict usage of the default GitHub token
diff --git a/exasol/toolbox/templates/github/workflows/ci.yml b/exasol/toolbox/templates/github/workflows/ci.yml
@@ -16,7 +16,11 @@ jobs:
   CI:
     uses: ./.github/workflows/merge-gate.yml
     secrets: inherit
+    permissions:
+      contents: read
 
   Metrics:
     needs: [ CI ]
     uses: ./.github/workflows/report.yml
+    permissions:
+      contents: read
