diff --git a/.github/workflows/auto-update.yml b/.github/workflows/auto-update.yml
index 59eedf58c6b..93073ab1f77 100644
--- a/.github/workflows/auto-update.yml
+++ b/.github/workflows/auto-update.yml
@@ -6,6 +6,10 @@ on:
 branches:
 - main
 
+permissions:
+ contents: write
+ pull-requests: read
+
 jobs:
 Auto:
 name: Auto-update
diff --git a/.github/workflows/generate-kubelet-flags.yaml b/.github/workflows/generate-kubelet-flags.yaml
index 685d7371df5..f738f2a960c 100644
--- a/.github/workflows/generate-kubelet-flags.yaml
+++ b/.github/workflows/generate-kubelet-flags.yaml
@@ -2,6 +2,11 @@ name: Generate valid kubelet flags per supported k8s version
 on:
 workflow_dispatch: {}
 
+# The push + PR creation steps below explicitly use secrets.PERSONAL_ACCESS_TOKEN,
+# so the default GITHUB_TOKEN does not need write scopes here.
+permissions:
+ contents: read
+
 jobs:
 generate-kubelet-flags:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml
index 28fda49471d..248cb6c51fe 100644
--- a/.github/workflows/go-test.yml
+++ b/.github/workflows/go-test.yml
@@ -1,6 +1,9 @@
 name: Go Unit Tests
 on: pull_request
 
+permissions:
+ contents: read
+
 jobs:
 go-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/no-sudo-check.yml b/.github/workflows/no-sudo-check.yml
index 1ca5121eb61..86dbd7f8197 100644
--- a/.github/workflows/no-sudo-check.yml
+++ b/.github/workflows/no-sudo-check.yml
@@ -1,6 +1,9 @@
 name: Check for sudo in CSE scripts
 on: pull_request
 
+permissions:
+ contents: read
+
 jobs:
 no-sudo:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index f20c43e935c..0358562cb04 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -1,6 +1,9 @@
 name: Lint Shell/Bash Scripts
 on: pull_request
 
+permissions:
+ contents: read
+
 jobs:
 shellcheck:
 runs-on: ubuntu-latest
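Review bot: `contents: write` is granted to every job in this workflow with no comment saying which step needs it, whereas the generate-kubelet-flags.yaml hunk in the same change documents its token rationale; the `Auto` job body is outside the hunk, so the need cannot be confirmed here. Please add a line such as `# contents: write: <step that pushes> must push to the repo; pull-requests: read: <step> lists PRs` above `permissions:`, replacing the placeholders with the actual steps. If the workflow ever gains a second job, consider moving the block to job level so only the pushing job holds write.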
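Review bot: The new comment explains why GITHUB_TOKEN can stay read-only, but it also shows that the write path depends on `secrets.PERSONAL_ACCESS_TOKEN`, whose scopes this `permissions:` block does not constrain; a reader may take the block as the whole least-privilege story. Suggest appending `# The PAT's own scopes are managed in the repository secret settings and must be reviewed separately.` to that comment. The steps the comment refers to are below the hunk and cannot be checked here.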
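Review bot: `contents: read` becomes the only scope GITHUB_TOKEN carries for the whole workflow, and every step of the `go-test` job is outside this hunk, so it cannot be confirmed from here that no step uses the token for anything beyond checkout; anything that posts to the GitHub API with GITHUB_TOKEN (check-run annotations, PR comments) would now fail with 403. Please confirm against the job bodies before merging. The same applies to the identical blocks added in no-sudo-check.yml, shellcheck.yml, shellspec.yaml, validate-components.yml, validate-image-version.yml, validate-windows-binary-signature.yaml and validate-windows-ut.yml.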
diff --git a/.github/workflows/shellspec.yaml b/.github/workflows/shellspec.yaml
index 851a020ca67..4f264294182 100644
--- a/.github/workflows/shellspec.yaml
+++ b/.github/workflows/shellspec.yaml
@@ -1,6 +1,9 @@
 name: Shell/Bash Script Unit Tests
 on: pull_request
 
+permissions:
+ contents: read
+
 jobs:
 shellspec:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-components.yml b/.github/workflows/validate-components.yml
index d48e4c4b2a6..4a92b2a3239 100644
--- a/.github/workflows/validate-components.yml
+++ b/.github/workflows/validate-components.yml
@@ -1,6 +1,9 @@
 name: Validate Components
 on: pull_request
 
+permissions:
+ contents: read
+
 jobs:
 cue:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-image-version.yml b/.github/workflows/validate-image-version.yml
index 75d8cf28775..6e630815fdb 100644
--- a/.github/workflows/validate-image-version.yml
+++ b/.github/workflows/validate-image-version.yml
@@ -1,6 +1,9 @@
 name: validate-image-version
 on: pull_request
 
+permissions:
+ contents: read
+
 jobs:
 validate-image-version:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/validate-pull-request-source.yml b/.github/workflows/validate-pull-request-source.yml
index ad276ccd796..832a06a51c7 100644
--- a/.github/workflows/validate-pull-request-source.yml
+++ b/.github/workflows/validate-pull-request-source.yml
@@ -1,6 +1,9 @@
 name: validate-pull-request-source
 on: pull_request
 
+# This workflow only reads pull_request event metadata; no checkout, no API calls.
+permissions: {}
+
 jobs:
 validate-pull-request-source:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/validate-windows-binary-signature.yaml b/.github/workflows/validate-windows-binary-signature.yaml
index 6bbd2cf8da5..91d7d6e6708 100644
--- a/.github/workflows/validate-windows-binary-signature.yaml
+++ b/.github/workflows/validate-windows-binary-signature.yaml
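Review bot: `permissions: {}` is the tightest setting and the comment gives the reason, but it does not say what to do when the job changes; a future `actions/checkout` or API-calling step in this workflow would fail with an authorisation error rather than an obvious configuration message. Suggest extending the comment with `# If a step ever needs checkout or the API, add the minimal scope (e.g. contents: read) here.` The job steps are below the hunk, so the claim of no checkout and no API calls is taken from the comment, not verified here.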
@@ -10,6 +10,9 @@ on:
 - 'vhdbuilder/packer/windows/windows_settings.json'
 - 'vhdbuilder/packer/windows/components_json_helpers.ps1'
 
+permissions:
+ contents: read
+
 jobs:
 check-files-for-ws2022:
 name: Check for Windows 2022
diff --git a/.github/workflows/validate-windows-ut.yml b/.github/workflows/validate-windows-ut.yml
index 69b1a896b64..f9bf7ac5520 100644
--- a/.github/workflows/validate-windows-ut.yml
+++ b/.github/workflows/validate-windows-ut.yml
@@ -5,6 +5,9 @@ on: pull_request
 # stored in WSL. So you'll need to change directory to whereever you have the repo checked out in WSL. Something like this:
 # cd \\wsl$\Ubuntu\home\tim\git\AgentBaker
 
+permissions:
+ contents: read
+
 jobs:
 pester-test:
 name: Pester test
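Review bot: The `permissions:` block is inserted between a comment block and `jobs:`, so that comment (which, judging by its text about WSL paths for running the repo locally, reads as a note for the `pester-test` job rather than for `on: pull_request`) is now separated from what it describes; the comment starts above the hunk, so its subject is inferred. Consider placing `permissions:` / `contents: read` directly after `on: pull_request`, before that comment, or moving the comment down to the `pester-test` job, so the new block does not split the two.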