Add permissions to all workflows

.github/workflows/build-oss.yml

@@ -17,6 +17,9 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-22.04
@@ -179,5 +182,8 @@ jobs:
       tag: ${{ inputs.tag }}
       version: ${{ needs.build.outputs.version }}
       image_digest: ${{ needs.build.outputs.image_digest }}
+    permissions:
+      contents: read
+      actions: read
     secrets: inherit
     if: ${{ inputs.tag != '' }}

.github/workflows/ci.yml

@@ -11,10 +11,6 @@ on:
     branches:
       - main
       - release-*
-    types:
-      - opened
-      - reopened
-      - synchronize
   schedule:
     - cron: "0 4 * * *" # run every day at 04:00 UTC
 
@@ -26,6 +22,9 @@ concurrency:
   group: ${{ github.ref_name }}-ci
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   checks:
     name: Checks and variables
@@ -86,6 +85,8 @@ jobs:
     needs: [checks, unit-tests]
     outputs:
       release-url: ${{ steps.release-notes.outputs.release-url }}
+    permissions:
+      contents: write # for lucacome/draft-release and goreleaser/goreleaser-action to manage releases
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@@ -165,13 +166,16 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
       - name: Fetch Cached Artifacts
         uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
         with:
           path: ${{ github.workspace }}/dist
           key: nginx-ingress-${{ github.run_id }}-${{ github.run_number }}
+
       - name: Docker Buildx
         uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1
+
       - name: Build Docker Image ${{ matrix.image }}
         uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
         with:
@@ -188,11 +192,13 @@ jobs:
           secrets: |
             ${{ contains(matrix.type, 'plus') && format('"nginx-repo.crt={0}"', secrets.NGINX_CRT) || '' }}
             ${{ contains(matrix.type, 'plus') && format('"nginx-repo.key={0}"', secrets.NGINX_KEY) || '' }}
+
       - name: Deploy Kubernetes
         id: k8s
         run: |
           kind create cluster --name ${{ github.run_id }} --image=kindest/node:v${{ needs.checks.outputs.k8s_latest }} --wait 75s
           kind load docker-image ${{ matrix.type }}:${{ github.sha }} --name ${{ github.run_id }}
+
       - name: Install Chart
         run: >
           helm install
@@ -204,9 +210,11 @@ jobs:
           --set controller.nginxplus=${{ contains(matrix.type, 'plus') && 'true' || 'false' }}
           --wait
         working-directory: ${{ github.workspace }}/deployments/helm-chart
+
       - name: Expose Test Ingresses
         run: |
           kubectl port-forward service/${{ matrix.type }}-nginx-ingress-controller 8080:80 8443:443 &
+
       - name: Test HTTP
         run: |
           counter=0
@@ -217,6 +225,7 @@ jobs:
             fi
             printf '.'; counter=$(($counter+1)); sleep 5;
           done
+
       - name: Test HTTPS
         run: |
           counter=0
@@ -258,8 +267,10 @@ jobs:
 
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
       - name: Docker Buildx
         uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1
+
       - name: Build Test-Runner Container
         uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
         with:
@@ -281,6 +292,7 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
       - name: Run Smoke Tests
         id: smoke-tests
         uses: ./.github/actions/smoke-tests
@@ -291,6 +303,7 @@ jobs:
           nginx-crt: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_CRT || secrets.NGINX_CRT }}
           nginx-key: ${{ contains(matrix.images.image, 'nap') && secrets.NGINX_AP_KEY || secrets.NGINX_KEY }}
           azure-ad-secret: ${{ secrets.AZURE_AD_AUTOMATION }}
+
       - name: Upload Test Results
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
@@ -314,6 +327,12 @@ jobs:
     with:
       platforms: ${{ matrix.platforms }}
       image: ${{ matrix.image }}
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+      id-token: write
+      packages: write
     secrets: inherit
 
   build-docker-plus:
@@ -335,6 +354,10 @@ jobs:
       image: ${{ matrix.image }}
       target: ${{ matrix.target }}
       release-url: ${{ needs.binaries.outputs.release-url }}
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
     secrets: inherit
 
   build-docker-nap:
@@ -353,13 +376,19 @@ jobs:
       image: ${{ matrix.image }}
       target: ${{ matrix.target }}
       nap_modules: ${{ matrix.nap_modules }}
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
     secrets: inherit
 
   publish-helm:
     name: Package and Publish Helm Chart
     runs-on: ubuntu-22.04
     needs: [checks, helm-tests]
     if: ${{ github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-') }}
+    permissions:
+      contents: write # for pushing to Helm Charts repository
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

.github/workflows/dependency-review.yml

@@ -1,5 +1,13 @@
 name: "Dependency Review"
-on: [pull_request]
+on:
+  pull_request:
+    branches:
+      - main
+      - release-*
+
+concurrency:
+  group: ${{ github.ref_name }}-deps-review
+  cancel-in-progress: true
 
 permissions:
   contents: read
@@ -8,8 +16,8 @@ jobs:
   dependency-review:
     runs-on: ubuntu-22.04
     permissions:
-      contents: read
-      pull-requests: write
+      contents: read # for actions/checkout
+      pull-requests: write # for actions/dependency-review-action to post comments
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

.github/workflows/dockerhub-description.yml

@@ -11,6 +11,8 @@ concurrency:
   group: ${{ github.ref_name }}-dockerhub
   cancel-in-progress: true
 
+permissions:
+  contents: read
 
 jobs:
   dockerHubDescription:

.github/workflows/fossa.yml

@@ -5,26 +5,26 @@ on:
     branches:
       - main
     paths-ignore:
-      - 'docs/**'
-      - 'examples/**'
-      - '**.md'
+      - "docs/**"
+      - "examples/**"
+      - "**.md"
 
 concurrency:
   group: ${{ github.ref_name }}-fossa
   cancel-in-progress: true
 
-permissions:  # added using https://github.com/step-security/secure-workflows
+permissions:
   contents: read
 
 jobs:
-
   scan:
     name: Fossa
     runs-on: ubuntu-22.04
     if: ${{ github.event.repository.fork == false }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
       - name: Scan
         uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1
         with:

.github/workflows/issues.yaml

@@ -4,23 +4,30 @@ on:
   issues:
     types: [opened]
 
+permissions:
+  contents: read
+
 jobs:
   comment:
     name: Issue comment
     if: ${{ !github.event.issue.pull_request }}
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      issues: write # for actions/github-script to create comments
     steps:
       - name: text
         id: controller
         if: contains(github.event.issue.body, 'nginx.ingress.kubernetes.io')
         run: |
           text="\n\n I\'ve parsed the text of your issue and it looks like you might be mixing up the two Ingress Controllers, please take a look at this [page](https://docs.nginx.com/nginx-ingress-controller/intro/nginx-ingress-controllers) to see the differences between \`nginxinc/kubernetes-ingress\` (this repo) and \`kubernetes/ingress-nginx\`."
           echo "text=$text" >> $GITHUB_OUTPUT
+
       - name: Check if Issue author is Org member
         id: membercheck
         uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          retries: 3
           script: |
             let member
             try {
@@ -35,11 +42,12 @@ jobs:
               member = false
             }
             return member
+
       - name: Send message
         uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         if: steps.membercheck.outputs.result == 'false'
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
+          retries: 3
           script: |
             github.rest.issues.createComment({
               issue_number: context.issue.number,

.github/workflows/labeler.yml

@@ -9,7 +9,7 @@ jobs:
   triage:
     permissions:
       contents: read
-      pull-requests: write
+      pull-requests: write # for actions/labeler to add labels
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/labeler@4f052778de9a9b80cb16cfb9079b02287285a4cb # v5.0.0-alpha.1

.github/workflows/lint.yml

@@ -5,13 +5,9 @@ on:
     branches:
       - main
     paths-ignore:
-      - 'docs/**'
-      - 'examples/**'
-      - '**.md'
-    types:
-      - opened
-      - reopened
-      - synchronize
+      - "docs/**"
+      - "examples/**"
+      - "**.md"
 
 defaults:
   run:
@@ -21,18 +17,25 @@ concurrency:
   group: ${{ github.ref_name }}-lint
   cancel-in-progress: true
 
-jobs:
+permissions:
+  contents: read
 
+jobs:
   lint:
     name: Lint
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: read # for golangci-lint-action
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
       - name: Setup Golang Environment
         uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
           go-version-file: go.mod
+
       - name: Lint Code
         uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0
         with:
@@ -44,6 +47,7 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
       - uses: reviewdog/action-actionlint@7485c2136bd093d2317a854c72910eebaee35238 # v1.37.1
         with:
           actionlint_flags: -shellcheck ""
@@ -54,5 +58,6 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+
       - name: Lint chart
         run: helm lint deployments/helm-chart

.github/workflows/notifications.yml

@@ -15,10 +15,16 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   on-failure:
     runs-on: ubuntu-22.04
     if: ${{ github.event.workflow_run.conclusion == 'failure' && github.event.repository.fork == false }}
+    permissions:
+      contents: read
+      actions: read # for 8398a7/action-slack
     steps:
       - name: Data
         uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1