add explicit permissions to GitHub Actions workflows (#130)

bluesentinelsec · web-flow · commit 30f9ad0262c0 · 2025-08-27T12:49:40.000-04:00
diff --git a/.github/workflows/build_scan_container.yml b/.github/workflows/build_scan_container.yml
@@ -12,6 +12,11 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+  actions: write  # For uploading artifacts
+
 jobs:
   build:
     name: Build docker image
diff --git a/.github/workflows/example_display_findings.yml b/.github/workflows/example_display_findings.yml
@@ -8,6 +8,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/run_unit_tests.yml b/.github/workflows/run_unit_tests.yml
@@ -7,6 +7,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/scan_repo_with_semgrep.yml b/.github/workflows/scan_repo_with_semgrep.yml
@@ -2,6 +2,9 @@ name: Semgrep Scan
 
 on: [push]
 
+permissions:
+  contents: read
+
 jobs:
   semgrep:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_archive.yml b/.github/workflows/test_archive.yml
@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_binary.yml b/.github/workflows/test_binary.yml
@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_containers.yml b/.github/workflows/test_containers.yml
@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_dockerfile_vulns.yml b/.github/workflows/test_dockerfile_vulns.yml
@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_installation.yml b/.github/workflows/test_installation.yml
@@ -11,6 +11,10 @@ on:
     branches:
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_no_vulns.yml b/.github/workflows/test_no_vulns.yml
@@ -7,6 +7,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_reports_no_vulns.yml b/.github/workflows/test_reports_no_vulns.yml
@@ -5,6 +5,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_repository.yml b/.github/workflows/test_repository.yml
@@ -11,6 +11,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   daily_job:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_vuln_thresholds.yml b/.github/workflows/test_vuln_thresholds.yml
@@ -10,6 +10,10 @@ on:
     branches: #
       - '*'
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     name: Build docker image
