ci(workflows): enhance permissions for jobs (#36)

DariuszPorowski · web-flow · commit 53f3ede34172 · 2025-12-01T11:46:55.000-08:00
Signed-off-by: Dariusz Porowski &lt;3431813+DariuszPorowski@users.noreply.github.com&gt;
diff --git a/.github/workflows/devops-boards.yml b/.github/workflows/devops-boards.yml
@@ -11,14 +11,15 @@ concurrency:
   group: issue-${{ github.event.issue.number }}
   cancel-in-progress: false
 
-# Extra permissions needed to login with Entra ID service principal via federated identity
-permissions:
-  id-token: write
-  issues: write
+permissions: {}
 
 jobs:
   ado:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      id-token: write
+      issues: write
     environment:
       name: issues
     steps:
@@ -36,19 +37,19 @@ jobs:
         run: |
           # The resource ID for Azure DevOps is always 499b84ac-1321-427f-aa17-267ca6975798
           # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity
-          ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)
-          echo "::add-mask::$ADO_TOKEN"
-          echo "ADO_TOKEN=$ADO_TOKEN" >> $GITHUB_ENV
+          ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken --output tsv)
+          echo "::add-mask::${ADO_TOKEN}"
+          echo "ADO_TOKEN=${ADO_TOKEN}" >> "${GITHUB_ENV}"
 
       - name: Sync issue to Azure DevOps
         uses: danhellem/github-actions-issue-to-work-item@8d0ead9b49a65aa66dac6949b1ff149d7ef8b4de # v2.5
         env:
           ado_token: ${{ env.ADO_TOKEN }}
-          github_token: ${{ secrets.GH_RAD_CI_BOT_PAT }}
+          github_token: ${{ github.token }}
           ado_organization: azure-octo
           ado_project: Incubations
-          ado_area_path: "Incubations\\Radius"
-          ado_iteration_path: "Incubations\\Radius"
+          ado_area_path: Incubations\\Radius
+          ado_iteration_path: Incubations\\Radius
           ado_new_state: New
           ado_active_state: Active
           ado_close_state: Closed
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -12,18 +12,25 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   build:
     name: Build Hugo Website
     if: github.event.action != 'closed'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
     env:
       GOVER: "^1.17"
       HUGO_ENV: production
       SWA_BASE: brave-pond-00b49761e
     steps:
       - name: Checkout website repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
 
       - name: Setup Hugo
         uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
@@ -33,7 +40,7 @@ jobs:
 
       - name: Build Hugo Site
         run: |
-          if [ $GITHUB_EVENT_NAME == 'pull_request' ]; then
+          if [ "${GITHUB_EVENT_NAME}" == 'pull_request' ]; then
             STAGING_URL="https://${SWA_BASE}-${{github.event.number}}.3.azurestaticapps.net/"
           fi
           hugo ${STAGING_URL+-b "$STAGING_URL"}
@@ -47,8 +54,9 @@ jobs:
 
   deploy:
     name: Deploy Hugo Website
-    needs: ["build"]
-    runs-on: ubuntu-latest
+    needs: [build]
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     environment:
       name: latest
       url: https://radapp.io
@@ -64,7 +72,7 @@ jobs:
         with:
           azure_static_web_apps_api_token: ${{ secrets.SWA_TOKEN }}
           skip_deploy_on_missing_secrets: true
-          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          repo_token: ${{ github.token }}
           action: upload
           app_location: site/
           api_location: site/
diff --git a/.github/workflows/spellcheck.yaml b/.github/workflows/spellcheck.yaml
@@ -14,6 +14,8 @@ on:
       - v*.*
       - edge
 
+permissions: {}
+
 env:
   ACTION_LINK: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
 
@@ -23,28 +25,35 @@ concurrency:
 jobs:
   spellcheck:
     name: Spellcheck
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     steps:
-      - name: Checkout docs
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - name: Checkout
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
 
       - name: Spellcheck
         uses: rojopolis/spellcheck-github-actions@6f2326b663e2dbab920da0fc4144b9f3202434ba # 0.54.0
         with:
           config_path: .github/config/.pyspelling.yml
 
-      - name: Post GitHub workkflow output on failure
+      - name: Post GitHub workflow output on failure
         if: failure()
         run: |
-          echo "## :x: Spellcheck Failed" >> $GITHUB_STEP_SUMMARY
-          echo "There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing." >> $GITHUB_STEP_SUMMARY
-          echo "### Adding new words" >> $GITHUB_STEP_SUMMARY
-          echo "If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)" >> $GITHUB_STEP_SUMMARY
+          {
+            echo "## :x: Spellcheck Failed"
+            echo "There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing."
+            echo "### Adding new words"
+            echo "If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)"
+          } >> "${GITHUB_STEP_SUMMARY}"
 
       - name: Post GitHub workflow output on success
         run: |
-          echo "## :white_check_mark: Spellcheck Passed" >> $GITHUB_STEP_SUMMARY
-          echo "There are no spelling errors in your PR." >> $GITHUB_STEP_SUMMARY
+          {
+            echo "## :white_check_mark: Spellcheck Passed"
+            echo "There are no spelling errors in your PR."
+          } >> "${GITHUB_STEP_SUMMARY}"
 
       - name: Post GitHub comment on failure
         if: failure()
