From d8fb1e8e4e3d942ce29742bf3806982220a0c472 Mon Sep 17 00:00:00 2001 From: Ashley Harrison Date: Fri, 2 May 2025 12:13:05 +0100 Subject: [PATCH] Chore: Harden action permissions (#104820) * harden action permissions * Update .github/workflows/ephemeral-instances-pr-comment.yml Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com> * update documentation-ci --------- Co-authored-by: Kevin Minehart <5140827+kminehart@users.noreply.github.com> --- .github/workflows/analytics-events-report.yml | 4 ++++ .github/workflows/codeowners-validator.yml | 8 ++++++-- .github/workflows/deploy-pr-preview.yml | 5 +++++ .github/workflows/documentation-ci.yml | 7 +++++++ .../workflows/ephemeral-instances-pr-comment.yml | 7 +++++++ .github/workflows/feature-toggles-ci.yml | 6 ++++++ .github/workflows/lint-build-docs.yml | 16 +++++++++++----- .github/workflows/pr-commands.yml | 4 ++++ .github/workflows/pr-e2e-tests.yml | 8 ++++++++ .github/workflows/pr-test-integration.yml | 8 ++++++++ .github/workflows/storybook-verification.yml | 12 ++++++++---- 11 files changed, 74 insertions(+), 11 deletions(-) diff --git a/.github/workflows/analytics-events-report.yml b/.github/workflows/analytics-events-report.yml index 42f601b793b..af265157337 100644 --- a/.github/workflows/analytics-events-report.yml +++ b/.github/workflows/analytics-events-report.yml @@ -3,9 +3,13 @@ name: Analytics Events Report on: workflow_dispatch: +permissions: {} + jobs: generate-report: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v4 diff --git a/.github/workflows/codeowners-validator.yml b/.github/workflows/codeowners-validator.yml index 41afde3a822..da01ffcd3c4 100644 --- a/.github/workflows/codeowners-validator.yml +++ b/.github/workflows/codeowners-validator.yml 
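Review bot: The `contents: read` floor on `generate-report` is right, but the checkout it feeds (`uses: actions/checkout@v4`) still references a mutable major tag and the hunk shows no `persist-credentials: false`, so the job token is by default persisted in the workspace's git config for later steps to read; the step's `with:` block, if it has one, lies outside the hunk. The same pair — tag-pinned checkout with no visible `persist-credentials: false` — appears in the hunks for codeowners-validator.yml, feature-toggles-ci.yml, lint-build-docs.yml and pr-test-integration.yml, whereas storybook-verification.yml already sets it. Adding `with:` / `persist-credentials: false` as storybook-verification.yml does, and pinning to a full commit SHA with a `# vX.Y.Z` trailing comment, would finish the hardening for these jobs.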
@@ -4,9 +4,13 @@ on: pull_request: branches: [ main ] +permissions: {} + jobs: codeowners-validator: runs-on: ubuntu-latest + permissions: + contents: read steps: # Checks-out your repository, which is validated in the next step - uses: actions/checkout@v4 @@ -23,7 +27,7 @@ jobs: # "The comma-separated list of experimental checks that should be executed. By default, all experimental checks are turned off. Possible values: notowned,avoid-shadowing" experimental_checks: "notowned,avoid-shadowing" - + # The repository path in which CODEOWNERS file should be validated." repository_path: "." @@ -37,4 +41,4 @@ jobs: owner_checker_allow_unowned_patterns: "false" # Specifies whether only teams are allowed as owners of files. - owner_checker_owners_must_be_teams: "false" + owner_checker_owners_must_be_teams: "false" diff --git a/.github/workflows/deploy-pr-preview.yml b/.github/workflows/deploy-pr-preview.yml index 5c8f4733eeb..dcfdfda6093 100644 --- a/.github/workflows/deploy-pr-preview.yml +++ b/.github/workflows/deploy-pr-preview.yml @@ -9,8 +9,13 @@ on: paths: - "docs/sources/**" +permissions: {} + jobs: deploy-pr-preview: + permissions: + contents: read + pull-requests: write if: "!github.event.pull_request.head.repo.fork" uses: grafana/writers-toolkit/.github/workflows/deploy-preview.yml@main # zizmor: ignore[unpinned-uses] with: diff --git a/.github/workflows/documentation-ci.yml b/.github/workflows/documentation-ci.yml index 30c2516412f..7a49fe493e4 100644 --- a/.github/workflows/documentation-ci.yml +++ b/.github/workflows/documentation-ci.yml @@ -4,9 +4,16 @@ on: branches: ["main"] paths: ["docs/sources/**"] workflow_dispatch: + +permissions: {} + jobs: vale: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + security-events: write container: image: grafana/vale:latest steps: diff --git a/.github/workflows/ephemeral-instances-pr-comment.yml b/.github/workflows/ephemeral-instances-pr-comment.yml index ed6b98bbce2..e128fa0d8fa 100644 
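Review bot: The `pull-requests: write` scope added to `deploy-pr-preview` is passed straight through to `deploy-preview.yml@main`, a mutable ref in another repository, so the API calls that scope actually enables cannot be reviewed from this file. A comment on the grant naming what the called workflow needs it for — presumably posting the preview link on the PR, though the called workflow is not visible here — would keep the grant auditable, e.g. `# pull-requests: write: required by deploy-preview.yml (writers-toolkit) to comment the preview URL; re-check when bumping the ref`. The existing fork guard on `if:` is the right companion for a write scope and should stay adjacent to it.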
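Review bot: The `vale` job now carries `pull-requests: write` and `security-events: write`, and because the job runs inside `container: image: grafana/vale:latest` (the line directly below the new block) those write scopes are exposed to whatever that floating tag resolves to at run time. Pinning the image by digest (`image: grafana/vale@sha256:<DIGEST>`, placeholder) or at least to a fixed tag would bound that exposure, and a comment naming the step behind each scope — `security-events: write` suggests a SARIF upload and `pull-requests: write` review annotations, neither visible in the hunk — lets a later reviewer drop a scope once its step is gone. The steps that consume these scopes are outside the hunk.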
--- a/.github/workflows/ephemeral-instances-pr-comment.yml +++ b/.github/workflows/ephemeral-instances-pr-comment.yml @@ -4,6 +4,9 @@ on: types: [created] pull_request: types: [closed] + +permissions: {} + jobs: config: runs-on: "ubuntu-latest" @@ -26,6 +29,10 @@ jobs: fi handle-pull-request-event: + permissions: + id-token: write + contents: read + pull-requests: write needs: config if: needs.config.outputs.has-secrets && ${{ github.event.issue.pull_request && (startsWith(github.event.comment.body, '/deploy-to-hg') || github.event.action == 'closed') }} diff --git a/.github/workflows/feature-toggles-ci.yml b/.github/workflows/feature-toggles-ci.yml index a6c9f5c52dc..ab1aa9b2dca 100644 --- a/.github/workflows/feature-toggles-ci.yml +++ b/.github/workflows/feature-toggles-ci.yml @@ -7,9 +7,15 @@ on: - 'pkg/services/featuremgmt/registry.go' - 'docs/sources/setup-grafana/configure-grafana/feature-toggles/index.md' +permissions: {} + jobs: test: runs-on: ubuntu-latest + + permissions: + contents: read + steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/lint-build-docs.yml b/.github/workflows/lint-build-docs.yml index c9da22210b6..667a8215565 100644 --- a/.github/workflows/lint-build-docs.yml +++ b/.github/workflows/lint-build-docs.yml @@ -16,10 +16,16 @@ on: - 'packages/**/*.md' - 'latest.json' +permissions: {} + jobs: docs: name: Build & Verify Docs runs-on: ubuntu-latest + + permissions: + contents: read + steps: - name: Checkout code uses: actions/checkout@v4 
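Review bot: The new `id-token: write` / `pull-requests: write` grant on `handle-pull-request-event` depends on the job's `if:` gate, but that condition mixes a bare expression with `${{ ... }}` (`needs.config.outputs.has-secrets && ${{ github.event.issue.pull_request && ... }}`), a form actionlint reports as always evaluating to true because of the characters outside the braces; worth confirming against the runner before relying on it. Folding the whole condition into one expression removes the ambiguity: `if: ${{ needs.config.outputs.has-secrets == 'true' && github.event.issue.pull_request && (startsWith(github.event.comment.body, '/deploy-to-hg') || github.event.action == 'closed') }}`. The `== 'true'` comparison matters on its own too, since job outputs are strings and a literal `'false'` is truthy in expressions; the same bare `if: needs.config.outputs.has-secrets` gate guards the `main` job in pr-commands.yml. How the `config` job sets `has-secrets` is not visible (its body ends just above the hunk), so check the emitted value before changing the comparison.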
@@ -45,18 +51,18 @@ jobs: run: | # Create and start a container from the docs-base image in detached mode docker run -d --name docs-builder grafana/docs-base:latest tail -f /dev/null - + # Create the directory structure inside the container docker exec docs-builder mkdir -p /hugo/content/docs/grafana/latest - + # Create the _index.md file docker exec docs-builder /bin/sh -c "echo -e '---\nredirectURL: /docs/grafana/latest/\ntype: redirect\nversioned: true\n---\n' > /hugo/content/docs/grafana/_index.md" - + # Copy the docs sources from the host to the container docker cp docs/sources/. docs-builder:/hugo/content/docs/grafana/latest/ - + # Run the make prod command inside the container docker exec -w /hugo docs-builder make prod || echo "Build completed with warnings" - + # Clean up the container docker rm -f docs-builder diff --git a/.github/workflows/pr-commands.yml b/.github/workflows/pr-commands.yml index 518c25dfeaa..8fc9ff0931e 100644 --- a/.github/workflows/pr-commands.yml +++ b/.github/workflows/pr-commands.yml @@ -5,6 +5,7 @@ on: - labeled - opened - synchronize +permissions: {} concurrency: group: pr-commands-${{ github.event.number }} jobs: @@ -26,6 +27,9 @@ jobs: main: needs: config + permissions: + contents: read + pull-requests: write if: needs.config.outputs.has-secrets runs-on: ubuntu-latest steps: diff --git a/.github/workflows/pr-e2e-tests.yml b/.github/workflows/pr-e2e-tests.yml index 969d0a3158e..37d0ff2a3a3 100644 --- a/.github/workflows/pr-e2e-tests.yml +++ b/.github/workflows/pr-e2e-tests.yml @@ -11,10 +11,14 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }} +permissions: {} + jobs: build-grafana: name: Build & Package Grafana runs-on: ubuntu-latest-16-cores + permissions: + contents: read outputs: artifact: ${{ steps.artifact.outputs.artifact }} steps: 
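Review bot: In pr-commands.yml the top-level `permissions: {}` is wedged between the `synchronize` trigger type and `concurrency:` with no blank line on either side, while every other workflow in this change separates it from its neighbours with blank lines. Adding a blank line above and below `permissions: {}` keeps the layout consistent across the workflows and makes the top-level stanza easy to spot when auditing.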
@@ -42,6 +46,8 @@ jobs: name: ${{ steps.artifact.outputs.artifact }} path: grafana.tar.gz e2e-matrix: + permissions: + contents: read name: ${{ matrix.suite }} strategy: fail-fast: false @@ -58,6 +64,8 @@ jobs: package: ${{ needs.build-grafana.outputs.artifact }} suite: ${{ matrix.suite }} e2e-matrix-old-arch: + permissions: + contents: read name: ${{ matrix.suite }} (old arch) strategy: fail-fast: false diff --git a/.github/workflows/pr-test-integration.yml b/.github/workflows/pr-test-integration.yml index 0f5c2f34a6e..725eea0b92a 100644 --- a/.github/workflows/pr-test-integration.yml +++ b/.github/workflows/pr-test-integration.yml @@ -11,10 +11,14 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: ${{ startsWith(github.ref, 'refs/pull/') }} +permissions: {} + jobs: sqlite: name: Sqlite runs-on: ubuntu-latest-8-cores + permissions: + contents: read steps: - name: Checkout code uses: actions/checkout@v4 @@ -31,6 +35,8 @@ jobs: mysql: name: MySQL runs-on: ubuntu-latest-8-cores + permissions: + contents: read env: GRAFANA_TEST_DB: mysql MYSQL_HOST: 127.0.0.1 @@ -63,6 +69,8 @@ jobs: postgres: name: Postgres runs-on: ubuntu-latest-8-cores + permissions: + contents: read services: postgres: image: postgres:12.3-alpine diff --git a/.github/workflows/storybook-verification.yml b/.github/workflows/storybook-verification.yml index c50b7533d0d..fa5b6dfd3ea 100644 --- a/.github/workflows/storybook-verification.yml +++ b/.github/workflows/storybook-verification.yml 
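Review bot: In `e2e-matrix` and `e2e-matrix-old-arch` the new `permissions:` block sits above `name:`, whereas every other job touched by this change places it after `name:`/`runs-on:`; moving it below `name:` keeps the job layout uniform across the workflows. Both jobs appear to invoke a reusable workflow (`with:` carrying `package:` and `suite:`), so `contents: read` here acts as the ceiling for whatever the called workflow requests — appropriate for a read-only caller, but the called workflow itself is outside this diff.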
@@ -14,26 +14,30 @@ on: - '!docs/**' - '!*.md' +permissions: {} + jobs: verify-storybook: name: Verify Storybook runs-on: ubuntu-latest - + permissions: + contents: read + steps: - name: Checkout code uses: actions/checkout@v4 with: persist-credentials: false - + - name: Setup Node.js uses: actions/setup-node@v4 with: node-version-file: 'package.json' cache: 'yarn' - + - name: Install dependencies run: yarn install --immutable - + - name: Run Storybook and E2E tests uses: cypress-io/github-action@108b8684ae52e735ff7891524cbffbcd4be5b19f with: