diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 4cefedd..b341723 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -7,11 +7,13 @@ on:
 - "bugfix/**"
 - "hotfix/**"
-permissions:
- contents: read
+permissions: read-all
+
 jobs:
 build-and-test:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: frasermolyneux/actions/dotnet-ci@dotnet-ci/v1.1
@@ -19,4 +21,4 @@ jobs:
 dotnet-version: |
 9.0.x
 10.0.x
- src-folder: "src"
+ src-folder: "src"
\ No newline at end of file
diff --git a/.github/workflows/codequality.yml b/.github/workflows/codequality.yml
index 422d9b4..32d8cfb 100644
--- a/.github/workflows/codequality.yml
+++ b/.github/workflows/codequality.yml
@@ -11,13 +11,15 @@ on:
 - main
 types: [opened, synchronize, reopened, ready_for_review]
-permissions:
- contents: read
- actions: read
- security-events: write
+permissions: read-all
+
 jobs:
 quality:
+ permissions:
+ contents: read
+ actions: read
+ security-events: write
 uses: frasermolyneux/actions/.github/workflows/codequality.yml@main
 with:
 sonar-project-key: frasermolyneux_api-client-abstractions
@@ -31,14 +33,22 @@ jobs:
 secrets:
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ devops-secure-scanning:
+ permissions:
+ contents: read
+ actions: read
+ security-events: write
+ uses: frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@main
+
 dependency-review:
- if: github.event_name == 'pull_request'
- runs-on: ubuntu-latest
 permissions:
 contents: read
 pull-requests: read
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
 - name: Dependency Review
 uses: actions/dependency-review-action@v4
+
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 9562c3e..954e278 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
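Review bot: The workflow-level `permissions: read-all` that replaces `contents: read` in the first hunk is wider than what it replaced: it makes every read scope (issues, pull-requests, packages, security-events, …) the default for any job that has no block of its own, while the only job in the file re-declares `contents: read`, so the top-level value does no work today (a job-level `permissions` block replaces the workflow-level one rather than merging with it). A safer baseline is `permissions: {}`, which gives a job added later nothing until it opts in; the job-level blocks stay exactly as written. The same top-level `read-all` is repeated in every other workflow in this change, so the comment applies file-wide.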
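Review bot: The new `devops-secure-scanning` job in the second codequality hunk calls `frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@main` and hands it `security-events: write`, so whatever lands on that branch later runs here with upload rights to this repository's code-scanning alerts; a branch name is the weakest possible pin for a cross-repository reusable workflow. Pin it to a full commit SHA with the version in a trailing comment, `uses: frasermolyneux/actions/.github/workflows/devops-secure-scanning.yml@<sha> # vX.Y`, and let Dependabot bump it; the existing `quality` job's `@main` reference in the previous hunk has the same shape. The reordering of `if:` and `runs-on:` under `dependency-review` is cosmetic and changes nothing.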
@@ -11,6 +11,8 @@ on:
 paths:
 - .github/workflows/copilot-setup-steps.yml
+permissions: read-all
+
 jobs:
 # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
 copilot-setup-steps:
diff --git a/.github/workflows/dependabot-automerge.yml b/.github/workflows/dependabot-automerge.yml
index 49fd369..f8ec9fe 100644
--- a/.github/workflows/dependabot-automerge.yml
+++ b/.github/workflows/dependabot-automerge.yml
@@ -1,12 +1,15 @@
 name: Dependabot Auto-Merge
 on: pull_request
-permissions:
- contents: write
- pull-requests: write
+
+permissions: read-all
+
 jobs:
 dependabot:
+ permissions:
+ contents: write
+ pull-requests: write
 runs-on: ubuntu-latest
 if: ${{ github.actor == 'dependabot[bot]' }}
 steps:
@@ -19,4 +22,4 @@ jobs:
 run: gh pr merge --auto --merge "$PR_URL"
 env:
 PR_URL: ${{github.event.pull_request.html_url}}
- GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
\ No newline at end of file
diff --git a/.github/workflows/pr-verify.yml b/.github/workflows/pr-verify.yml
index 0a1a09a..2035d56 100644
--- a/.github/workflows/pr-verify.yml
+++ b/.github/workflows/pr-verify.yml
@@ -6,11 +6,13 @@ on:
 - main
 types: [opened, synchronize, reopened, ready_for_review]
-permissions:
- contents: read
+permissions: read-all
+
 jobs:
 build-and-test:
+ permissions:
+ contents: read
 if: github.event.pull_request.draft == false
 runs-on: ubuntu-latest
 steps:
@@ -19,4 +21,4 @@ jobs:
 dotnet-version: |
 9.0.x
 10.0.x
- src-folder: "src"
+ src-folder: "src"
\ No newline at end of file
diff --git a/.github/workflows/release-publish-nuget.yml b/.github/workflows/release-publish-nuget.yml
index 4ee6592..dec8556 100644
--- a/.github/workflows/release-publish-nuget.yml
+++ b/.github/workflows/release-publish-nuget.yml
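Review bot: The added `permissions: read-all` is the only permission statement visible for copilot-setup-steps.yml, and the `copilot-setup-steps` job's body runs past the end of the hunk, so unless it carries its own block it now inherits every read scope on the token rather than the `contents: read` a checkout needs. If the job only checks out and restores packages, give it the same job-level `permissions:` / `  contents: read` block the other workflows in this change use and keep the top level at `permissions: {}`; I cannot see the job's steps from here, so confirm what it actually needs before narrowing.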
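Review bot: In the dependabot-automerge hunk the job keeps `contents: write` and `pull-requests: write`, but the only gate in front of the `gh pr merge --auto` step is `if: ${{ github.actor == 'dependabot[bot]' }}`, which identifies who triggered the run rather than who authored the PR, and it queues every Dependabot PR for merge regardless of update type. A more precise gate is `if: github.event.pull_request.user.login == 'dependabot[bot]'`, and if major bumps are not meant to merge unattended, read the update type with `dependabot/fetch-metadata` and only auto-merge `version-update:semver-patch` / `semver-minor` results. Moving the write scopes from the workflow to the job is a good change on its own.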
@@ -7,12 +7,15 @@ on:
 types:
 - completed
-permissions:
- contents: write
- actions: read
+
+permissions: read-all
+
 jobs:
 publish-nuget-packages:
+ permissions:
+ contents: write
+ actions: read
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 environment: NuGet
 runs-on: ubuntu-latest
@@ -61,4 +64,4 @@ jobs:
 skipIfReleaseExists: true
 artifacts: nuget-packages/**/*.nupkg
 artifactErrorsFailBuild: false
- token: ${{ secrets.GITHUB_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/release-version-and-tag.yml b/.github/workflows/release-version-and-tag.yml
index 23d65d6..be14aa4 100644
--- a/.github/workflows/release-version-and-tag.yml
+++ b/.github/workflows/release-version-and-tag.yml
@@ -8,11 +8,14 @@ on:
 paths:
 - 'src/**'
-permissions:
- contents: read
+
+permissions: read-all
+
 jobs:
 calculate-version:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 outputs:
 semver: ${{ steps.capture_version.outputs.semver }}
@@ -74,6 +77,8 @@ jobs:
 "tag_name=$tagName" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf8 -Append
 dotnet-ci:
+ permissions:
+ contents: read
 needs: calculate-version
 runs-on: ubuntu-latest
 env:
@@ -88,13 +93,13 @@ jobs:
 src-folder: "src"
 tag-release:
+ permissions:
+ contents: write
 needs:
 - calculate-version
 - dotnet-ci
 if: needs.calculate-version.outputs.should_tag == 'true'
 runs-on: ubuntu-latest
- permissions:
- contents: write
 steps:
 - name: Checkout repository
@@ -112,4 +117,4 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 shell: pwsh
 run: |
- git push origin ${{ needs.calculate-version.outputs.tag_name }}
+ git push origin ${{ needs.calculate-version.outputs.tag_name }}
\ No newline at end of file
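Review bot: `publish-nuget-packages` in the first release-publish-nuget hunk now holds `contents: write` on a `workflow_run` trigger, but its only condition is `github.event.workflow_run.conclusion == 'success'`; `workflow_run` fires for a completed run of the upstream workflow on any branch, so a green run from a feature branch reaches the `NuGet` environment and the release step unless the environment's deployment-branch rule stops it. Add the branch and event to the guard, e.g. `if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == 'main' && github.event.workflow_run.event == 'push' }}`, assuming `main` is the release branch. The `workflows:` list under `on:` and the artifact download step are outside this hunk, so I cannot tell which workflow feeds it.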
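Review bot: `tag-release` is the job that now carries `contents: write` (third release-version-and-tag hunk), and the value it pushes, `needs.calculate-version.outputs.tag_name`, is interpolated straight into the `run:` script of the push step in the following hunk (`git push origin ${{ needs.calculate-version.outputs.tag_name }}`), so the write-scoped token executes whatever that output expands to. The output is produced by `calculate-version`, whose body is above this hunk and appears to come from the versioning tool on a push to `main`, so the exposure looks low, but the idiomatic form is to pass it through `env:` (`TAG_NAME: ${{ needs.calculate-version.outputs.tag_name }}`) and write `git push origin "$env:TAG_NAME"` in the pwsh script. Placing `permissions` first in the job matches the other jobs in this file.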