From e16a44bc433dc89e62a45b46fbd5b05e37127a1b Mon Sep 17 00:00:00 2001
From: Heathcliff
Date: Tue, 7 Jan 2025 16:57:21 +0100
Subject: [PATCH] CI: Fix missing explicit permissions for workflow runs
Signed-off-by: Heathcliff
---
 .github/workflows/ci.yaml | 12 ++++++++++++
 .github/workflows/editorconfig-check.yaml | 2 ++
 .github/workflows/go-testcover-report.yaml | 1 +
 .github/workflows/label-check.yaml | 2 +-
 .github/workflows/link-check.yaml | 1 +
 .github/workflows/renovate-config-validator.yaml | 2 ++
 .github/workflows/renovate.yaml | 2 ++
 7 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 38085d86..ef75392f 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -52,20 +52,28 @@ on:
 jobs:
 lint:
 uses: heathcliff26/ci/.github/workflows/golang-lint.yaml@main
+ permissions:
+ contents: read
 unit-tests:
 uses: heathcliff26/ci/.github/workflows/golang-unit-tests.yaml@main
+ permissions:
+ contents: read
 with:
 coveralls: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
 validate:
 uses: heathcliff26/ci/.github/workflows/golang-build.yaml@main
+ permissions:
+ contents: read
 with:
 cache: false
 cmd: "make validate"
 e2e:
 uses: heathcliff26/ci/.github/workflows/golang-unit-tests.yaml@main
+ permissions:
+ contents: read
 needs:
 - lint
 - unit-tests
@@ -78,6 +86,8 @@ jobs:
 build-fleetctl:
 uses: heathcliff26/ci/.github/workflows/golang-build.yaml@main
+ permissions:
+ contents: read
 needs:
 - lint
 - unit-tests
@@ -116,6 +126,8 @@ jobs:
 build-manifests:
 uses: heathcliff26/ci/.github/workflows/golang-build.yaml@main
 if: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
+ permissions:
+ contents: read
 needs:
 - validate
 with:
diff --git a/.github/workflows/editorconfig-check.yaml b/.github/workflows/editorconfig-check.yaml
index d23616c7..3c5fc005 100644
--- a/.github/workflows/editorconfig-check.yaml
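Review bot: The same `permissions: contents: read` block is repeated on every job in this hunk (`lint`, `unit-tests`, `validate`, `e2e`) and again on `build-fleetctl` and `build-manifests` in the two hunks that follow, as well as in editorconfig-check.yaml and renovate-config-validator.yaml; unless a workflow-level block already sits above the hunk, declaring it once between `on:` and `jobs:` as `permissions:` / `  contents: read` gives every job the same default and also covers jobs added later, which otherwise fall back to the repository's default token scopes. Caller-side `permissions` on a `uses:` job can only narrow what the reusable workflow receives, so the workflow-level form is equivalent for the jobs shown and the per-job copies become overrides for jobs that genuinely need more. A one-line comment above that block, such as `# least-privilege default; jobs that must write override this explicitly`, would record the intent of the change. The `uses:` lines reference `@main`, a mutable branch, which this commit does not change; pinning the reusable workflows to a tag or commit SHA would ensure the callee reviewed together with these permission grants is the one that actually runs.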
+++ b/.github/workflows/editorconfig-check.yaml
@@ -13,3 +13,5 @@ on:
 jobs:
 check-editorconfig:
 uses: heathcliff26/ci/.github/workflows/editorconfig-check.yaml@main
+ permissions:
+ contents: read
diff --git a/.github/workflows/go-testcover-report.yaml b/.github/workflows/go-testcover-report.yaml
index 939dc20b..52adb18c 100644
--- a/.github/workflows/go-testcover-report.yaml
+++ b/.github/workflows/go-testcover-report.yaml
@@ -10,5 +10,6 @@ jobs:
 generate-reports:
 uses: heathcliff26/ci/.github/workflows/golang-testcover-report.yaml@main
 secrets: inherit
+ permissions: {}
 with:
 coveralls: true
diff --git a/.github/workflows/label-check.yaml b/.github/workflows/label-check.yaml
index e066dbce..563daefe 100644
--- a/.github/workflows/label-check.yaml
+++ b/.github/workflows/label-check.yaml
@@ -13,6 +13,6 @@ on:
 jobs:
 check-labels:
+ uses: heathcliff26/ci/.github/workflows/label-check.yaml@main
 permissions:
 pull-requests: read
- uses: heathcliff26/ci/.github/workflows/label-check.yaml@main
diff --git a/.github/workflows/link-check.yaml b/.github/workflows/link-check.yaml
index 9bfa3b29..5d80666d 100644
--- a/.github/workflows/link-check.yaml
+++ b/.github/workflows/link-check.yaml
@@ -10,5 +10,6 @@ jobs:
 check-links:
 uses: heathcliff26/ci/.github/workflows/link-check.yaml@main
 secrets: inherit
+ permissions: {}
 with:
 exclude-paths: "vendor"
diff --git a/.github/workflows/renovate-config-validator.yaml b/.github/workflows/renovate-config-validator.yaml
index 60a14b49..a76879c2 100644
--- a/.github/workflows/renovate-config-validator.yaml
+++ b/.github/workflows/renovate-config-validator.yaml
@@ -20,3 +20,5 @@ on:
 jobs:
 validate-renovate-config:
 uses: heathcliff26/ci/.github/workflows/renovate-config-validator.yaml@main
+ permissions:
+ contents: read
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 0b6a5e24..5e248a51 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
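Review bot: `permissions: {}` on `generate-reports` removes every scope from that job's GITHUB_TOKEN while the adjacent `secrets: inherit` still passes all of the calling workflow's secrets to the callee, so any write the report workflow performs (publishing coverage output, posting a check) has to come from an inherited secret rather than the token, and if the callee relies on GITHUB_TOKEN for that or for checking out a private repository the run fails at execution time rather than at parse time; confirm this against the called workflow before merging. The same `{}` pattern is introduced for `check-links` in link-check.yaml and for `prepare` and `renovate` in renovate.yaml, where `prepare` is an ordinary `runs-on` job whose steps are outside that hunk and therefore cannot be checked here. Key placement also varies across the patch: the new key sits after `secrets:` here and in link-check.yaml, after `uses:` or `runs-on:` elsewhere, and label-check.yaml moves `uses:` ahead of `permissions:`; a fixed order such as `uses`, `permissions`, `needs`, `secrets`, `with` would keep the workflow files uniform and easier to diff.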
@@ -27,6 +27,7 @@ env:
 jobs:
 prepare:
 runs-on: ubuntu-latest
+ permissions: {}
 outputs:
 dry-run: ${{ steps.config.outputs.dry-run }}
 log-level: "${{ steps.config.outputs.log-level }}"
@@ -40,6 +41,7 @@ jobs:
 renovate:
 needs: prepare
 uses: heathcliff26/ci/.github/workflows/renovate.yaml@main
+ permissions: {}
 with:
 dry-run: ${{ needs.prepare.outputs.dry-run }}
 log-level: "${{ needs.prepare.outputs.log-level }}"