Add read-only token permissions to GitHub Action workflows (vitessio#…

…12718)

* Workflow templates set read-only permissions

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* Regenerate workflows with read-only permissions

Almost all workflows recreated with `make generate_ci_workflows`.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

* restrict permissions in more places

Signed-off-by: Florent Poinsard <florent.poinsard@outlook.fr>

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
Signed-off-by: Florent Poinsard <florent.poinsard@outlook.fr>
Co-authored-by: Florent Poinsard <florent.poinsard@outlook.fr>

.github/workflows/check_label.yml

@@ -7,6 +7,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Check Pull Request labels')
   cancel-in-progress: true
 
+permissions: read-all
+
 jobs:
   check_pull_request_labels:
     name: Check Pull Request labels

.github/workflows/check_make_vtadmin_authz_testgen.yml

@@ -1,7 +1,9 @@
 name: check_make_vtadmin_authz_testgen
 on: [push, pull_request]
-jobs:
 
+permissions: read-all
+
+jobs:
   build:
     name: Check Make vtadmin_authz_testgen
     runs-on: ubuntu-22.04

.github/workflows/check_make_vtadmin_web_proto.yml

@@ -1,7 +1,9 @@
 name: check_make_vtadmin_web_proto
 on: [push, pull_request]
-jobs:
 
+permissions: read-all
+
+jobs:
   build:
     name: Check Make VTAdmin Web Proto
     runs-on: ubuntu-22.04

.github/workflows/close_stale_pull_requests.yml

@@ -5,12 +5,14 @@ on:
 
   workflow_dispatch: {}
 
-permissions:
-  pull-requests: write
+permissions: read-all
 
 jobs:
   close_stale_pull_requests:
     runs-on: ubuntu-22.04
+    permissions:
+      pull-requests: write
+
     steps:
       - uses: actions/stale@v5
         with:

.github/workflows/cluster_endtoend_12.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (12)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_13.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (13)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_15.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (15)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_18.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (18)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_21.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (21)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_22.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (22)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_backup_pitr.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (backup_pitr)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_backup_pitr_mysql57.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (backup_pitr) mysql57')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_ers_prs_newfeatures_heavy.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (ers_prs_newfeatures_heavy)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_mysql80.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (mysql80)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_mysql_server_vault.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (mysql_server_vault)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_ghost.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_ghost)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_ghost_mysql57.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_ghost) mysql57')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_revert.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_revert)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_revert_mysql57.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_revert) mysql57')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_scheduler.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_scheduler)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_scheduler_mysql57.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_scheduler) mysql57')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_vrepl.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_vrepl)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_vrepl_mysql57.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_vrepl) mysql57')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_vrepl_stress.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_vrepl_stress)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_vrepl_stress_mysql57.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_vrepl_stress) mysql57')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_vrepl_stress_suite.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_vrepl_stress_suite)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_vrepl_stress_suite_mysql57.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_vrepl_stress_suite) mysql57')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_vrepl_suite.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_vrepl_suite)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_onlineddl_vrepl_suite_mysql57.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (onlineddl_vrepl_suite) mysql57')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_schemadiff_vrepl.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (schemadiff_vrepl)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_schemadiff_vrepl_mysql57.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (schemadiff_vrepl) mysql57')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_tabletmanager_consul.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (tabletmanager_consul)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_tabletmanager_tablegc.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (tabletmanager_tablegc)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_tabletmanager_tablegc_mysql57.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (tabletmanager_tablegc) mysql57')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_tabletmanager_throttler.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (tabletmanager_throttler)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_tabletmanager_throttler_custom_config.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (tabletmanager_throttler_custom_config)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_tabletmanager_throttler_topo.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (tabletmanager_throttler_topo)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_topo_connection_cache.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (topo_connection_cache)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_vreplication_across_db_versions.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (vreplication_across_db_versions)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_vreplication_basic.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (vreplication_basic)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_vreplication_cellalias.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (vreplication_cellalias)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_vreplication_migrate_vdiff2_convert_tz.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (vreplication_migrate_vdiff2_convert_tz)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"

.github/workflows/cluster_endtoend_vreplication_multicell.yml

@@ -6,6 +6,8 @@ concurrency:
   group: format('{0}-{1}', ${{ github.ref }}, 'Cluster (vreplication_multicell)')
   cancel-in-progress: true
 
+permissions: read-all
+
 env:
   LAUNCHABLE_ORGANIZATION: "vitess"
   LAUNCHABLE_WORKSPACE: "vitess-app"