Merge pull request #937 from mattmoor/audit-permissions

Audit the permissions of workflows.

.github/workflows/build.yaml

@@ -1,16 +1,19 @@
 name: ci
 
 on:
-  pull_request:
   push:
-    branches:
-      - 'main'
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
 
 jobs:
   build:
     name: build
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 

.github/workflows/e2e.yaml

@@ -2,9 +2,9 @@ name: e2e melange bootstrap + build
 
 on:
   push:
-    branches:
-      - 'main'
+    branches: [ "main" ]
   pull_request:
+    branches: [ "main" ]
 
 env:
   SOURCE_DATE_EPOCH: 1669683910
@@ -14,6 +14,9 @@ jobs:
     name: build examples
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
@@ -53,6 +56,9 @@ jobs:
     name: build example on kubernetes
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -90,6 +96,10 @@ jobs:
   bootstrap:
     name: bootstrap package
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     container:
       image: alpine:latest
       options: |

.github/workflows/go-tests.yaml

@@ -2,13 +2,17 @@ name: Go Tests
 
 on:
   push:
-    branches:
-      - main
+    branches: [ "main" ]
   pull_request:
+    branches: [ "main" ]
 
 jobs:
   test:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:

.github/workflows/melange-test-pipelines.yaml

@@ -1,16 +1,19 @@
 name: Test melange test command
 
 on:
-  pull_request:
   push:
-    branches:
-      - 'main'
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
 
 jobs:
   build-melange:
     name: Build melange and add to artifact cache
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -36,6 +39,9 @@ jobs:
     # TODO: Set up a larger runner for this.
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     # This is a list of packages which we want to test against.
     # Feel free to add additional packages to this matrix which exercise
     # Melange `test` in new ways (e.g. new pipelines, etc.)

.github/workflows/verify.yaml

@@ -2,15 +2,18 @@ name: verify
 
 on:
   push:
-    branches:
-      - "main"
+    branches: [ "main" ]
   pull_request:
+    branches: [ "main" ]
 
 jobs:
   golangci:
     name: lint
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 

.github/workflows/wolfi-presubmit.yaml

@@ -1,16 +1,19 @@
 name: ci
 
 on:
-  pull_request:
   push:
-    branches:
-      - 'main'
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
 
 jobs:
   build-melange:
     name: Build melange and add to artifact cache
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -36,6 +39,9 @@ jobs:
     # TODO: Set up a larger runner for this.
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     # This is a list of packages which covers basic and exotic uses of
     # the built-in pipelines.  Goal is to balance efficiency while also
     # exercising Melange with real-world package builds.