From 4a913bda33a78d615ee59cb5393b3aeeeb4c43c2 Mon Sep 17 00:00:00 2001
From: Jarek Potiuk
Date: Fri, 10 Jan 2025 11:34:51 +0100
Subject: [PATCH] Add explicit permissions for all workflow-run workflows
Those workflows inherit permissions from the calling workflows but it's good to add explicit permissions to indicate what is needed and in case we will also use the workflows for other purposes in the future - default permissions for older repos might be write so it's best to be explicit about the permissions. Found by CodeQL scanning
---
 .github/workflows/additional-ci-image-checks.yml | 2 ++
 .github/workflows/additional-prod-image-tests.yml | 2 ++
 .github/workflows/automatic-backport.yml | 3 ++-
 .github/workflows/backport-cli.yml | 3 +++
 .github/workflows/basic-tests.yml | 2 ++
 .github/workflows/ci-image-build.yml | 2 ++
 .github/workflows/ci-image-checks.yml | 3 ++-
 .github/workflows/finalize-tests.yml | 2 ++
 .github/workflows/generate-constraints.yml | 6 ++++++
 .github/workflows/helm-tests.yml | 2 ++
 .github/workflows/integration-system-tests.yml | 2 ++
 .github/workflows/k8s-tests.yml | 2 ++
 .github/workflows/news-fragment.yml | 3 ++-
 .github/workflows/prod-image-build.yml | 3 ++-
 .github/workflows/prod-image-extra-checks.yml | 2 ++
 .github/workflows/push-image-cache.yml | 2 ++
 .github/workflows/run-unit-tests.yml | 2 ++
 .github/workflows/special-tests.yml | 3 ++-
 .github/workflows/task-sdk-tests.yml | 3 ++-
 .github/workflows/test-provider-packages.yml | 2 ++
 20 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/additional-ci-image-checks.yml b/.github/workflows/additional-ci-image-checks.yml
index 56cee1697620c..a6b7bdafcb5af 100644
--- a/.github/workflows/additional-ci-image-checks.yml
+++ b/.github/workflows/additional-ci-image-checks.yml
@@ -84,6 +84,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv to build the image (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 # Push early BuildX cache to GitHub Registry in Apache repository, This cache does not wait for all the
 # tests to complete - it is run very early in the build process for "main" merges in order to refresh
diff --git a/.github/workflows/additional-prod-image-tests.yml b/.github/workflows/additional-prod-image-tests.yml
index bca5e3a592713..7b55121571471 100644
--- a/.github/workflows/additional-prod-image-tests.yml
+++ b/.github/workflows/additional-prod-image-tests.yml
@@ -60,6 +60,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 prod-image-extra-checks-main:
 name: PROD image extra checks (main)
diff --git a/.github/workflows/automatic-backport.yml b/.github/workflows/automatic-backport.yml
index b5b22b7491a9c..4c72401a5d317 100644
--- a/.github/workflows/automatic-backport.yml
+++ b/.github/workflows/automatic-backport.yml
@@ -21,7 +21,8 @@ on: # yamllint disable-line rule:truthy
 push:
 branches:
 - main
-
+permissions:
+ contents: read
 jobs:
 get-pr-info:
 name: "Get PR information"
diff --git a/.github/workflows/backport-cli.yml b/.github/workflows/backport-cli.yml
index 3706cd65bb01e..53243006137a6 100644
--- a/.github/workflows/backport-cli.yml
+++ b/.github/workflows/backport-cli.yml
@@ -41,6 +41,9 @@ on: # yamllint disable-line rule:truthy
 type: string
 permissions:
+ # Those permissions are only active for workflow dispatch (only committers can trigger it) and workflow call
+ # Which is triggered automatically by "automatic-backport" push workflow (only when merging by committer)
+ # Branch protection prevents from pushing to the "code" branches
 contents: write
 pull-requests: write
 jobs:
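Review bot: The new workflow-level `permissions: contents: read` sets every scope it does not list — including `packages` — to none for all jobs in this file, and a called workflow can only lower what the caller granted, never raise it; the context comment right below says a job pushes the BuildX cache to the GitHub registry, so if that push authenticates with `GITHUB_TOKEN` it now needs a job-level `permissions:` block with `packages: write` (which the caller must also grant). The job bodies are outside the hunk, so this may already be in place; if it is, a one-line comment under the new block would save the next reader the check: `# jobs that push to ghcr.io re-declare packages: write at job level`. The commit message's "inherit permissions from the calling workflows" holds only as an upper bound once this block exists.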
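Review bot: With `contents: read` now declared at workflow level in automatic-backport.yml, the job that `uses:` backport-cli.yml (not in this hunk, only `get-pr-info` is visible) must carry its own job-level grant, because backport-cli.yml's `contents: write` / `pull-requests: write` in this same patch can only downgrade the token passed by the caller, never elevate it; without `permissions:` / `  contents: write` / `  pull-requests: write` on that calling job, the backport push and PR creation would fail with a read-only token. If that job already declares them, a comment on the new block such as `# jobs that call backport-cli.yml grant contents/pull-requests: write explicitly` would make the split intent clear. This is inferred from the backport-cli.yml comment text added in the same patch, not from lines visible in this file.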
diff --git a/.github/workflows/basic-tests.yml b/.github/workflows/basic-tests.yml
index da803aee31904..847eec3b4ee59 100644
--- a/.github/workflows/basic-tests.yml
+++ b/.github/workflows/basic-tests.yml
@@ -60,6 +60,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv in the image"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 run-breeze-tests:
 timeout-minutes: 10
diff --git a/.github/workflows/ci-image-build.yml b/.github/workflows/ci-image-build.yml
index d15c297d82a00..55bf4e046e23f 100644
--- a/.github/workflows/ci-image-build.yml
+++ b/.github/workflows/ci-image-build.yml
@@ -96,6 +96,8 @@ on: # yamllint disable-line rule:truthy
 description: "Disable airflow repo cache read from main."
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 build-ci-images:
 strategy:
diff --git a/.github/workflows/ci-image-checks.yml b/.github/workflows/ci-image-checks.yml
index 21c857e7bd710..c6784042cec2c 100644
--- a/.github/workflows/ci-image-checks.yml
+++ b/.github/workflows/ci-image-checks.yml
@@ -108,7 +108,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv to build the image (true/false)"
 required: true
 type: string
-
+permissions:
+ contents: read
 jobs:
 install-pre-commit:
 timeout-minutes: 5
diff --git a/.github/workflows/finalize-tests.yml b/.github/workflows/finalize-tests.yml
index 1d0ac8a600c1d..ac13089caf656 100644
--- a/.github/workflows/finalize-tests.yml
+++ b/.github/workflows/finalize-tests.yml
@@ -76,6 +76,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to debug resources or not (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 update-constraints:
 runs-on: ${{ fromJSON(inputs.runs-on-as-json-public) }}
diff --git a/.github/workflows/generate-constraints.yml b/.github/workflows/generate-constraints.yml
index 740310e1cc09b..19592dae295c5 100644
--- a/.github/workflows/generate-constraints.yml
+++ b/.github/workflows/generate-constraints.yml
@@ -44,6 +44,12 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uvloop (true/false)"
 required: true
 type: string
+permissions:
+ # This permission is only active for "canary" builds and PRs from the main repo
+ # All fork PRs are not allowed to have write permissions and this one is automatically downgraded to read
+ # Branch protection also prevents from pushing to the "code" branches so we can safely use this one to
+ # Push constraints to "constraints" branches which are non-code branches and are not protected
+ contents: write
 jobs:
 generate-constraints:
 permissions:
diff --git a/.github/workflows/helm-tests.yml b/.github/workflows/helm-tests.yml
index 9dc300c61c0a1..1b4aa19cbe595 100644
--- a/.github/workflows/helm-tests.yml
+++ b/.github/workflows/helm-tests.yml
@@ -40,6 +40,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uvloop (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests-helm:
 timeout-minutes: 80
diff --git a/.github/workflows/integration-system-tests.yml b/.github/workflows/integration-system-tests.yml
index f992b726e30df..7c3916d9d19c9 100644
--- a/.github/workflows/integration-system-tests.yml
+++ b/.github/workflows/integration-system-tests.yml
@@ -64,6 +64,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests-core-integration:
 timeout-minutes: 130
diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml
index 6f867af65e9cd..40f73e3c59c66 100644
--- a/.github/workflows/k8s-tests.yml
+++ b/.github/workflows/k8s-tests.yml
@@ -48,6 +48,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to debug resources"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests-kubernetes:
 timeout-minutes: 60
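Review bot: The added comment presents the workflow-level `contents: write` as something this file actively grants for canary and main-repo runs, but generate-constraints.yml is a `workflow_call` workflow, so this block is only an upper bound — the token can never exceed what the calling job passed in, and whether the constraints push works is decided by the caller, which is not visible here. The comment should say so, e.g. `# In workflow_call this is a ceiling only: the calling job must itself grant contents: write`. Separately, the context shows a job-level `permissions:` block directly under `generate-constraints:`; if that job already declares the write scope (its body is outside the hunk), keeping the workflow-level default at `contents: read` and leaving write on that one job would be the least-privilege shape without changing what the push job can do.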
diff --git a/.github/workflows/news-fragment.yml b/.github/workflows/news-fragment.yml
index 73e58a0193711..46cb294d7a5b9 100644
--- a/.github/workflows/news-fragment.yml
+++ b/.github/workflows/news-fragment.yml
@@ -21,7 +21,8 @@ name: CI
 on: # yamllint disable-line rule:truthy
 pull_request:
 types: [labeled, unlabeled, opened, reopened, synchronize]
-
+permissions:
+ contents: read
 jobs:
 check-news-fragment:
 name: Check News Fragment
diff --git a/.github/workflows/prod-image-build.yml b/.github/workflows/prod-image-build.yml
index d90d1910f9336..85b421cade447 100644
--- a/.github/workflows/prod-image-build.yml
+++ b/.github/workflows/prod-image-build.yml
@@ -116,8 +116,9 @@ on: # yamllint disable-line rule:truthy
 description: "Whether this is a prod-image build (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
-
 build-prod-packages:
 name: "Build Airflow and provider packages"
 timeout-minutes: 10
diff --git a/.github/workflows/prod-image-extra-checks.yml b/.github/workflows/prod-image-extra-checks.yml
index f5a4b771436a7..56fa4b2b1a28d 100644
--- a/.github/workflows/prod-image-extra-checks.yml
+++ b/.github/workflows/prod-image-extra-checks.yml
@@ -64,6 +64,8 @@ on: # yamllint disable-line rule:truthy
 description: "Disable airflow repo cache read from main."
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 myssql-client-image:
 uses: ./.github/workflows/prod-image-build.yml
diff --git a/.github/workflows/push-image-cache.yml b/.github/workflows/push-image-cache.yml
index b1c9d12754206..86ec3b2a85a86 100644
--- a/.github/workflows/push-image-cache.yml
+++ b/.github/workflows/push-image-cache.yml
@@ -80,6 +80,8 @@ on: # yamllint disable-line rule:truthy
 description: "Disable airflow repo cache read from main."
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 push-ci-image-cache:
 name: "Push CI ${{ inputs.cache-type }}:${{ matrix.python }} image cache "
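Review bot: A workflow-level `permissions: contents: read` in push-image-cache.yml zeroes every unlisted scope, `packages` included, and the visible `push-ci-image-cache` job name says it pushes an image cache — so if that push is done with `GITHUB_TOKEN`, the job must re-declare `packages: write` at job level (and the calling workflow must grant it, since a called workflow cannot elevate). The job body is outside the hunk, so this may already be covered or the push may use a dedicated registry credential; in either case a note under the new block, `# push jobs re-declare packages: write at job level (capped by the caller's grant)`, would document why a workflow-wide read-only default is safe here. The workflow continues past the end of the hunk.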
diff --git a/.github/workflows/run-unit-tests.yml b/.github/workflows/run-unit-tests.yml
index 1c24e659d0979..e67d59ee08d37 100644
--- a/.github/workflows/run-unit-tests.yml
+++ b/.github/workflows/run-unit-tests.yml
@@ -116,6 +116,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests:
 timeout-minutes: 120
diff --git a/.github/workflows/special-tests.yml b/.github/workflows/special-tests.yml
index 36ccbf871cca9..8507294e535c6 100644
--- a/.github/workflows/special-tests.yml
+++ b/.github/workflows/special-tests.yml
@@ -80,7 +80,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv or not (true/false)"
 required: true
 type: string
-
+permissions:
+ contents: read
 jobs:
 tests-min-sqlalchemy:
 name: "Min SQLAlchemy test"
diff --git a/.github/workflows/task-sdk-tests.yml b/.github/workflows/task-sdk-tests.yml
index 501e880fd3be0..b8ecf0eb798c6 100644
--- a/.github/workflows/task-sdk-tests.yml
+++ b/.github/workflows/task-sdk-tests.yml
@@ -44,7 +44,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether this is a canary run (true/false)"
 required: true
 type: string
-
+permissions:
+ contents: read
 jobs:
 task-sdk-tests:
 timeout-minutes: 80
diff --git a/.github/workflows/test-provider-packages.yml b/.github/workflows/test-provider-packages.yml
index 877ff1f1b23c9..b0912fa6dfe37 100644
--- a/.github/workflows/test-provider-packages.yml
+++ b/.github/workflows/test-provider-packages.yml
@@ -62,6 +62,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 prepare-install-verify-provider-packages:
 timeout-minutes: 80