chore(ci): set default perms to read all

Signed-off-by: daemon1024 <[email protected]>

.github/workflows/ci-latest-helm-chart-release.yaml

@@ -7,6 +7,9 @@ on:
     paths:
       - "deployments/helm/**"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   publish-chart:
     name: Update Stable Helm Chart With Latest Changes

.github/workflows/ci-latest-release.yml

@@ -16,6 +16,9 @@ on:
     branches:
       - "v*"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   check:
     name: Check what pkg were updated

.github/workflows/ci-operator-release.yaml

@@ -14,6 +14,8 @@ on:
     branches:
       - "v*"
 
+# Declare default permissions as read only.
+permissions: read-all
 
 env:
   PLATFORM: linux/amd64,linux/arm64/v8

.github/workflows/ci-stable-release.yml

@@ -5,7 +5,9 @@ on:
     branches: [main]
     paths:
       - "STABLE-RELEASE"
-    #  - ".github/workflows/ci-stable-release.yml"
+
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   push-stable-version:

.github/workflows/ci-systemd-release.yml

@@ -5,8 +5,8 @@ on:
     tags:
       - "*"
 
-permissions:
-  contents: write
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   goreleaser:
@@ -33,6 +33,8 @@ jobs:
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v2
+        permissions:
+          contents: write
         with:
           distribution: goreleaser
           version: v1.12.2

.github/workflows/ci-test-controllers.yml

@@ -8,6 +8,9 @@ on:
       - "pkg/**"
       - ".github/workflows/ci-test-controllers.yml"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   kubearmor-controller-test:
     name: Build and Test KubeArmorController Using Ginkgo
@@ -43,7 +46,7 @@ jobs:
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
           make -C tests/k8s_env/
-        timeout-minutes: 20
+        timeout-minutes: 30
 
       - name: Get karmor sysdump
         if: ${{ failure() }}

.github/workflows/ci-test-ginkgo.yml

@@ -19,6 +19,10 @@ on:
       - ".github/workflows/ci-test-ginkgo.yml"
       - "pkg/KubeArmorOperator/**"
       - "deployments/helm/**"
+
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }}

.github/workflows/ci-test-go.yml

@@ -18,6 +18,8 @@ on:
       - ".github/workflows/ci-test-go.yml"
       - "pkg/KubeArmorOperator/**"
 
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   go-fmt:

.github/workflows/ci-test-helm-charts.yml

@@ -12,6 +12,9 @@ on:
       - "deployments/helm/**"
       - ".github/workflows/ci-test-helm-charts.yml"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   lint:
     name: Helm Chart Tests / ubuntu 20.04

.github/workflows/ci-test-operator.yaml

@@ -17,6 +17,9 @@ on:
       - "deployments/**"
       - "KubeArmor/utils/**"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   kubearmor-operator-test:
     name: Build KubeArmor Operator

.github/workflows/ci-test-systemd.yml

@@ -16,6 +16,9 @@ on:
       - "protobuf/**"
       - ".github/workflows/ci-test-systemd.yml"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     name: Test KubeArmor in Systemd Mode

.github/workflows/ci-test-ubi-image.yml

@@ -16,6 +16,9 @@ on:
       - "protobuf/**"
       - ".github/workflows/ci-test-ginkgo.yml"
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   build:
     name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }}

.github/workflows/codeql.yml

@@ -19,6 +19,9 @@ on:
   schedule:
     - cron: '30 17 * * 5'
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
@@ -28,15 +31,6 @@ jobs:
       # required for all workflows
       security-events: write
 
-      # only required for workflows in private repositories
-      actions: read
-      contents: read
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'c-cpp', 'go' ]
-
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -45,14 +39,7 @@ jobs:
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v3
       with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-
-        # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
-
+        languages: 'go'
 
     # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
     # If this step fails, then you should remove it and run the build manually (see below)
@@ -62,4 +49,4 @@ jobs:
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3
       with:
-        category: "/language:${{matrix.language}}"
+        category: "/language:go"