Merge pull request #4679 from ornladios/copilot/restrict-workflow-token-permissions

Restrict workflow token permissions to minimal required access

Author: vicentebolea

.github/workflows/everything.yml

@@ -36,6 +36,9 @@ on:
       - master
       - release*
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
@@ -113,6 +116,9 @@ jobs:
     if: needs.git_checks.outputs.num_code_changes > 0
 
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      actions: write  # for cache save
     container:
       image: ghcr.io/ornladios/adios2:ci-spack-${{ matrix.os }}-${{ matrix.compiler }}
       options: --shm-size=1g
@@ -211,6 +217,9 @@ jobs:
     if: needs.git_checks.outputs.num_code_changes > 0
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write  # for cache save
     container:
       image: ghcr.io/ornladios/adios2:ci-el8-${{ matrix.compiler }}
       options: --shm-size=1g
@@ -275,6 +284,9 @@ jobs:
     if: needs.git_checks.outputs.num_code_changes > 0
 
     runs-on: ${{ matrix.image }}
+    permissions:
+      contents: read
+      actions: write  # for cache save
     env:
       # Only way to source a file in a non interactive/non login shell.
       BASH_ENV: "/Users/runner/.bash_profile"
@@ -414,6 +426,9 @@ jobs:
     if: needs.git_checks.outputs.num_code_changes > 0
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write  # for upload-artifact
     strategy:
       fail-fast: false
       matrix:
@@ -479,6 +494,9 @@ jobs:
     if: needs.git_checks.outputs.num_code_changes > 0
 
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read  # for download-artifact
     strategy:
       fail-fast: false
       matrix:
@@ -543,7 +561,7 @@ jobs:
         GH_YML_MATRIX_COMPILER: gcc8
         GH_YML_MATRIX_PARALLEL: serial
     permissions:
-      actions: read
+      actions: write  # for cache save and upload-artifact
       contents: read
       security-events: write
 

.github/workflows/external.yml

@@ -3,11 +3,16 @@ on:
   push:
   pull_request_target:
 
-permissions: write-all
+permissions:
+  contents: read
+  statuses: write
 
 jobs:
   generate_statuses:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      statuses: write
     steps:
       - uses: actions/checkout@v4
       - uses: Kitware/cdash-status@release

.github/workflows/pypackaging.yml

@@ -32,6 +32,9 @@ jobs:
   make_sdist:
     name: Make SDist
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: write  # for upload-artifact
     steps:
       - uses: actions/checkout@v4
         with:
@@ -51,6 +54,9 @@ jobs:
   build_wheels:
     name: Wheel on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+      actions: write  # for upload-artifact
     strategy:
       fail-fast: false
       matrix:
@@ -79,6 +85,8 @@ jobs:
     needs: [build_wheels, make_sdist]
     environment: pypi
     permissions:
+      contents: read
+      actions: read  # for download-artifact
       id-token: write
     runs-on: ubuntu-latest
     if: |
@@ -100,6 +108,8 @@ jobs:
     needs: [build_wheels, make_sdist]
     environment: testpypi
     permissions:
+      contents: read
+      actions: read  # for download-artifact
       id-token: write
     runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch' && github.event.inputs.pypiServer == 'testpypi'

.github/workflows/stale.yml

@@ -4,9 +4,18 @@ on:
     - cron: '30 2 * * *'
   workflow_dispatch:
 
+permissions:
+  contents: read
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/stale@v9
         with: