fix: pipeline permissions (#4669)

* fix: pipeline permissions

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* feat: comments and cleanup permissions

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

---------

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

.github/workflows/ci.yml

@@ -138,8 +138,9 @@ jobs:
     if: needs.detect-noop.outputs.noop != 'true'
     uses: ./.github/workflows/publish.yml
     permissions:
-      id-token: write
-      contents: read
+      contents: read  #actions/checkout
+      packages: write #for publishing artifacts
+      id-token: write #for keyless sign
     strategy:
       matrix:
         include:

.github/workflows/codeql.yml

@@ -8,9 +8,6 @@ on:
 
 permissions:
   contents: read
-  packages: read
-  actions: read
-  security-events: read
 
 jobs:
   analyze:
@@ -19,6 +16,8 @@ jobs:
     permissions:
       # required for all workflows
       security-events: write
+      packages: read
+      actions: read 
     strategy:
       fail-fast: false
     steps:

.github/workflows/dlc.yml

@@ -11,6 +11,7 @@ permissions:
 
 jobs:
   fossa-scan:
+    if: secrets.FOSSA_API_KEY != ''
     runs-on: ubuntu-latest
     steps:
       - name: "Checkout Code"

.github/workflows/docs.yml

@@ -13,7 +13,7 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: write #needed to publish documentation
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:

.github/workflows/e2e-managed.yml

@@ -55,9 +55,9 @@ jobs:
   run-e2e-managed:
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
-      checks: write
-      contents: read
+      id-token: write #for oidc auth with aws/gcp/azure
+      checks: write   #publish the commit status
+      contents: read  #for checkout
     if: github.event_name == 'repository_dispatch'
 
     steps:

.github/workflows/e2e.yml

@@ -6,10 +6,6 @@ on:
 
 permissions:
   contents: read
-  issues: read
-  pull-requests: read
-  checks: read
-  statuses: read
 name: e2e tests
 
 env:
@@ -64,9 +60,8 @@ jobs:
   integration-trusted:
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
-      checks: write
-      contents: read
+      id-token: write #for oidc auth with aws/gcp/azure
+      contents: read  #for checkout
     if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
     steps:
 
@@ -82,10 +77,9 @@ jobs:
   integration-fork:
     runs-on: ubuntu-latest
     permissions:
-      id-token: write
-      checks: write
-      contents: read
-      pull-requests: write
+      id-token: write      #for oidc auth with aws/gcp/azure
+      contents: read       #for checkout
+      pull-requests: write # to publish the status as comments
     if: github.event_name == 'repository_dispatch'
     steps:
 

.github/workflows/publish.yml

@@ -45,6 +45,9 @@ jobs:
   build-publish:
     name: Build and Publish
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     outputs:
       image-tag: ${{ steps.container_info.outputs.image-tag }}
     steps:
@@ -138,6 +141,10 @@ jobs:
   sign:
     runs-on: ubuntu-latest
     needs: build-publish
+    permissions:
+      contents: read
+      id-token: write #for keyless sign
+      packages: write #to update packages with added SBOMs.
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/rebuild-image.yml

@@ -35,8 +35,9 @@ jobs:
     uses: ./.github/workflows/publish.yml
     needs: checkout
     permissions:
-      id-token: write
       contents: read
+      id-token: write #for keyless sign
+      packages: write #for updating packages
     strategy:
       matrix:
         include:

.github/workflows/release.yml

@@ -19,7 +19,8 @@ jobs:
   release:
     name: Create Release
     runs-on: ubuntu-latest
-
+    permissions:
+      contents: write # to create a release and push new docs
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -62,8 +63,9 @@ jobs:
         - tag_suffix: "-ubi-boringssl" # ubi image
 
     permissions:
-      id-token: write
-      contents: write
+      contents: write #to update the github release
+      id-token: write #for keyless sign
+      packages: write #to update packages with added SBOMs.
 
     env:
       SOURCE_TAG: ${{ github.event.inputs.source_ref }}${{ matrix.tag_suffix }}

.github/workflows/release_esoctl.yml

@@ -22,7 +22,7 @@ jobs:
     name: Create Release for esoctl
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: write # for publishing the release
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2