diff --git a/.github/workflows/benchmark.yaml b/.github/workflows/benchmark.yaml
index 12057cd17..d0ed52839 100644
--- a/.github/workflows/benchmark.yaml
+++ b/.github/workflows/benchmark.yaml
@@ -24,6 +24,10 @@ on:
 required: false
 type: string
+# Default to read-only at the workflow level (least privilege per Scorecard).
+# Jobs that need elevated scopes override below.
+permissions: read-all
+
 concurrency:
 group: benchmark-${{ github.ref }}
 cancel-in-progress: true
@@ -31,6 +35,14 @@ concurrency:
 jobs:
 benchmark:
 runs-on: ubuntu-latest
+ # Override read-all to keep the 'Comment on PR' step working — the
+ # peter-evans/create-or-update-comment action requires both
+ # issues:write and pull-requests:write to post benchmark results.
+ # CodeRabbit PR #39 finding (benchmark.yaml:29).
+ permissions:
+ contents: read
+ issues: write
+ pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f647ab7ea..14d9f0ac0 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -18,6 +18,10 @@ on:
 default: false
 description: "Build for both amd64 and arm64"
+# Default to read-only at the workflow level (least privilege per Scorecard).
+# Jobs that need elevated scopes override below.
+permissions: read-all
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/bypass.yaml b/.github/workflows/bypass.yaml
index be81f0260..e57856464 100644
--- a/.github/workflows/bypass.yaml
+++ b/.github/workflows/bypass.yaml
@@ -2,6 +2,10 @@ name: build
 on:
 workflow_dispatch:
+# Default to read-only at the workflow level (least privilege per Scorecard).
+# Jobs that need elevated scopes override below.
+permissions: read-all
+
 jobs:
 reset-run-number:
 runs-on: ubuntu-latest
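Review bot: `permissions: read-all` is a broader baseline than the "least privilege" comment implies — it gives every job read access to every scope, including `security-events: read` (code-scanning alerts) and `packages: read`, whereas `contents: read` is all the checkout needs. To my knowledge Scorecard's Token-Permissions check accepts either form at top level, so the narrower `permissions:` / `contents: read` costs nothing in the score and makes each job-level override the only source of extra scope. The identical top-level block in build.yaml, bypass.yaml, component-tests.yaml, go-basic-tests.yaml, incluster-comp-pr-created.yaml, incluster-comp-pr-merged.yaml, pr-created.yaml and pr-merged.yaml could be tightened the same way. Any job that quietly relied on another read scope (e.g. `actions: read` for artifact downloads) would then fail visibly with a 403 in that job rather than keep working by accident.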
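Review bot: The job-level `issues: write` / `pull-requests: write` grant is only an upper bound if benchmark.yaml is invoked through `workflow_call`, which the `required` / `type` input fields in the `on:` context above suggest; in that case the caller's job must also grant both scopes or the comment step still gets a 403 — the same caveat the go-basic-tests.yaml hunk spells out. Worth adding the same note here, e.g. `# NOTE: reusable (workflow_call) — the calling job must also grant issues:write and pull-requests:write.`, and naming which caller does. Note also that a job-level `permissions:` replaces the workflow-level set entirely, so any other scope these steps use would now be `none`. The `(benchmark.yaml:29)` line reference will go stale as the file shifts; naming the job is enough. The benchmark job's steps continue outside the hunk.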
@@ -18,6 +22,13 @@ jobs:
 pr-merged:
 needs: reset-run-number
+ # Scopes the reusable workflow's docker-build / create-release jobs need.
+ # Mirrors pr-merged.yaml's pr-merged job — required because the top-level
+ # 'permissions: read-all' caps what the called workflow can request.
+ permissions:
+ id-token: write
+ packages: write
+ contents: write
 uses: ./.github/workflows/incluster-comp-pr-merged.yaml
 with:
 IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/node-agent
diff --git a/.github/workflows/component-tests.yaml b/.github/workflows/component-tests.yaml
index c01b09dd8..ce1aa3437 100644
--- a/.github/workflows/component-tests.yaml
+++ b/.github/workflows/component-tests.yaml
@@ -60,6 +60,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Default to read-only at the workflow level (least privilege per Scorecard).
+# Jobs that need elevated scopes override below.
+permissions: read-all
+
 jobs:
 # -------------------------------------------------------------------
 # Detect what changed to decide whether an image rebuild is needed.
diff --git a/.github/workflows/go-basic-tests.yaml b/.github/workflows/go-basic-tests.yaml
index 0962daa4c..a3e783108 100644
--- a/.github/workflows/go-basic-tests.yaml
+++ b/.github/workflows/go-basic-tests.yaml
@@ -36,6 +36,10 @@ on:
 GITGUARDIAN_API_KEY:
 required: false
+# Default to read-only at the workflow level (least privilege per Scorecard).
+# Jobs that need elevated scopes override below.
+permissions: read-all
+
 jobs:
 Check-secret:
 name: check if secrets are set
@@ -72,6 +76,15 @@ jobs:
 name: Create cross-platform build
 # needs: [ Setup-Environment ]
 runs-on: ubuntu-latest
+ # Override read-all to let github/codeql-action/analyze upload its
+ # SARIF results — without security-events:write the upload silently
+ # fails (masked by continue-on-error on the CodeQL steps).
+ # NOTE: this is a workflow_call reusable, so the caller must ALSO
+ # grant security-events:write — pr-created.yaml's pr-created job
+ # already does. CodeRabbit PR #39 finding (go-basic-tests.yaml:41).
+ permissions:
+ contents: read
+ security-events: write
 env:
 GITHUB_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
 CGO_ENABLED: ${{ inputs.CGO_ENABLED }}
diff --git a/.github/workflows/incluster-comp-pr-created.yaml b/.github/workflows/incluster-comp-pr-created.yaml
index 53c7c4f7e..1226b0a62 100644
--- a/.github/workflows/incluster-comp-pr-created.yaml
+++ b/.github/workflows/incluster-comp-pr-created.yaml
@@ -33,6 +33,10 @@ on:
 GITGUARDIAN_API_KEY:
 required: false
+# Default to read-only at the workflow level (least privilege per Scorecard).
+# Jobs that need elevated scopes override below.
+permissions: read-all
+
 jobs:
 test:
 permissions:
diff --git a/.github/workflows/incluster-comp-pr-merged.yaml b/.github/workflows/incluster-comp-pr-merged.yaml
index 831858e43..5ef83da9b 100644
--- a/.github/workflows/incluster-comp-pr-merged.yaml
+++ b/.github/workflows/incluster-comp-pr-merged.yaml
@@ -60,6 +60,10 @@ on:
 default: false
 type: boolean
+# Default to read-only at the workflow level (least privilege per Scorecard).
+# Jobs that need elevated scopes override below.
+permissions: read-all
+
 jobs:
 docker-build:
 if: ${{ ((contains(github.event.pull_request.labels.*.name, 'release') || contains( github.event.pull_request.labels.*.name, 'trigger-integration-test')) && github.repository_owner == 'kubescape') || inputs.FORCE }}
diff --git a/.github/workflows/pr-created.yaml b/.github/workflows/pr-created.yaml
index 76ad4f3cb..c9a5b5a5e 100644
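Review bot: The new `permissions` block constrains only the auto-issued token, while the job's `env:` two lines below rebinds `GITHUB_TOKEN` to `secrets.GH_PERSONAL_ACCESS_TOKEN`, so any step that reads the env var authenticates with the PAT's scopes and is untouched by `security-events: write`. As far as I recall codeql-action's upload uses its `token` input (defaulting to `github.token`) rather than the env var, so this grant should be what fixes the silent failure — but only if the analyze step is not given an explicit `token:`; worth confirming on the first run. A sentence in the comment such as `# The PAT in env.GITHUB_TOKEN is not governed by this block; codeql-action authenticates via its token input (github.token).` would stop the next reader from assuming the PAT covers the upload, or that this block limits the PAT. The job's steps continue outside the hunk.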
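Review bot: Adding `permissions: read-all` to this reusable workflow caps its own jobs at read-only unless each job declares its own `permissions`, as I read the reusable-workflow rules — and the bypass.yaml hunk in this same change states that `docker-build` / `create-release` need `id-token: write`, `packages: write` and `contents: write`. The `docker-build` job visible here shows no job-level `permissions` before its `if:`; if none follows later in the job, the grant the callers (bypass.yaml, pr-merged.yaml) pass in is undone by this line and the image push or release creation will fail with a 403. Each writing job needs its own `permissions:` block listing only the write scopes that job uses (e.g. `packages: write` for the push, `contents: write` for the release); the same check applies to the jobs in incluster-comp-pr-created.yaml other than `test`, whose override is visible in its hunk. The `docker-build` job's body continues outside the hunk.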
--- a/.github/workflows/pr-created.yaml
+++ b/.github/workflows/pr-created.yaml
@@ -11,6 +11,10 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+# Default to read-only at the workflow level (least privilege per Scorecard).
+# Jobs that need elevated scopes override below.
+permissions: read-all
+
 jobs:
 pr-created:
 permissions:
diff --git a/.github/workflows/pr-merged.yaml b/.github/workflows/pr-merged.yaml
index 1e98658f5..5ac255e7c 100644
--- a/.github/workflows/pr-merged.yaml
+++ b/.github/workflows/pr-merged.yaml
@@ -10,6 +10,10 @@ on:
 workflow_dispatch:
+# Default to read-only at the workflow level (least privilege per Scorecard).
+# Jobs that need elevated scopes override below.
+permissions: read-all
+
 jobs:
 reset-run-number:
 runs-on: ubuntu-latest