From fdce937d9b422795742254c1b73a94ade3926af7 Mon Sep 17 00:00:00 2001 From: PrashantR30 Date: Tue, 2 Jun 2026 18:12:02 +0400 Subject: [PATCH] harden git workflows Signed-off-by: PrashantR30 --- .github/workflows/code-scanning.yaml | 3 +++ .github/workflows/config-checks.yaml | 9 +++++++++ .github/workflows/coverage.yaml | 2 ++ .github/workflows/e2e-tests.yaml | 4 ++++ .github/workflows/forward-compatibility.yaml | 2 ++ .github/workflows/golang-checks.yaml | 6 ++++++ .github/workflows/image-builds.yaml | 7 ++++++- .github/workflows/publish-helm-oci-chart.yaml | 2 ++ .github/workflows/release-image-list.yaml | 3 +++ .github/workflows/release.yaml | 4 ++++ .github/workflows/stale.yaml | 4 +++- 11 files changed, 44 insertions(+), 2 deletions(-) diff --git a/.github/workflows/code-scanning.yaml b/.github/workflows/code-scanning.yaml index 4f8aa50d46..7e33e8acdf 100644 --- a/.github/workflows/code-scanning.yaml +++ b/.github/workflows/code-scanning.yaml @@ -23,11 +23,14 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 360 permissions: + contents: read security-events: write packages: read steps: - name: Checkout repository uses: actions/checkout@v6 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@v4 diff --git a/.github/workflows/config-checks.yaml b/.github/workflows/config-checks.yaml index 3cf598d08d..6260c8f55d 100644 --- a/.github/workflows/config-checks.yaml +++ b/.github/workflows/config-checks.yaml @@ -18,6 +18,9 @@ on: workflow_call: workflow_dispatch: +permissions: + contents: read + jobs: helm-lint: runs-on: ubuntu-latest @@ -25,6 +28,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install Helm uses: azure/setup-helm@v5.0.0 id: install @@ -36,6 +41,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v6 + with: + persist-credentials: false - name: Get Golang version id: vars run: | 
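Review bot: The workflow-level `permissions: contents: read` added in this hunk (and the `permissions: {}` in stale.yaml) are the only places the patch narrows the default GITHUB_TOKEN scope; coverage.yaml, e2e-tests.yaml, golang-checks.yaml, image-builds.yaml, publish-helm-oci-chart.yaml, release-image-list.yaml and release.yaml gain only `persist-credentials: false`, so unless a permissions block already exists outside the hunks shown, their jobs still run with the repository default token scope. Adding the same two lines, `permissions:` / `  contents: read`, at workflow level in those files, with `packages: write` re-granted at job level only in the jobs that log in to GHCR via docker/login-action, would make the hardening consistent across the set. Because this file is also triggered by `workflow_call:`, the block can only restrict what a caller grants, so it is safe for the reusable case.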
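Review bot: Third-party actions in this job stay pinned by mutable tag — `azure/setup-helm@v5.0.0` here and in publish-helm-oci-chart.yaml, `docker/login-action@v4` in image-builds.yaml and release.yaml — while `regclient/actions/regctl-installer` in forward-compatibility.yaml and release.yaml is already pinned to a full commit SHA. For a commit whose purpose is hardening, pinning these to the resolved commit with the tag kept as a trailing comment, e.g. `uses: azure/setup-helm@<commit-sha>  # v5.0.0`, closes the remaining tag-retargeting exposure and matches the regclient style already in the repository. The `persist-credentials: false` addition itself is correct for this checkout; the job's step list continues outside the hunk.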
@@ -53,6 +60,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v6 + with: + persist-credentials: false - name: Get Golang version id: vars run: | diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index 5fd88ba0cd..373806cb62 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v6 + with: + persist-credentials: false - name: Get Golang version id: vars run: | diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml index a5eaf8eb8d..9dc77c9c0f 100644 --- a/.github/workflows/e2e-tests.yaml +++ b/.github/workflows/e2e-tests.yaml @@ -82,6 +82,8 @@ jobs: steps: - uses: actions/checkout@v6 name: Check out code + with: + persist-credentials: false - name: Download values override file if: ${{ inputs.use_values_override }} uses: actions/download-artifact@v8 @@ -148,6 +150,8 @@ jobs: steps: - uses: actions/checkout@v6 name: Check out code + with: + persist-credentials: false - name: Download values override file if: ${{ inputs.use_values_override }} uses: actions/download-artifact@v8 diff --git a/.github/workflows/forward-compatibility.yaml b/.github/workflows/forward-compatibility.yaml index 0bdbd10c45..6e99a45923 100644 --- a/.github/workflows/forward-compatibility.yaml +++ b/.github/workflows/forward-compatibility.yaml @@ -33,6 +33,8 @@ jobs: contents: read steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install regctl uses: regclient/actions/regctl-installer@148669fe4b19151fcab6e00c6df2db43b9e2b097 diff --git a/.github/workflows/golang-checks.yaml b/.github/workflows/golang-checks.yaml index bf19d27370..6a4fe19830 100644 --- a/.github/workflows/golang-checks.yaml +++ b/.github/workflows/golang-checks.yaml @@ -28,6 +28,8 @@ jobs: steps: - uses: actions/checkout@v6 name: Checkout code + with: + persist-credentials: false - name: Get Golang version id: vars run: | 
@@ -63,6 +65,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v6 + with: + persist-credentials: false - name: Get Golang version id: vars run: | @@ -89,4 +93,6 @@ jobs: steps: - uses: actions/checkout@v6 name: Checkout code + with: + persist-credentials: false - run: make docker-build diff --git a/.github/workflows/image-builds.yaml b/.github/workflows/image-builds.yaml index 1a0a290480..031484620d 100644 --- a/.github/workflows/image-builds.yaml +++ b/.github/workflows/image-builds.yaml @@ -86,6 +86,8 @@ jobs: steps: - uses: actions/checkout@v6 name: Check out code + with: + persist-credentials: false - name: Login to GitHub Container Registry uses: docker/login-action@v4 with: @@ -118,6 +120,8 @@ jobs: steps: - uses: actions/checkout@v6 name: Check out code + with: + persist-credentials: false - name: Login to GitHub Container Registry uses: docker/login-action@v4 with: @@ -146,6 +150,8 @@ jobs: steps: - uses: actions/checkout@v6 name: Check out code + with: + persist-credentials: false - name: Login to GitHub Container Registry uses: docker/login-action@v4 with: @@ -163,4 +169,3 @@ jobs: ${OPERATOR_IMAGE_AMD} \ ${OPERATOR_IMAGE_ARM} docker manifest push ${OPERATOR_MULTIARCH_IMAGE} - diff --git a/.github/workflows/publish-helm-oci-chart.yaml b/.github/workflows/publish-helm-oci-chart.yaml index 022fbb37a1..b8d89c74ce 100644 --- a/.github/workflows/publish-helm-oci-chart.yaml +++ b/.github/workflows/publish-helm-oci-chart.yaml @@ -39,6 +39,8 @@ jobs: steps: - uses: actions/checkout@v6 name: Check out code + with: + persist-credentials: false - name: Set up Helm uses: azure/setup-helm@v5.0.0 diff --git a/.github/workflows/release-image-list.yaml b/.github/workflows/release-image-list.yaml index aa56ec55cf..7aec11b839 100644 --- a/.github/workflows/release-image-list.yaml +++ b/.github/workflows/release-image-list.yaml 
@@ -34,6 +34,7 @@ jobs: name: Check out code with: ref: ${{ github.event.release.tag_name }} + persist-credentials: false - name: Set up Python uses: actions/setup-python@v6 with: @@ -66,6 +67,8 @@ jobs: steps: - uses: actions/checkout@v6 name: Check out code + with: + persist-credentials: false - name: Download image list artifact uses: actions/download-artifact@v8 with: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5bc8be180c..b5aeb6fa92 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -68,6 +68,8 @@ jobs: steps: - uses: actions/checkout@v6 name: Check out code + with: + persist-credentials: false - name: Install regctl uses: regclient/actions/regctl-installer@148669fe4b19151fcab6e00c6df2db43b9e2b097 with: @@ -91,6 +93,8 @@ jobs: steps: - uses: actions/checkout@v6 name: Check out code + with: + persist-credentials: false - name: Login to GitHub Container Registry uses: docker/login-action@v4 with: diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 219bdd586e..051374eeb2 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -5,12 +5,14 @@ on: schedule: - cron: "21 4 * * *" +permissions: {} + jobs: stale: permissions: - actions: write issues: write runs-on: ubuntu-latest + timeout-minutes: 10 steps: - uses: actions/stale@v10