From 61c6bd5acef1313cdcc707dbd8b9cede6bf672f6 Mon Sep 17 00:00:00 2001 From: Bruno Oliveira da Silva Date: Fri, 4 Oct 2024 09:17:35 -0300 Subject: [PATCH] Apply the principle of least privilege for GitHub workflows (#33534) Closes #33544 Signed-off-by: Bruno Oliveira da Silva --- .github/workflows/aurora-delete.yml | 3 +++ .github/workflows/ci.yml | 3 +++ .github/workflows/codeql-analysis.yml | 3 +++ .github/workflows/documentation.yml | 5 ++++- .github/workflows/guides.yml | 3 +++ .github/workflows/js-ci.yml | 3 +++ .github/workflows/label.yml | 3 +++ .github/workflows/operator-ci.yml | 3 +++ .github/workflows/quarkus-next.yml | 3 +++ .github/workflows/schedule-nightly.yml | 3 +++ .github/workflows/snyk-analysis.yml | 3 +++ .github/workflows/trivy-analysis.yml | 3 +++ .github/workflows/weblate.yml | 3 +++ 13 files changed, 40 insertions(+), 1 deletion(-) diff --git a/.github/workflows/aurora-delete.yml b/.github/workflows/aurora-delete.yml index a2759dda6bc..db0ed1a4656 100644 --- a/.github/workflows/aurora-delete.yml +++ b/.github/workflows/aurora-delete.yml @@ -12,6 +12,9 @@ on: type: string required: true +permissions: + contents: read + jobs: delete: name: Delete Aurora DB diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index afa797e7164..adf98776397 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -22,6 +22,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: conditional: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index b51c2bb5620..d68a0ce2296 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -22,6 +22,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: conditional: diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml index 1843f08d6e7..e9e9830b2a2 100644 --- a/.github/workflows/documentation.yml +++ b/.github/workflows/documentation.yml 
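Review bot: The new workflow-level `permissions: contents: read` in aurora-delete.yml drops every other GITHUB_TOKEN scope, including `id-token`, so if the `delete` job authenticates to AWS through OIDC (`aws-actions/configure-aws-credentials` with `role-to-assume`) it will no longer be able to mint a token unless the job declares its own block such as `permissions:` / `  id-token: write` / `  contents: read`. The job body is outside this hunk, so this is a point to verify rather than a confirmed break; if the job uses static AWS keys from secrets instead, the new grant is correct as written. Keep in mind that a job-level `permissions:` replaces the workflow-level block rather than merging with it, so `contents: read` must be repeated there if the job checks out the repository.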
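Review bot: The `permissions: contents: read` block added to ci.yml is the right default, but only the `conditional` job is visible in this hunk and the remaining jobs lie outside it, so any job that relied on the previous default token (for example `checks: write` or `pull-requests: write` to publish test results or comment on a PR) will now get a 403 until it declares that scope itself. When such a job-level block is added it replaces the workflow-level one entirely, so it should be written as `permissions:` / `  contents: read` / `  pull-requests: write`, not just the extra scope, or the checkout step loses read access. A short comment above the new block, such as `# Jobs needing more than read access must declare their own permissions block (it replaces this one).`, would save the next contributor a failed run.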
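Review bot: With the workflow-level `permissions: contents: read` added to codeql-analysis.yml, the job that runs `github/codeql-action/analyze` is likely to lose the ability to upload results, because writing to code scanning needs `security-events: write` (plus `actions: read` on private repositories), neither of which the new block grants. The analyze job is outside this hunk; if it already carries its own `permissions:` block it is unaffected, otherwise give it `permissions:` / `  contents: read` / `  security-events: write` at job level rather than widening the workflow-level grant.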
@@ -21,6 +21,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: conditional: @@ -99,4 +102,4 @@ jobs: - uses: actions/checkout@v4 - uses: ./.github/actions/status-check with: - jobs: ${{ toJSON(needs) }} \ No newline at end of file + jobs: ${{ toJSON(needs) }} diff --git a/.github/workflows/guides.yml b/.github/workflows/guides.yml index 720398a37e5..76c27fe4af3 100644 --- a/.github/workflows/guides.yml +++ b/.github/workflows/guides.yml @@ -21,6 +21,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: conditional: diff --git a/.github/workflows/js-ci.yml b/.github/workflows/js-ci.yml index f48ae5abf62..64beb1ba5f4 100644 --- a/.github/workflows/js-ci.yml +++ b/.github/workflows/js-ci.yml @@ -21,6 +21,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: conditional: name: Check conditional workflows and jobs diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml index 92be95950bb..1426a7786b0 100644 --- a/.github/workflows/label.yml +++ b/.github/workflows/label.yml @@ -3,6 +3,9 @@ on: pull_request_target: types: closed +permissions: + contents: read + jobs: label: diff --git a/.github/workflows/operator-ci.yml b/.github/workflows/operator-ci.yml index 732b677d3b1..29384b7ed03 100644 --- a/.github/workflows/operator-ci.yml +++ b/.github/workflows/operator-ci.yml @@ -23,6 +23,9 @@ concurrency: group: operator-ci-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: conditional: diff --git a/.github/workflows/quarkus-next.yml b/.github/workflows/quarkus-next.yml index ec235fbf221..8d88bcc2102 100644 --- a/.github/workflows/quarkus-next.yml +++ b/.github/workflows/quarkus-next.yml @@ -14,6 +14,9 @@ concurrency: group: quarkus-next-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: update-quarkus-next-branch: name: Update quarkus-next branch 
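Review bot: The `conditional` job named in the js-ci.yml hunk ("Check conditional workflows and jobs") presumably decides which jobs to run from the changed paths; if it does so with an action that queries the pull-request API (dorny/paths-filter and similar), it needs `pull-requests: read`, which the new workflow-level `permissions: contents: read` no longer supplies on `pull_request` events. The job body is outside the hunk, so this needs verifying; the fix would be a job-level `permissions:` / `  contents: read` / `  pull-requests: read` on `conditional`, leaving the workflow-level grant as it is. The same job name appears in the ci.yml, codeql-analysis.yml, documentation.yml, guides.yml and operator-ci.yml hunks of this patch, so whatever the answer is here applies to all of them.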
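Review bot: The `label` job that follows the label.yml hunk runs on `pull_request_target` when a PR is closed and, going by its name, applies a label to the PR, which requires `pull-requests: write`; the new workflow-level `permissions: contents: read` removes that scope, so the job will fail unless it declares its own block such as `permissions:` / `  pull-requests: write`. The job body is outside the hunk, so confirm whether it already does. Because `pull_request_target` runs with the base repository's secrets, keeping the grant this narrow and at job level is the right shape; do not resolve it by widening the workflow-level block, and make sure the job never checks out or executes the PR head.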
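Review bot: The `update-quarkus-next-branch` job under the quarkus-next.yml hunk, judging by its name, pushes to the `quarkus-next` branch, and a push with GITHUB_TOKEN requires `contents: write`; the new workflow-level `permissions: contents: read` will make that push fail unless the job declares `permissions:` / `  contents: write` itself. The job body is outside the hunk, so this needs confirming. If the push instead uses a PAT or GitHub App token from secrets, the new restriction does not affect it, but that token then sits outside the least-privilege control this patch introduces and its scope should be reviewed separately.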
diff --git a/.github/workflows/schedule-nightly.yml b/.github/workflows/schedule-nightly.yml index a3c93a62013..d2415087868 100644 --- a/.github/workflows/schedule-nightly.yml +++ b/.github/workflows/schedule-nightly.yml @@ -5,6 +5,9 @@ on: - cron: '0 0 * * *' workflow_dispatch: +permissions: + contents: read + jobs: setup: diff --git a/.github/workflows/snyk-analysis.yml b/.github/workflows/snyk-analysis.yml index 3f882b7a049..721839e868d 100644 --- a/.github/workflows/snyk-analysis.yml +++ b/.github/workflows/snyk-analysis.yml @@ -10,6 +10,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: analysis: name: Analysis of Quarkus and Operator diff --git a/.github/workflows/trivy-analysis.yml b/.github/workflows/trivy-analysis.yml index f368b899442..15f2517e73b 100644 --- a/.github/workflows/trivy-analysis.yml +++ b/.github/workflows/trivy-analysis.yml @@ -7,6 +7,9 @@ defaults: run: shell: bash +permissions: + contents: read + jobs: analysis: diff --git a/.github/workflows/weblate.yml b/.github/workflows/weblate.yml index 98c5de4c3f6..ba569f04e72 100644 --- a/.github/workflows/weblate.yml +++ b/.github/workflows/weblate.yml @@ -22,6 +22,9 @@ concurrency: group: weblate-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: update-weblate: name: Trigger Weblate to pull the latest changes
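Review bot: If the jobs in schedule-nightly.yml call reusable workflows with `uses:` or dispatch other workflows, the new workflow-level `permissions: contents: read` is now the ceiling for them: a called workflow can only narrow the caller's token, and a `gh workflow run` or `workflow_dispatch` API call needs `actions: write`. Only the `setup` job name is visible in this hunk, so confirm what the nightly jobs actually do and grant any extra scope at job level where needed, e.g. `permissions:` / `  contents: read` / `  actions: write`.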
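Review bot: Snyk authenticates with its own token rather than GITHUB_TOKEN, so the new `permissions: contents: read` in snyk-analysis.yml is sufficient for the scan itself, but if the `analysis` job uploads a SARIF report to code scanning (`github/codeql-action/upload-sarif`) that upload needs `security-events: write`, which the workflow-level block no longer provides. The job body is outside the hunk; if it does upload, add `permissions:` / `  contents: read` / `  security-events: write` to the job.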
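Review bot: The `analysis` job below the trivy-analysis.yml hunk runs Trivy, and if its findings are pushed to the Security tab via `upload-sarif` the job needs `security-events: write`, which the new workflow-level `permissions: contents: read` withholds. Verify the job body, which is outside the hunk, and if needed declare the scope on the job as `permissions:` / `  contents: read` / `  security-events: write`; if the scan only fails the build on findings, the new grant is enough.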