From 1618d0f4908ec8b6be9e377917346f057c17463c Mon Sep 17 00:00:00 2001
From: Zach Trocinski <30884663+oZakari@users.noreply.github.com>
Date: Mon, 11 Nov 2024 21:46:43 -0600
Subject: [PATCH] Adjust permission scopes (#898)
---
 .github/workflows/bicep-build-to-validate.yml | 2 --
 .github/workflows/code-review.yml | 3 ---
 .github/workflows/psdocs-mdtogit.yml | 4 +++-
 .github/workflows/release.yml | 4 +++-
 .github/workflows/scheduled-bicep-build.yml | 3 ++-
 .github/workflows/scorecard.yml | 1 -
 6 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/bicep-build-to-validate.yml b/.github/workflows/bicep-build-to-validate.yml
index 5f4e0bdf..2ccc6118 100644
--- a/.github/workflows/bicep-build-to-validate.yml
+++ b/.github/workflows/bicep-build-to-validate.yml
@@ -15,7 +15,6 @@ jobs:
 bicep_unit_tests:
 name: Bicep Build & Lint All Modules
 runs-on: ubuntu-latest
-
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -117,7 +116,6 @@ jobs:
 azure_waf:
 name: Test Azure Well-Architected Framework (PSRule)
 runs-on: ubuntu-latest
-
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index 7b9e5042..3ce49d10 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -17,9 +17,7 @@ jobs:
 statuses: write # for github/super-linter to mark status of each linter run
 name: Lint code base
 runs-on: ubuntu-latest
-
 steps:
-
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
@@ -51,7 +49,6 @@ jobs:
 markdown-link-check:
 name: Markdown Link Check
 runs-on: ubuntu-latest
-
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
diff --git a/.github/workflows/psdocs-mdtogit.yml b/.github/workflows/psdocs-mdtogit.yml
index 29623abf..499eb5c1 100644
--- a/.github/workflows/psdocs-mdtogit.yml
+++ b/.github/workflows/psdocs-mdtogit.yml
@@ -19,11 +19,13 @@ env:
 github_pr_repo: ${{ github.event.pull_request.head.repo.full_name }}
 permissions:
- contents: write
+ contents: read
 jobs:
 arm_docs:
 name: Generate Markdown
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a1fcecb2..85ff7493 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,11 +9,13 @@ on:
 - main
 permissions:
- contents: write
+ contents: read
 jobs:
 release:
 name: Generate Accelerator Release Artifacts
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
diff --git a/.github/workflows/scheduled-bicep-build.yml b/.github/workflows/scheduled-bicep-build.yml
index 312845f2..a8a2e588 100644
--- a/.github/workflows/scheduled-bicep-build.yml
+++ b/.github/workflows/scheduled-bicep-build.yml
@@ -2,7 +2,6 @@ name: Unit Tests - Scheduled Bicep Build
 permissions:
 contents: read
- issues: write
 on:
 schedule:
@@ -13,6 +12,8 @@ jobs:
 bicep_unit_tests:
 name: Bicep Build & Lint All Modules
 if: github.repository == 'Azure/ALZ-Bicep'
+ permissions:
+ issues: write
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 53275609..03a3be02 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -29,7 +29,6 @@ jobs:
 # Uncomment the permissions below if installing in a private repository.
 # contents: read
 # actions: read
-
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
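Review bot: The job-level `permissions:` block added to `arm_docs` replaces the workflow-level set for that job rather than adding to it, so the job still runs with `contents: write` and gains nothing from the workflow-level narrowing to `contents: read`; the `release` job in release.yml in this same commit has the identical shape. The narrowing only benefits other jobs in these two workflows, which are outside both hunks, so it is worth confirming such jobs exist. Because `github_pr_repo` reads `github.event.pull_request.head.repo.full_name`, the psdocs workflow appears to run on pull-request events (the `on:` block is outside the hunk), and a write-scoped token in a PR-triggered job should say which step needs it, e.g. `contents: write # required by the step that pushes generated markdown — confirm which step`.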
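Review bot: Moving `issues: write` to the job level means `bicep_unit_tests` no longer inherits `contents: read` from the workflow-level block, because a job-level `permissions:` key sets every unlisted scope to none (only `metadata: read` is always granted). If this job checks out the repository — likely given its name, though its steps are outside the hunk — the token may no longer be able to read it, so the job block should list both scopes: `permissions:` / `  contents: read` / `  issues: write`. That keeps the workflow-level `contents: read` as the default for other jobs while this job adds only the single write scope it needs.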