From aa1bb16b2ccea7434c818d73ed8bddc7dae9f5e7 Mon Sep 17 00:00:00 2001
From: arpitjain099
Date: Wed, 13 May 2026 10:40:12 +0000
Subject: [PATCH] ci: declare least-privilege permissions on the remaining 11 workflows
Most of these workflows just run lint/test/validate steps on pull requests, so contents: read is sufficient and matches the top-level style already used in golangci-lint.yml, hotfix-generate.yml, and tidy.yaml.
Special cases:
- auto-update.yml uses tibdex/auto-update with GITHUB_TOKEN to refresh PR branches against main, so it needs contents: write + pull-requests: read.
- generate-kubelet-flags.yaml does a manual push + PR via secrets.PERSONAL_ACCESS_TOKEN, not the default GITHUB_TOKEN, so contents: read is enough for the default token. A comment was added explaining the chosen scope.
- validate-pull-request-source.yml has no checkout and makes no API calls; permissions: {} (deny all) covers it.
YAML validated locally with yaml.safe_load for each edited file.
Signed-off-by: Arpit Jain
---
 .github/workflows/auto-update.yml | 4 ++++
 .github/workflows/generate-kubelet-flags.yaml | 5 +++++
 .github/workflows/go-test.yml | 3 +++
 .github/workflows/no-sudo-check.yml | 3 +++
 .github/workflows/shellcheck.yml | 3 +++
 .github/workflows/shellspec.yaml | 3 +++
 .github/workflows/validate-components.yml | 3 +++
 .github/workflows/validate-image-version.yml | 3 +++
 .github/workflows/validate-pull-request-source.yml | 3 +++
 .github/workflows/validate-windows-binary-signature.yaml | 3 +++
 .github/workflows/validate-windows-ut.yml | 3 +++
 11 files changed, 36 insertions(+)
diff --git a/.github/workflows/auto-update.yml b/.github/workflows/auto-update.yml
index 59eedf58c6b..93073ab1f77 100644
--- a/.github/workflows/auto-update.yml
+++ b/.github/workflows/auto-update.yml
@@ -6,6 +6,10 @@ on:
 branches:
 - main
+permissions:
+ contents: write
+ pull-requests: read
+
 jobs:
 Auto:
 name: Auto-update
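Review bot: The `contents: write` grant in the new permissions block is the only write scope in this series, yet unlike generate-kubelet-flags.yaml it carries no in-file comment saying why it is needed; the reasoning lives only in the commit message, which the next reader of the workflow will not see. A line above the block would do, e.g. `# tibdex/auto-update refreshes open PR branches against main with GITHUB_TOKEN: contents: write for the push, pull-requests: read to enumerate the PRs` (adjust if the action's actual needs differ). Since a top-level block applies to every job in the file, it is also worth confirming against the job body, which is outside the hunk, that the Auto job is the only one that gets this scope and that no later step could use it unexpectedly.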
diff --git a/.github/workflows/generate-kubelet-flags.yaml b/.github/workflows/generate-kubelet-flags.yaml
index 685d7371df5..f738f2a960c 100644
--- a/.github/workflows/generate-kubelet-flags.yaml
+++ b/.github/workflows/generate-kubelet-flags.yaml
@@ -2,6 +2,11 @@ name: Generate valid kubelet flags per supported k8s version
 on:
 workflow_dispatch: {}
+# The push + PR creation steps below explicitly use secrets.PERSONAL_ACCESS_TOKEN,
+# so the default GITHUB_TOKEN does not need write scopes here.
+permissions:
+ contents: read
+
 jobs:
 generate-kubelet-flags:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/go-test.yml b/.github/workflows/go-test.yml
index 28fda49471d..248cb6c51fe 100644
--- a/.github/workflows/go-test.yml
+++ b/.github/workflows/go-test.yml
@@ -1,6 +1,9 @@
 name: Go Unit Tests
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 go-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/no-sudo-check.yml b/.github/workflows/no-sudo-check.yml
index 1ca5121eb61..86dbd7f8197 100644
--- a/.github/workflows/no-sudo-check.yml
+++ b/.github/workflows/no-sudo-check.yml
@@ -1,6 +1,9 @@
 name: Check for sudo in CSE scripts
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 no-sudo:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index f20c43e935c..0358562cb04 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -1,6 +1,9 @@
 name: Lint Shell/Bash Scripts
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 shellcheck:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/shellspec.yaml b/.github/workflows/shellspec.yaml
index 851a020ca67..4f264294182 100644
--- a/.github/workflows/shellspec.yaml
+++ b/.github/workflows/shellspec.yaml
@@ -1,6 +1,9 @@
 name: Shell/Bash Script Unit Tests
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 shellspec:
 runs-on: ubuntu-latest
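Review bot: The new comment above `permissions:` can be read as saying that the declared block bounds what this workflow is able to write, which is not the case: `permissions:` scopes only the default GITHUB_TOKEN, while secrets.PERSONAL_ACCESS_TOKEN carries whatever scope was chosen when the secret was created and is unaffected by anything in this file. Suggest making that explicit by replacing the second comment line with `# so the default GITHUB_TOKEN only needs contents: read (for checkout). Note that permissions: does not limit PERSONAL_ACCESS_TOKEN; its scope is set on the secret itself.` The checkout assumption is inferred from the commit message rather than the hunk, since the job body is outside it.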
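Review bot: `contents: read` is the right floor for a job that checks out the repository, but the job bodies are outside these hunks, so it is worth confirming that each of go-test.yml, no-sudo-check.yml, shellcheck.yml, shellspec.yaml, validate-components.yml, validate-image-version.yml, validate-windows-binary-signature.yaml and validate-windows-ut.yml actually runs a checkout; any that does not should get `permissions: {}` as validate-pull-request-source.yml does in this same series. In the same pass, check that none of these jobs posts a PR comment or check annotation with GITHUB_TOKEN, because such a step would now fail with a 403 once the top-level block is in place and the failure only shows at runtime.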
diff --git a/.github/workflows/validate-components.yml b/.github/workflows/validate-components.yml
index d48e4c4b2a6..4a92b2a3239 100644
--- a/.github/workflows/validate-components.yml
+++ b/.github/workflows/validate-components.yml
@@ -1,6 +1,9 @@
 name: Validate Components
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 cue:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/validate-image-version.yml b/.github/workflows/validate-image-version.yml
index 75d8cf28775..6e630815fdb 100644
--- a/.github/workflows/validate-image-version.yml
+++ b/.github/workflows/validate-image-version.yml
@@ -1,6 +1,9 @@
 name: validate-image-version
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 validate-image-version:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/validate-pull-request-source.yml b/.github/workflows/validate-pull-request-source.yml
index ad276ccd796..832a06a51c7 100644
--- a/.github/workflows/validate-pull-request-source.yml
+++ b/.github/workflows/validate-pull-request-source.yml
@@ -1,6 +1,9 @@
 name: validate-pull-request-source
 on: pull_request
+# This workflow only reads pull_request event metadata; no checkout, no API calls.
+permissions: {}
+
 jobs:
 validate-pull-request-source:
 runs-on: ubuntu-24.04
diff --git a/.github/workflows/validate-windows-binary-signature.yaml b/.github/workflows/validate-windows-binary-signature.yaml
index 6bbd2cf8da5..91d7d6e6708 100644
--- a/.github/workflows/validate-windows-binary-signature.yaml
+++ b/.github/workflows/validate-windows-binary-signature.yaml
@@ -10,6 +10,9 @@ on:
 - 'vhdbuilder/packer/windows/windows_settings.json'
 - 'vhdbuilder/packer/windows/components_json_helpers.ps1'
+permissions:
+ contents: read
+
 jobs:
 check-files-for-ws2022:
 name: Check for Windows 2022
diff --git a/.github/workflows/validate-windows-ut.yml b/.github/workflows/validate-windows-ut.yml
index 69b1a896b64..f9bf7ac5520 100644
--- a/.github/workflows/validate-windows-ut.yml
+++ b/.github/workflows/validate-windows-ut.yml
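Review bot: In validate-pull-request-source.yml the new comment `# This workflow only reads pull_request event metadata; no checkout, no API calls.` records the current state but not what a future editor should do once that changes; with `permissions: {}` a newly added checkout or `gh` call fails only at runtime, and the tempting fix is to delete the block. Suggest extending the comment with one more line: `# If a step that needs the token is ever added, grant the specific scope here rather than removing this block.` The job body is outside the hunk, so the "no checkout" claim is taken from the commit message rather than verified here.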
@@ -5,6 +5,9 @@ on: pull_request
 # stored in WSL. So you'll need to change directory to whereever you have the repo checked out in WSL. Something like this:
 # cd \\wsl$\Ubuntu\home\tim\git\AgentBaker
+permissions:
+ contents: read
+
 jobs:
 pester-test:
 name: Pester test