Adjust permission scopes (#898)

2024-11-11 21:46:43 -06:00 · 2024-11-11 21:46:43 -06:00 · 1618d0f490
--- a/.github/workflows/bicep-build-to-validate.yml
+++ b/.github/workflows/bicep-build-to-validate.yml
@ -15,7 +15,6 @@ jobs:
  bicep_unit_tests:
    name: Bicep Build & Lint All Modules
    runs-on: ubuntu-latest
-
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@ -117,7 +116,6 @@ jobs:
  azure_waf:
    name: Test Azure Well-Architected Framework (PSRule)
    runs-on: ubuntu-latest
-
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@ -17,9 +17,7 @@ jobs:
      statuses: write  # for github/super-linter to mark status of each linter run
    name: Lint code base
    runs-on: ubuntu-latest
-
    steps:
-
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
@ -51,7 +49,6 @@ jobs:
  markdown-link-check:
    name: Markdown Link Check
    runs-on: ubuntu-latest
-
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
--- a/.github/workflows/psdocs-mdtogit.yml
+++ b/.github/workflows/psdocs-mdtogit.yml
@ -19,11 +19,13 @@ env:
  github_pr_repo: ${{ github.event.pull_request.head.repo.full_name }}

 permissions:
-  contents: write
+  contents: read

 jobs:
  arm_docs:
    name: Generate Markdown
+    permissions:
+      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -9,11 +9,13 @@ on:
      - main

 permissions:
-  contents: write
+  contents: read

 jobs:
  release:
    name: Generate Accelerator Release Artifacts
+    permissions:
+      contents: write
    runs-on: ubuntu-latest
    steps:
    - name: Harden Runner
--- a/.github/workflows/scheduled-bicep-build.yml
+++ b/.github/workflows/scheduled-bicep-build.yml
@ -2,7 +2,6 @@ name: Unit Tests - Scheduled Bicep Build

 permissions:
  contents: read
-  issues: write

 on:
  schedule:
@ -13,6 +12,8 @@ jobs:
  bicep_unit_tests:
    name: Bicep Build & Lint All Modules
    if: github.repository == 'Azure/ALZ-Bicep'
+    permissions:
+      issues: write
    runs-on: ubuntu-latest

    steps:
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -29,7 +29,6 @@ jobs:
      # Uncomment the permissions below if installing in a private repository.
      # contents: read
      # actions: read
-
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1