From 7a7c2652cccb1167fea3e8e6cf2adac23d879a81 Mon Sep 17 00:00:00 2001
From: Peter Ovchyn
Date: Sun, 13 Apr 2025 14:03:18 +0200
Subject: [PATCH 1/3] Explicit permissions to GitHub workflow
Added a permissions block to the code-quality.yml workflow that limits the workflow's access to only what it needs:
- Read access to repository contents
- Write access to security events for scan results
This follows the principle of least privilege and improves overall security.
---
 .github/workflows/code-quality.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index 5caa2552..8679628e 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -4,6 +4,11 @@ on:
 pull_request:
 types: [synchronize, opened, reopened]
+# Add permissions block to limit workflow access
+permissions:
+ contents: read
+ security-events: write
+
 jobs:
 docker-lint:
 runs-on: ubuntu-latest
From 1c164a21c5ececf852dec2a83e3c9868f19d4127 Mon Sep 17 00:00:00 2001
From: Peter Ovchyn
Date: Sun, 13 Apr 2025 14:10:25 +0200
Subject: [PATCH 2/3] Add pull-requests write permission to GitHub workflow
---
 .github/workflows/code-quality.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index 8679628e..74004097 100644
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -8,6 +8,7 @@ on:
 permissions:
 contents: read
 security-events: write
+ pull-requests: write
 jobs:
 docker-lint:
From 321671c80920f05105db59df8ab5217c75a4c102 Mon Sep 17 00:00:00 2001
From: Peter Ovchyn
Date: Sun, 13 Apr 2025 14:17:30 +0200
Subject: [PATCH 3/3] Apply job-specific permissions to enhance GitHub Actions security
---
 .github/workflows/code-quality.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/code-quality.yml b/.github/workflows/code-quality.yml
index 74004097..2575e94b 100644
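Review bot: The `pull-requests: write` line added in the [PATCH 2/3] hunk carries no comment and the commit message gives no reason, so a reader cannot tell which step consumes the scope or whether a narrower grant would do; the same gap remains when [PATCH 3/3] moves the line into the security-scan job. A trailing comment naming the consumer would make the grant reviewable, e.g. `pull-requests: write  # used by <PR-commenting step>` with the placeholder replaced by the actual step name. Note also that the workflow runs on `pull_request` events (the hunk's function context shows `on:`), and for runs opened from forks the GITHUB_TOKEN is typically read-only regardless of this key, so whichever step relies on it should handle the write being denied rather than failing the job.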
--- a/.github/workflows/code-quality.yml
+++ b/.github/workflows/code-quality.yml
@@ -4,11 +4,10 @@ on:
 pull_request:
 types: [synchronize, opened, reopened]
-# Add permissions block to limit workflow access
+
+# Set minimum permissions by default
 permissions:
 contents: read
- security-events: write
- pull-requests: write
 jobs:
 docker-lint:
@@ -26,6 +25,10 @@ jobs:
 security-scan:
 runs-on: ubuntu-latest
 timeout-minutes: 15
+ # Specify permissions needed for this job
+ permissions:
+ security-events: write
+ pull-requests: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
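Review bot: The job-level `permissions:` block added to security-scan in the second hunk omits `contents: read`, and a job-level block replaces the workflow-level one rather than extending it, so every scope not listed there (contents included) is set to none for this job; the `actions/checkout@v4` step at the end of the hunk would then run without read access to the repository, which is expected to fail on a private repository and silently depends on public visibility otherwise. Add `contents: read` as the first entry of the new block. Separately, `# Specify permissions needed for this job` does not say which steps need `security-events: write` and `pull-requests: write` (the steps after checkout lie outside the hunk); a short comment per scope naming its consumer, such as `security-events: write  # <SARIF upload step>` with the placeholder filled in, would make the least-privilege claim checkable.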