From 11cf5b2eb5d5ba089bb0e51fa6db7598007bdfb9 Mon Sep 17 00:00:00 2001
From: Connor Catlett
Date: Thu, 12 Sep 2024 18:12:27 +0000
Subject: [PATCH] Add permissions to all GitHub actions

Signed-off-by: Connor Catlett
---
 .github/workflows/generate-code-coverage.yaml | 5 +++++
 .github/workflows/govulncheck.yaml | 4 ++++
 .github/workflows/helm-chart-release.yaml | 4 ++++
 .github/workflows/output-code-coverage.yaml | 4 ++++
 .github/workflows/release.yaml | 4 ++++
 .github/workflows/trivy-containers.yaml | 4 ++++
 .github/workflows/trivy.yaml | 4 ++++
 .github/workflows/unit-tests.yaml | 3 +++
 8 files changed, 32 insertions(+)

diff --git a/.github/workflows/generate-code-coverage.yaml b/.github/workflows/generate-code-coverage.yaml
index 9ac03b674..fbc5240a1 100644
--- a/.github/workflows/generate-code-coverage.yaml
+++ b/.github/workflows/generate-code-coverage.yaml
@@ -14,6 +14,11 @@
 name: Generate Code Coverage
 
 on: [pull_request]
+
+permissions:
+  contents: read
+# upload-artifact does not need write permissions as it relies on an undocumented token
+# https://github.com/actions/upload-artifact/issues/197#issuecomment-832279436
 
 jobs:
   cover-base:
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
index 033e659be..1cc9bcb14 100644
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -17,6 +17,10 @@ on:
   pull_request:
     branches:
       - 'release-*'
+
+permissions:
+  contents: read
+
 jobs:
   govulncheck:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/helm-chart-release.yaml b/.github/workflows/helm-chart-release.yaml
index 78e6ab96e..209859475 100644
--- a/.github/workflows/helm-chart-release.yaml
+++ b/.github/workflows/helm-chart-release.yaml
@@ -21,6 +21,10 @@ on:
     paths:
       - "charts/**/Chart.yaml"
 
+permissions:
+  contents: write # Create new release to host chart artifacts
+  pages: write # Publish chart to pages
+
 jobs:
   release:
     runs-on: ubuntu-latest
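Review bot: The two comment lines added under `contents: read` in generate-code-coverage.yaml sit at column 0 inside the `permissions:` mapping and explain the mechanism only by "undocumented token"; they would read better placed above the `permissions:` key and naming what the action actually uses, e.g. `# Read-only default: upload-artifact authenticates with ACTIONS_RUNTIME_TOKEN, not GITHUB_TOKEN, so no write scope is needed (see actions/upload-artifact#197)`. A top-level `permissions:` block is only the default for the workflow's jobs; any job that declares its own `permissions:` key replaces the whole set, and since every job body in these hunks lies outside the diff, the read-only intent should be confirmed against the jobs below. The same check applies to the read-only blocks added in govulncheck.yaml, trivy.yaml and unit-tests.yaml.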
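Review bot: `pages: write` in helm-chart-release.yaml looks wider than the release job needs, depending on how the chart is published, which is outside this hunk. If the job uses helm/chart-releaser-action, it publishes by pushing the index to the gh-pages branch, which `contents: write` already covers, and the `pages` scope is unused and can be dropped. If it instead deploys through actions/deploy-pages, that action also needs `id-token: write`, so the block as written would be incomplete rather than over-broad; either way the inline comment `# Publish chart to pages` should name the action it is granting for so the next reader can verify the scope.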
diff --git a/.github/workflows/output-code-coverage.yaml b/.github/workflows/output-code-coverage.yaml
index 7411d0fd8..69125620f 100644
--- a/.github/workflows/output-code-coverage.yaml
+++ b/.github/workflows/output-code-coverage.yaml
@@ -17,6 +17,10 @@ on:
   workflow_run:
     workflows: [Generate Code Coverage]
     types: [completed]
+
+permissions:
+  contents: read
+  pull-requests: write # Create/update comment on PRs
 
 jobs:
   output-code-coverage:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 49fa87786..a62094571 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -18,6 +18,10 @@ on:
     # Sequence of patterns matched against refs/tags
     tags:
       - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
+
+permissions:
+  contents: write # Create releases
+
 jobs:
   build:
     name: Release
diff --git a/.github/workflows/trivy-containers.yaml b/.github/workflows/trivy-containers.yaml
index ca024e77b..4914f320e 100644
--- a/.github/workflows/trivy-containers.yaml
+++ b/.github/workflows/trivy-containers.yaml
@@ -20,6 +20,10 @@ on:
   schedule:
     - cron: '0 */24 * * *'
 
+permissions:
+  contents: read
+  security-events: write # Update findings in security tab
+
 jobs:
   build-matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
index e5a40300e..4b32fccc0 100644
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -18,6 +18,10 @@ on:
     branches:
       - master
   pull_request:
+
+permissions:
+  contents: read
+  security-events: write # Update findings in security tab
 
 jobs:
   build:
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
index 123a2b8c3..e3d8dcc97 100644
--- a/.github/workflows/unit-tests.yaml
+++ b/.github/workflows/unit-tests.yaml
@@ -18,6 +18,9 @@ on:
     branches:
       - master
   pull_request:
+
+permissions:
+  contents: read
 
 jobs:
   buildx:
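Review bot: `pull-requests: write` in output-code-coverage.yaml is granted to a workflow triggered by `workflow_run` from "Generate Code Coverage", which itself runs on `pull_request`; that means this run holds base-repository credentials while the coverage artifact it consumes was produced by an untrusted PR, and the block should record that boundary. The scopes themselves are the right minimum for posting a comment, but a comment such as `# workflow_run executes with base-repo credentials while the coverage artifact comes from an untrusted PR; treat the artifact as data only, never execute or template it unescaped` would make the constraint visible to whoever edits the job later. The job body is outside this hunk, so whether the artifact is handled that way cannot be verified here.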
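Review bot: `contents: write` in release.yaml is set at workflow level, so it applies to every job in the file, not only to the `build` job that creates the release; if any job other than `build` exists below this hunk, the grant should move to the job that needs it. The least-privilege form keeps the top-level block at `contents: read` and adds `permissions:` / `  contents: write # Create releases` under the release job itself, which also makes the comment land next to the step it justifies. Only `build:` is visible in the context lines, so this is a point to confirm against the rest of the file.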