From d3bd21cf8aab6ba93669c0f2647703b16029564d Mon Sep 17 00:00:00 2001
From: Bernd Schorgers
Date: Thu, 24 Apr 2025 08:03:41 +0200
Subject: [PATCH] ci: Set workflow permissions
---
 .github/workflows/chart-release-steps.yaml | 3 +++
 .github/workflows/charts-lint.yaml | 3 +++
 .github/workflows/charts-release.yaml | 13 +++++++++++++
 .github/workflows/charts-test.yaml | 5 ++++-
 .github/workflows/docs-release.yaml | 4 +++-
 5 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/chart-release-steps.yaml b/.github/workflows/chart-release-steps.yaml
index 18006d3f..b893cf99 100644
--- a/.github/workflows/chart-release-steps.yaml
+++ b/.github/workflows/chart-release-steps.yaml
@@ -41,6 +41,9 @@ on:
 required: false
 type: string
+permissions:
+ contents: read
+
 jobs:
 release-chart:
 name: Release chart
diff --git a/.github/workflows/charts-lint.yaml b/.github/workflows/charts-lint.yaml
index 38175a2e..de6f2e92 100644
--- a/.github/workflows/charts-lint.yaml
+++ b/.github/workflows/charts-lint.yaml
@@ -17,6 +17,9 @@ on:
 required: false
 type: string
+permissions:
+ contents: read
+
 jobs:
 validate-required-changes:
 name: Validate required changes
diff --git a/.github/workflows/charts-release.yaml b/.github/workflows/charts-release.yaml
index 0f996235..2f56268e 100644
--- a/.github/workflows/charts-release.yaml
+++ b/.github/workflows/charts-release.yaml
@@ -17,6 +17,9 @@ on:
 paths:
 - "charts/**"
+permissions:
+ contents: read
+
 jobs:
 prepare:
 name: Prepare data required for workflow
@@ -127,6 +130,11 @@ jobs:
 chart: ${{ fromJSON(needs.prepare.outputs.libraryChartsToRelease) }}
 fail-fast: false
 max-parallel: 1
+ permissions:
+ pages: write
+ id-token: write
+ contents: write
+ packages: write
 uses: ./.github/workflows/chart-release-steps.yaml
 with:
 chart: ${{ matrix.chart }}
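Review bot: The top-level `contents: read` added to chart-release-steps.yaml becomes the effective token scope of the release-chart job unless that job declares its own `permissions` block, and the job body lies outside this hunk so that cannot be confirmed here. A called reusable workflow's token is the caller's grant narrowed by the called workflow's own permissions keys, so the `pages`, `id-token`, `contents` and `packages` write scopes that charts-release.yaml now passes in would be discarded and any push, Pages or package publish step in the job would run with a read-only token. Worth verifying that release-chart carries a job-level block listing exactly the write scopes its steps consume, and documenting the intent on the new key, e.g. `# default for every job; the release job widens this explicitly below`.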
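Review bot: The five-line write-scope block added to the library-charts release job in the `@@ -127,6 +130,11 @@` hunk of charts-release.yaml is repeated verbatim on the other-charts release job in the `@@ -151,6 +159,11 @@` hunk, with no comment saying which step of the called workflow consumes each scope, so the two copies will drift silently if one is later narrowed. Both jobs `uses:` the same chart-release-steps.yaml, so a comment above each block, `# scopes chart-release-steps.yaml requests; keep both release jobs in sync`, would make the coupling visible. Granting `id-token: write` alongside three other write scopes to a matrix job is a broad token; if any scope is only needed by a single step, naming that step in the comment would let a later reviewer judge whether it can be dropped.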
@@ -151,6 +159,11 @@ jobs:
 chart: ${{ fromJSON(needs.prepare.outputs.otherChartsToRelease) }}
 fail-fast: false
 max-parallel: 1
+ permissions:
+ pages: write
+ id-token: write
+ contents: write
+ packages: write
 uses: ./.github/workflows/chart-release-steps.yaml
 with:
 chart: ${{ matrix.chart }}
diff --git a/.github/workflows/charts-test.yaml b/.github/workflows/charts-test.yaml
index 65c3d127..545a79f8 100644
--- a/.github/workflows/charts-test.yaml
+++ b/.github/workflows/charts-test.yaml
@@ -17,6 +17,9 @@ on:
 required: false
 type: string
+permissions:
+ contents: read
+
 jobs:
 install-chart:
 name: Install chart
@@ -60,7 +63,7 @@ jobs:
 python-version: "3.11"
 - name: Set up chart-testing
- uses: helm/chart-testing-action@v2.6.1
+ uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0
 - name: Create k3d cluster
 uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
diff --git a/.github/workflows/docs-release.yaml b/.github/workflows/docs-release.yaml
index d321b070..ee4d4a4b 100644
--- a/.github/workflows/docs-release.yaml
+++ b/.github/workflows/docs-release.yaml
@@ -11,7 +11,7 @@ on:
 - "docs/**"
 permissions:
- contents: write
+ contents: read
 jobs:
 release-docs:
@@ -19,6 +19,8 @@ jobs:
 runs-on: ubuntu-22.04
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
+ permissions:
+ contents: write
 steps:
 - name: Generate Token
 uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2
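Review bot: The job-level `contents: write` restored on release-docs in the `@@ -19,6 +19,8 @@` hunk of docs-release.yaml may be wider than the job needs, because its first step mints a GitHub App installation token via `actions/create-github-app-token`, which suggests the push is made with that token rather than with GITHUB_TOKEN. If no later step writes with `${{ github.token }}`, the job can inherit the workflow's new `contents: read` and this block can go; if a step does, a comment above the block naming that step would justify the grant. The rest of the release-docs job lies outside this hunk, so which token performs the write cannot be confirmed from the diff.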