ci: set workflow permissions (#533)

simonhir · web-flow · commit 61db896b1ade · 2025-05-09T08:12:23.000+02:00
* ci: set permissions

* ci: set permissions fix codeql

* ci: set permissions fix retag-image

* chore(ci): end with newline
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -7,5 +7,7 @@ jobs:
   actionlint:
     name: Run actionlint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
+      - uses: it-at-m/lhm_actions/action-templates/actions/action-actionlint@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
diff --git a/.github/workflows/build-integrations.yml b/.github/workflows/build-integrations.yml
@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       ARTIFACT_NAME: ${{ steps.maven-build-step.outputs.artifact-name }}
+    permissions:
+      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -24,6 +26,8 @@ jobs:
     if: github.ref_name == 'main'
     needs: build-maven
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     strategy:
       matrix:
         include:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -10,6 +10,9 @@ on:
 jobs:
   codeql:
     uses: it-at-m/.github/.github/workflows/codeql.yml@main
+    permissions:
+      pull-requests: read
+      security-events: write
     with:
       analyze-java: true
       analyze-javascript-typescript-vue: false
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -6,5 +6,7 @@ on:
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: it-at-m/lhm_actions/action-templates/actions/action-dependency-review@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
+      - uses: it-at-m/lhm_actions/action-templates/actions/action-dependency-review@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
@@ -7,12 +7,6 @@ on:
       - "docs/**"
       - ".github/workflows/deploy-docs.yml"
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
@@ -22,10 +16,13 @@ concurrency:
 jobs:
   deploy-docs:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     steps:
       - id: build-docs
         uses: it-at-m/lhm_actions/action-templates/actions/action-build-docs@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
       - id: deploy-docs
         # Only deploy documentation from the main branch to prevent unauthorized changes
-
-        uses: it-at-m/lhm_actions/action-templates/actions/action-deploy-docs@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
+        uses: it-at-m/lhm_actions/action-templates/actions/action-deploy-docs@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
diff --git a/.github/workflows/dockercompose-healthcheck.yml b/.github/workflows/dockercompose-healthcheck.yml
@@ -8,8 +8,10 @@ jobs:
   docker-compose-healthcheck:
     name: Run docker compose healthcheck
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: it-at-m/lhm_actions/action-templates/actions/action-dockercompose-healthcheck@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
         with:
           skip-exited: true # required for keycloakmigration init container
-          compose-file-path: "./stack/"
+          compose-file-path: "./stack/"
diff --git a/.github/workflows/maven-node-build.yml b/.github/workflows/maven-node-build.yml
@@ -11,6 +11,9 @@ jobs:
     runs-on: ubuntu-latest
     env:
       TZ: Europe/Berlin # timezone
+    permissions:
+      contents: read
+      packages: write
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/pr-checklist.yml b/.github/workflows/pr-checklist.yml
@@ -7,5 +7,7 @@ on:
 jobs:
   pr-checklist:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: it-at-m/lhm_actions/action-templates/actions/action-pr-checklist@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
+      - uses: it-at-m/lhm_actions/action-templates/actions/action-pr-checklist@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
@@ -10,4 +10,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: "Label PR"
-        uses: it-at-m/lhm_actions/action-templates/actions/action-pr-labeler@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
+        uses: it-at-m/lhm_actions/action-templates/actions/action-pr-labeler@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -55,6 +55,8 @@ jobs:
     if: inputs.module == 'refarch-gateway'
     needs: release-maven
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - name: Build and push image
         uses: it-at-m/lhm_actions/action-templates/actions/action-build-image@a7d25dbabec2057695f865169fdc411d475d4667 # v1.0.19
@@ -72,6 +74,8 @@ jobs:
     if: inputs.module == 'refarch-integrations'
     needs: release-maven
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     strategy:
       matrix:
         include:
@@ -94,6 +98,8 @@ jobs:
     if: ${{ !failure() && !cancelled() }}
     needs: ["release-maven", "build-image-gateway", "build-images-integrations"]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Create GitHub Release
         id: create_release
diff --git a/.github/workflows/retag-image.yml b/.github/workflows/retag-image.yml
@@ -20,6 +20,9 @@ on:
 jobs:
   retag-image:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
