ci: specify workflow permissions per job

HastD · HastD · commit 30495081b7d4 · 2025-12-01T08:42:39.000-05:00
Also remove some unnecessary permissions:

* The notification job in release-artifacts.yml only needs to read repo
  contents, not write contents and actions.
* All jobs in release.yml except "Create release" and "Update podman.io"
  only need to read repo contents. "Update podman.io" only needs to
  write repo contents and pull requests.
* Likewise, permissions for update-podmanio.yml can be restricted to
  only writing repo contents and pull requests.

Signed-off-by: Daniel Hast &lt;hast.daniel@protonmail.com&gt;
diff --git a/.github/workflows/dev-bump.yml b/.github/workflows/dev-bump.yml
@@ -3,10 +3,16 @@ on:
   push:
     tags:
       - '*'
+
+permissions: {}
+
 jobs:
   bump:
     name: Bump to -dev
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # to create and push to a branch
+      pull-requests: write # to read and create pull requests
     steps:
       - uses: actions/checkout@v6
         with:
@@ -77,6 +83,9 @@ jobs:
   mainbump:
     name: Bump on main
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # to create and push to a branch
+      pull-requests: write # to read and create pull requests
     env:
       GH_TOKEN: ${{ github.token }}
     steps:
diff --git a/.github/workflows/first_contrib_cert_generator.yml b/.github/workflows/first_contrib_cert_generator.yml
@@ -16,18 +16,18 @@ on:
         description: 'The pull request number'
         required: true
 
-# Permissions needed for this workflow.
-permissions:
-  contents: read  # Write access for certificate storage
-  pull-requests: write  # Write access to comment on PRs
-  actions: read  # Read access for workflow actions
+permissions: {}
 
 jobs:
   screenshot_and_comment:
     # This job runs if the PR was merged or if it's a manual trigger.
     # The logic for first-time contributors is handled in a dedicated step below.
     if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read  # Write access for certificate storage
+      pull-requests: write  # Write access to comment on PRs
+      actions: read  # Read access for workflow actions
     steps:
       # Step 1: Check if this is the contributor's first merged PR.
       # This step is the source of truth and will control the execution of subsequent steps.
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -3,6 +3,8 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
 
+permissions: {}
+
 jobs:
   triage:
     permissions:
diff --git a/.github/workflows/mac-pkg.yml b/.github/workflows/mac-pkg.yml
@@ -15,12 +15,13 @@ on:
           - "true"  # Must be quoted string, boolean value not supported.
           - "false"
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   build:
     runs-on: macos-latest
+    permissions:
+      contents: write
     env:
       APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
       CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
diff --git a/.github/workflows/machine-os-pr.yml b/.github/workflows/machine-os-pr.yml
@@ -5,6 +5,8 @@ on:
     paths:
       - 'version/rawversion/version.go'
 
+permissions: {}
+
 concurrency:
   # Cancel other in-progress runs on re-pushes
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
diff --git a/.github/workflows/needs-info-labeler.yaml b/.github/workflows/needs-info-labeler.yaml
@@ -3,6 +3,9 @@ on:
   issues:
     types:
       - labeled
+
+permissions: {}
+
 jobs:
   add-comment:
     if: github.event.label.name == 'needs-info'
diff --git a/.github/workflows/release-artifacts.yml b/.github/workflows/release-artifacts.yml
@@ -15,13 +15,14 @@ on:
           - "true"  # Must be quoted string, boolean value not supported.
           - "false"
 
-permissions:
-  contents: write
-  actions: write
+permissions: {}
 
 jobs:
   build:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write
+      actions: write
     steps:
       # If the job fails, these details are all but impossible to observe.yy
       - name: Provide github event JSON for examination
@@ -202,6 +203,8 @@ jobs:
     if: needs.build.outputs.uploaded == 'true'
     runs-on: ubuntu-24.04
     needs: build
+    permissions:
+      contents: read
     steps:
       - name: Format release email
         id: format
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,6 +16,9 @@ on:
           - "true"  # Must be quoted string, boolean value not supported.
           - "false"
 
+permissions:
+  contents: read
+
 jobs:
   check:
     name: Check
@@ -374,6 +377,9 @@ jobs:
     name: Update podman.io
     uses: ./.github/workflows/update-podmanio.yml
     needs: [check, release]
+    permissions:
+      contents: write # to push to a branch
+      pull-requests: write # to read and create PRs
     if: needs.check.outputs.buildonly == 'false'
     secrets: inherit
     with:
diff --git a/.github/workflows/update-podmanio.yml b/.github/workflows/update-podmanio.yml
@@ -18,10 +18,15 @@ on:
       PODMANBOT_TOKEN:
         required: true
 
+permissions: {}
+
 jobs:
   bump:
     name: Bump
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write # to push to a branch
+      pull-requests: write # to read and create PRs
     steps:
       - name: Get version
         id: getversion
diff --git a/.github/workflows/upload-win-installer.yml b/.github/workflows/upload-win-installer.yml
@@ -15,12 +15,13 @@ on:
           - "true"  # Must be quoted string, boolean value not supported.
           - "false"
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   build:
     runs-on: windows-latest
+    permissions:
+      contents: write
     env:
       FETCH_BASE_URL: ${{ github.server_url }}/${{ github.repository }}
     steps:
