Fix top level permissions in workflows

jt-nti · jt-nti · commit 17198e9d16ca · 2025-02-07T18:35:20.000Z
Permissions should be read only by default Also updates Dockerfile Related to #174 Signed-off-by: James Taylor <jamest@uk.ibm.com>
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -16,11 +16,6 @@ on:
         required: false
         type: string
 
-permissions:
-  contents: read
-  packages: write
-  id-token: write
-
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/go-contract-image.yml b/.github/workflows/go-contract-image.yml
@@ -17,6 +17,10 @@ on:
 jobs:
   docker_build:
     name: Docker build
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     uses: ./.github/workflows/docker-build.yml
     with:
       image-name: ghcr.io/hyperledger-labs/fabric-builder-k8s/sample-go-contract
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -15,6 +15,8 @@ on:
       - 'docs/**'
       - 'samples/**'
 
+permissions: read-all
+
 jobs:
 
   build:
@@ -24,6 +26,9 @@ jobs:
         os: [ubuntu-latest, macOS-13]
         goarch: [amd64, arm64]
 
+    permissions:
+      contents: write
+
     env:
       GOARCH: ${{ matrix.goarch }}
 
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -15,8 +15,7 @@ on:
       - 'docs/**'
       - 'samples/**'
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   golangci:
diff --git a/.github/workflows/java-contract-image.yml b/.github/workflows/java-contract-image.yml
@@ -17,6 +17,10 @@ on:
 jobs:
   docker_build:
     name: Docker build
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     uses: ./.github/workflows/docker-build.yml
     with:
       image-name: ghcr.io/hyperledger-labs/fabric-builder-k8s/sample-java-contract
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -11,10 +11,7 @@ on:
       - 'docs/**'
   workflow_dispatch:
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
+permissions: read-all
 
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@@ -54,6 +51,10 @@ jobs:
   # Deployment job
   deploy:
     if: github.event_name == 'push'
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
diff --git a/.github/workflows/node-contract-image.yml b/.github/workflows/node-contract-image.yml
@@ -17,6 +17,10 @@ on:
 jobs:
   docker_build:
     name: Docker build
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     uses: ./.github/workflows/docker-build.yml
     with:
       image-name: ghcr.io/hyperledger-labs/fabric-builder-k8s/sample-node-contract
diff --git a/.github/workflows/peer-image.yml b/.github/workflows/peer-image.yml
@@ -18,6 +18,8 @@ on:
       - 'docs/**'
       - 'samples/**'
 
+permissions: read-all
+
 jobs:
   docker_build:
     name: Docker build
diff --git a/.github/workflows/status-checks-docker.yml b/.github/workflows/status-checks-docker.yml
@@ -3,6 +3,8 @@ name: Skip docker status checks
 on:
   workflow_call:
 
+permissions: read-all
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/status-checks.yml b/.github/workflows/status-checks.yml
@@ -7,6 +7,8 @@ on:
       - 'docs/**'
       - 'samples/**'
 
+permissions: read-all
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/Dockerfile b/Dockerfile
@@ -1,11 +1,14 @@
-ARG UBUNTU_VER=20.04
+ARG UBUNTU_VER=24.04
 ARG HLF_VERSION=2.5
 
 FROM ubuntu:${UBUNTU_VER} AS build
 ARG GO_VER=1.23.0
 ENV GOPATH=/go
 
-RUN apt update && apt install -y \
+ENV DEBIAN_FRONTEND="noninteractive"
+RUN apt-get update && apt-get install -y -q --no-install-recommends \
+    ca-certificates \
+    build-essential \
     git \
     gcc \
     curl \
@@ -17,11 +20,13 @@ ENV PATH="/usr/local/go/bin:$PATH"
 ADD . $GOPATH/src/github.com/hyperledger-labs/fabric-builder-k8s
 WORKDIR $GOPATH/src/github.com/hyperledger-labs/fabric-builder-k8s
 
-RUN go install ./cmd/...
+RUN go install -a -v ./cmd/...
 
 FROM hyperledger/fabric-peer:${HLF_VERSION} AS core
 
-RUN apt update && apt install -y \
+ENV DEBIAN_FRONTEND="noninteractive"
+RUN apt-get update && apt-get install -y -q --no-install-recommends \
+    ca-certificates \
     wget
 
 RUN wget https://github.com/mikefarah/yq/releases/download/v4.23.1/yq_linux_$(dpkg --print-architecture) -O /usr/bin/yq && chmod +x /usr/bin/yq
