Ensure that the project’s automated workflows tokens are set to read-only by default (#37643)

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com> Closes #33544
2026-05-28 04:13:22 -04:00 · 2025-03-17 11:48:37 -03:00 · 2025-03-17 11:48:37 -03:00 · 21c903e562
commit 21c903e562
parent 7aa5130628
13 changed files with 60 additions and 8 deletions
--- a/.github/workflows/aurora-delete.yml
+++ b/.github/workflows/aurora-delete.yml
@ -12,6 +12,9 @@ on:
        type: string
        required: true

+permissions:
+  contents: read
+
 jobs:
  delete:
    name: Delete Aurora DB
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -22,6 +22,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+
 jobs:

  conditional:
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -22,8 +22,10 @@ defaults:
  run:
    shell: bash

-jobs:
+permissions:
+  contents: read

+jobs:
  conditional:
    name: Check conditional workflows and jobs
    runs-on: ubuntu-latest
@ -43,6 +45,8 @@ jobs:
    name: CodeQL Java
    needs: conditional
    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for SARIF upload
    if: needs.conditional.outputs.java == 'true'
    outputs:
      conclusion: ${{ steps.check.outputs.conclusion }}
@ -69,6 +73,8 @@ jobs:
    name: CodeQL JavaScript
    needs: conditional
    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for SARIF upload
    if: needs.conditional.outputs.javascript == 'true'
    outputs:
      conclusion: ${{ steps.check.outputs.conclusion }}
@ -94,6 +100,8 @@ jobs:
    name: CodeQL TypeScript
    needs: conditional
    runs-on: ubuntu-latest
+    permissions:
+      security-events: write  # Required for SARIF upload
    if: needs.conditional.outputs.typescript == 'true'
    outputs:
      conclusion: ${{ steps.check.outputs.conclusion }}
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@ -21,6 +21,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+  
 jobs:

  conditional:
--- a/.github/workflows/guides.yml
+++ b/.github/workflows/guides.yml
@ -21,6 +21,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+
 jobs:

  conditional:
--- a/.github/workflows/js-ci.yml
+++ b/.github/workflows/js-ci.yml
@ -22,6 +22,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+
 jobs:
  conditional:
    name: Check conditional workflows and jobs
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@ -3,14 +3,15 @@ on:
  pull_request_target:
    types: closed

+permissions:
+  contents: read
+  
 jobs:
  label:

    runs-on: ubuntu-latest
    permissions:
-      contents: read
-      issues: write
-
+      issues: write # Required to add labels to Issues
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/operator-ci.yml
+++ b/.github/workflows/operator-ci.yml
@ -23,6 +23,9 @@ concurrency:
  group: operator-ci-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:

  conditional:
--- a/.github/workflows/quarkus-next.yml
+++ b/.github/workflows/quarkus-next.yml
@ -14,12 +14,16 @@ concurrency:
  group: quarkus-next-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+  
 jobs:
  update-quarkus-next-branch:
    name: Update quarkus-next branch
    if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
    runs-on: ubuntu-latest
-
+    permissions:
+      contents: write # Required to push changes to the repository
    steps:
      - uses: actions/checkout@v4
        with:
@ -42,6 +46,8 @@ jobs:
  run-matrix-with-quarkus-next:
    name: Run workflow matrix with the quarkus-next branch
    runs-on: ubuntu-latest
+    permissions:
+      actions: write # Required to trigger workflows using gh
    needs:
      - update-quarkus-next-branch

--- a/.github/workflows/schedule-nightly.yml
+++ b/.github/workflows/schedule-nightly.yml
@ -5,11 +5,15 @@ on:
    - cron: '0 0 * * *'
  workflow_dispatch:

-jobs:
+permissions:
+  contents: read

+jobs:
  setup:
    if: github.event_name != 'schedule' || github.repository == 'keycloak/keycloak'
    runs-on: ubuntu-latest
+    permissions:
+      actions: write # Required to trigger workflows using gh
    outputs:
      latest-release-branch: ${{ steps.latest-release.outputs.branch }}
    steps:
@ -24,8 +28,9 @@ jobs:
  run-default-branch:
    name: Run default branch
    runs-on: ubuntu-latest
+    permissions:
+      actions: write # Required to trigger workflows using gh
    needs: setup
-
    strategy:
      matrix:
        workflow:
@ -47,7 +52,8 @@ jobs:
    name: Run latest release branch
    needs: setup
    runs-on: ubuntu-latest
-
+    permissions:
+      actions: write # Required to trigger workflows using gh
    strategy:
      matrix:
        workflow:
--- a/.github/workflows/snyk-analysis.yml
+++ b/.github/workflows/snyk-analysis.yml
@ -10,11 +10,16 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+
 jobs:
  analysis:
    name: Analysis of Quarkus and Operator
    runs-on: ubuntu-latest
    if: github.repository == 'keycloak/keycloak'
+    permissions:
+      security-events: write # Required for SARIF uploads
    steps:
      - uses: actions/checkout@v4

--- a/.github/workflows/trivy-analysis.yml
+++ b/.github/workflows/trivy-analysis.yml
@ -7,6 +7,9 @@ defaults:
  run:
    shell: bash

+permissions:
+  contents: read
+  
 jobs:

  analysis:
@ -17,6 +20,8 @@ jobs:
      matrix:
        container: [keycloak, keycloak-operator]
      fail-fast: false
+    permissions:
+      security-events: write # Required for SARIF uploads
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
--- a/.github/workflows/weblate.yml
+++ b/.github/workflows/weblate.yml
@ -22,6 +22,9 @@ concurrency:
  group: weblate-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+  
 jobs:
  update-weblate:
    name: Trigger Weblate to pull the latest changes