Merge pull request #999 from weaveworks/998-fix-token-permissions

ci: Move elevated permissions to run level

.github/workflows/blocked-reminder.yaml

@@ -6,6 +6,9 @@ on:
     # others on Fri.
     - cron: '0 15 * * 1,4'
 
+permissions:
+  issues: read # for actions/github-script to query issues
+
 jobs:
   issue-list:
     runs-on: ubuntu-latest

.github/workflows/build-and-publish.yaml

@@ -6,15 +6,17 @@ on:
       - main
 
 permissions:
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read # for actions/checkout to fetch code
 
 env:
   CONTROLLER: ${{ github.event.repository.name }}
 
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - name: Checkout
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

.github/workflows/docs.yaml

@@ -8,6 +8,9 @@ on:
       - '.github/workflows/docs.yaml'
       - 'mkdocs.yml'
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
   publish:
     runs-on: ubuntu-latest

.github/workflows/helm-release.yaml

@@ -3,16 +3,18 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read # for actions/checkout to fetch code
 
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
-      - name: Publish Helm chart
+      - name: Publish Helm chart in GitHub Pages
         uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ossf.yaml

@@ -15,10 +15,8 @@ jobs:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed if using Code scanning alerts
-      security-events: write
-      # Needed for GitHub OIDC token if publish_results is true
-      id-token: write
+      security-events: write # needed if using Code scanning alerts
+      id-token: write # needed for GitHub OIDC token if publish_results is true
 
     steps:
       - name: "Checkout code"

.github/workflows/release-runners.yaml

@@ -13,9 +13,7 @@ on:
         required: true
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read # for actions/checkout to fetch code
 
 env:
   VERSION: ${{ github.event.inputs.version }}
@@ -24,6 +22,10 @@ env:
 jobs:
   release-base:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - name: Check out
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
@@ -64,6 +66,10 @@ jobs:
   release-mpl:
     needs: release-base
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     strategy:
       matrix:
         tf_version: [1.0.11, 1.1.9, 1.2.9, 1.3.9, 1.4.6, 1.5.5]

.github/workflows/release.yaml

@@ -11,16 +11,18 @@ on:
         required: true
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read # for actions/checkout to fetch code
 
 env:
   CONTROLLER: ${{ github.event.repository.name }}
 
 jobs:
   build-push:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - name: Check out
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

.github/workflows/scan.yaml

@@ -9,7 +9,6 @@ on:
 
 permissions:
   contents: read # for actions/checkout to fetch code
-  security-events: write # for codeQL to write security events
 
 jobs:
   fossa:
@@ -27,6 +26,8 @@ jobs:
   codeql:
     name: CodeQL
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write # for codeQL to write security events
     steps:
       - name: Checkout repository
         uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0

.github/workflows/targeted-test.yaml

@@ -4,6 +4,10 @@ on:
       pattern:
         required: true
         type: string
+
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
   targeted-test:
     runs-on: ubuntu-latest

.github/workflows/test.yaml

@@ -14,6 +14,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read # for actions/checkout to fetch code
+
 jobs:
   test-1x-2x:
     name: "Controller Tests: 10->29"

go.mod

@@ -164,12 +164,12 @@ require (
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.25.0 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/crypto v0.13.0 // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/oauth2 v0.9.0 // indirect
 	golang.org/x/sys v0.12.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
+	golang.org/x/term v0.12.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
 	golang.org/x/tools v0.13.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
@@ -192,9 +192,6 @@ replace (
 	// v0.15.1-0.20220809152546-4850a69faedb is actually the v0.16.1a tag of the fork
 	github.com/hashicorp/terraform-exec v0.16.1 => github.com/tf-controller/terraform-exec v0.15.1-0.20220809152546-4850a69faedb
 
-	// Fix CVE-2022-41723
-	golang.org/x/net => golang.org/x/net v0.7.0
-
 	// Fix CVE-2023-32731
 	google.golang.org/grpc => google.golang.org/grpc v1.53.0