From 018a18850c45f7c95a87acfbd7179451d637fe60 Mon Sep 17 00:00:00 2001
From: Avgustin Marinov
Date: Tue, 18 Nov 2025 16:23:30 +0200
Subject: [PATCH] Restrict permissions to github token for workflows (#2821)
Signed-off-by: Avgustin Marinov
---
 .github/workflows/reusable_workflow_license-scan.yaml | 3 +++
 .github/workflows/reusable_workflow_tag.yaml | 6 +++---
 .github/workflows/reusable_workflow_trivy-scan.yaml | 10 +++++-----
 .github/workflows/reusable_workflow_verify.yaml | 3 +++
 .github/workflows/stale.yaml | 11 ++++++++---
 5 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/reusable_workflow_license-scan.yaml b/.github/workflows/reusable_workflow_license-scan.yaml
index 0e3113dc3..1aa86da20 100644
--- a/.github/workflows/reusable_workflow_license-scan.yaml
+++ b/.github/workflows/reusable_workflow_license-scan.yaml
@@ -16,6 +16,9 @@ on:
 description: 'GitLab API token for Dash IP lab (needed only if open_tickets is true)'
 required: false
+permissions:
+ contents: write
+
 jobs:
 reusable_workflow_license-scan:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/reusable_workflow_tag.yaml b/.github/workflows/reusable_workflow_tag.yaml
index 683f889f4..911c28752 100644
--- a/.github/workflows/reusable_workflow_tag.yaml
+++ b/.github/workflows/reusable_workflow_tag.yaml
@@ -16,13 +16,13 @@ on:
 description: 'If to override the tag if already exists'
 default: false
+permissions:
+ contents: write
+
 jobs:
 tag:
 runs-on: ubuntu-latest
- permissions:
- contents: write
-
 steps:
 - uses: actions/checkout@v5
diff --git a/.github/workflows/reusable_workflow_trivy-scan.yaml b/.github/workflows/reusable_workflow_trivy-scan.yaml
index 67c4f66b6..da496dbd9 100644
--- a/.github/workflows/reusable_workflow_trivy-scan.yaml
+++ b/.github/workflows/reusable_workflow_trivy-scan.yaml
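Review bot: The new workflow-level `contents: write` in reusable_workflow_license-scan.yaml is the only write grant in this commit that carries no justification, while the trivy hunk annotates its `security-events: write`; a reader of a "restrict permissions" change cannot tell from the hunk why a license scan needs to write to the repository. If the job only checks out sources and opens tickets through the Dash token passed as an input, `contents: read` is sufficient; if it commits or pushes a regenerated DEPENDENCIES file, say so above the grant, e.g. `# write: the job pushes the regenerated DEPENDENCIES file` above `contents: write`. Note also that in a called reusable workflow this block cannot exceed what the caller grants, so every caller must already hand over `contents: write` for this to take effect; the job steps that would confirm the need are outside the hunk.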
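Review bot: Moving `permissions: contents: write` from the `tag` job to the workflow level in reusable_workflow_tag.yaml widens scope rather than restricting it: a workflow-level grant is inherited by every job added to this file later, whereas the removed job-level block confined the write token to the one job that creates the tag. With a single job the two are equivalent today, so either keep the job-level block or leave a comment stating that no other job may be added here without revisiting the grant, e.g. `# write is needed only to push the tag; keep this file single-job`. Given the token now holds write on the repository, the mutable `actions/checkout@v5` tag in the same job (context here, unchanged by the commit) is worth pinning to a commit SHA as a follow-up.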
@@ -12,15 +12,15 @@ on:
 type: boolean
 default: false
+permissions:
+ contents: read
+ # needed for trivy scans upload
+ security-events: write
+
 jobs:
 trivy-scan:
 runs-on: ubuntu-latest
- permissions:
- contents: read
- # needed for trivy scans upload
- security-events: write
-
 steps:
 - name: Checkout code
 uses: actions/checkout@v5
diff --git a/.github/workflows/reusable_workflow_verify.yaml b/.github/workflows/reusable_workflow_verify.yaml
index 44e01e58f..63d982a08 100644
--- a/.github/workflows/reusable_workflow_verify.yaml
+++ b/.github/workflows/reusable_workflow_verify.yaml
@@ -16,6 +16,9 @@ on:
 default: ''
 description: 'Properties to pass to Maven command line, e.g. -Djpa.vendor=hibernate'
+permissions:
+ contents: read
+
 jobs:
 reusable_workflow_verify:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index dc4850754..b49d669c7 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -6,6 +6,12 @@ on:
 schedule:
 - cron: "0 0 * * *"
+permissions:
+ contents: read
+ issues: write
+ # only needed if marking PRs as stale
+# pull-requests: write
+
 jobs:
 stale:
 # only on original eclipse-hawkbit/hawkbit repo
@@ -16,12 +22,11 @@ jobs:
 - uses: actions/stale@v10
 with:
 repo-token: ${{ secrets.PAT_SECRET }}
+ # disables automatic marking of issues as stale
 days-before-stale: -1
 days-before-close: 15
 stale-issue-label: 'awaiting'
 close-issue-message: |-
 There has been no response from the original author so I closed this issue.
 Please reach out if you have or find the answers we need so that we can investigate further.
- only-labels: 'awaiting'
- skip-stale-issue-message: 'true'
- skip-stale-pr-message: 'true'
\ No newline at end of file
+ only-labels: 'awaiting'
\ No newline at end of file
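Review bot: Lifting `security-events: write` from the `trivy-scan` job to the workflow level in reusable_workflow_trivy-scan.yaml is a scope widening, not a restriction: the removed job-level block confined the code-scanning write grant to the one job that uploads results, while the new block applies to any job later added to this file. Since the file has a single job today the effect is the same, so either keep the block on the job or add a note such as `# single-job workflow: the grant below is scoped to trivy-scan` so the next maintainer does not add a build job that silently inherits it. If the upload step (outside the hunk) is `github/codeql-action/upload-sarif`, note that on private repositories it additionally needs `actions: read` to read the workflow run, which this block does not grant; harmless for a public repo but worth a comment if the reusable workflow is shared.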
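Review bot: The commented-out `# pull-requests: write` in the first stale.yaml hunk sits at column 0, so the line a maintainer would uncomment is not nested under `permissions:` and would be rejected as an unknown top-level workflow key; the comment above it is indented under the block, so the two lines disagree on where the key lives. Indent it with its sibling keys, `  # pull-requests: write`, so uncommenting it yields a valid grant. Note as well that actions/stale processes pull requests by default, so with the GITHUB_TOKEN and this key absent any `awaiting`-labelled PR would hit a 403 on close rather than being skipped; the comment should say that too, or `only-labels`/`days-before-pr-close` should exclude PRs explicitly.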
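Review bot: In the second stale.yaml hunk the step still passes `repo-token: ${{ secrets.PAT_SECRET }}`, so the `permissions:` block this commit adds does not constrain the credential the action actually uses: `permissions` scopes `GITHUB_TOKEN` only, while a personal access token carries whatever scopes it was created with, typically full `repo` on the owning account. For the declared `contents: read` / `issues: write` to mean anything, switch to `repo-token: ${{ secrets.GITHUB_TOKEN }}` (or drop the key, the action defaults to `github.token`); if the PAT is deliberate, for example to have closures trigger other workflows, record that next to it, `# PAT used intentionally: GITHUB_TOKEN events do not trigger follow-up workflows; the permissions block above does not apply to it`. The trailing `\ No newline at end of file` on the re-added `only-labels` line is a style nit worth fixing in the same touch.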