ci: Set workflow permissions

2025-07-04 00:47:04 +02:00 · 2025-04-24 08:03:41 +02:00 · 2025-04-24 08:03:41 +02:00 · d3bd21cf8a
commit d3bd21cf8a
parent 7025193763
5 changed files with 26 additions and 2 deletions
--- a/.github/workflows/chart-release-steps.yaml
+++ b/.github/workflows/chart-release-steps.yaml
@ -41,6 +41,9 @@ on:
        required: false
        type: string

+permissions:
+  contents: read
+
 jobs:
  release-chart:
    name: Release chart
--- a/.github/workflows/charts-lint.yaml
+++ b/.github/workflows/charts-lint.yaml
@ -17,6 +17,9 @@ on:
        required: false
        type: string

+permissions:
+  contents: read
+
 jobs:
  validate-required-changes:
    name: Validate required changes
--- a/.github/workflows/charts-release.yaml
+++ b/.github/workflows/charts-release.yaml
@ -17,6 +17,9 @@ on:
    paths:
      - "charts/**"

+permissions:
+  contents: read
+
 jobs:
  prepare:
    name: Prepare data required for workflow
@ -127,6 +130,11 @@ jobs:
        chart: ${{ fromJSON(needs.prepare.outputs.libraryChartsToRelease) }}
      fail-fast: false
      max-parallel: 1
+    permissions:
+      pages: write
+      id-token: write
+      contents: write
+      packages: write
    uses: ./.github/workflows/chart-release-steps.yaml
    with:
      chart: ${{ matrix.chart }}
@ -151,6 +159,11 @@ jobs:
        chart: ${{ fromJSON(needs.prepare.outputs.otherChartsToRelease) }}
      fail-fast: false
      max-parallel: 1
+    permissions:
+      pages: write
+      id-token: write
+      contents: write
+      packages: write
    uses: ./.github/workflows/chart-release-steps.yaml
    with:
      chart: ${{ matrix.chart }}
--- a/.github/workflows/charts-test.yaml
+++ b/.github/workflows/charts-test.yaml
@ -17,6 +17,9 @@ on:
        required: false
        type: string

+permissions:
+  contents: read
+
 jobs:
  install-chart:
    name: Install chart
@ -60,7 +63,7 @@ jobs:
          python-version: "3.11"

      - name: Set up chart-testing
-        uses: helm/chart-testing-action@v2.6.1
+        uses: helm/chart-testing-action@0d28d3144d3a25ea2cc349d6e59901c4ff469b3b # v2.7.0

      - name: Create k3d cluster
        uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
--- a/.github/workflows/docs-release.yaml
+++ b/.github/workflows/docs-release.yaml
@ -11,7 +11,7 @@ on:
      - "docs/**"

 permissions:
-  contents: write
+  contents: read

 jobs:
  release-docs:
@ -19,6 +19,8 @@ jobs:
    runs-on: ubuntu-22.04
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}
+    permissions:
+      contents: write
    steps:
      - name: Generate Token
        uses: actions/create-github-app-token@3ff1caaa28b64c9cc276ce0a02e2ff584f3900c5 # v2.0.2