Polish gh-11367

2022-07-26 15:31:10 -05:00 · 2022-07-26 15:31:10 -05:00 · 6ad567f0fa
parent 8c634f8a9d
commit 6ad567f0fa
5 changed files with 29 additions and 5 deletions
--- a/.github/workflows/backport-bot.yml
+++ b/.github/workflows/backport-bot.yml
@ -8,9 +8,15 @@ on:
  push:
    branches:
      - '*.x'
+permissions:
+  contents: read
 jobs:
  build:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-java@v3
--- a/.github/workflows/clean_build_artifacts.yml
+++ b/.github/workflows/clean_build_artifacts.yml
@ -8,9 +8,9 @@ permissions:

 jobs:
  main:
+    runs-on: ubuntu-latest
    permissions:
      contents: none
-    runs-on: ubuntu-latest
    steps:
      - name: Delete artifacts in cron job
        env:
--- a/.github/workflows/continuous-integration-workflow.yml
+++ b/.github/workflows/continuous-integration-workflow.yml
@ -20,6 +20,9 @@ env:
  ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
  RUN_JOBS: ${{ github.repository == 'spring-projects/spring-security' }}

+permissions:
+  contents: read
+
 jobs:
  prerequisites:
    name: Pre-requisites for building
@ -232,11 +235,11 @@ jobs:
          DOCS_SSH_KEY: ${{ secrets.DOCS_SSH_KEY }}
          DOCS_HOST: ${{ secrets.DOCS_HOST }}
  perform_release:
-    permissions:
-      contents: write  # for Git to git push
    name: Perform release
    needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
    runs-on: ubuntu-latest
+    permissions:
+      contents: write
    timeout-minutes: 90
    if: ${{ !endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
    env:
@ -325,6 +328,9 @@ jobs:
    name: Perform post-release
    needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
    timeout-minutes: 90
    if: ${{ endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
    env:
@ -343,6 +349,8 @@ jobs:
    needs: [build_jdk_11, snapshot_tests, check_samples, check_tangles, deploy_artifacts, deploy_docs, deploy_schema, perform_release, perform_post_release]
    if: failure()
    runs-on: ubuntu-latest
+    permissions:
+      actions: read
    steps:
      - name: Send Slack message
        # Workaround while waiting for Gamesight/slack-workflow-status#38 to be fixed
--- a/.github/workflows/milestone-spring-releasetrain.yml
+++ b/.github/workflows/milestone-spring-releasetrain.yml
@ -5,12 +5,14 @@ on:
 env:
  DUE_ON: ${{ github.event.milestone.due_on }}
  TITLE: ${{ github.event.milestone.title }}
+permissions:
+  contents: read
 jobs:
  spring-releasetrain-checks:    
-    permissions:
-      contents: none
    name: Check DueOn is on a Release Date
    runs-on: ubuntu-latest
+    permissions:
+      contents: none
    steps:
    - name: Print Milestone Being Checked
      run: echo "Validating DueOn '$DUE_ON' for milestone '$TITLE'"
@ -25,6 +27,8 @@ jobs:
    needs: [spring-releasetrain-checks]
    if: failure()
    runs-on: ubuntu-latest
+    permissions:
+      actions: read
    steps:
      - name: Send Slack message
        uses: Gamesight/slack-workflow-status@v1.0.1
--- a/.github/workflows/update-scheduled-release-version.yml
+++ b/.github/workflows/update-scheduled-release-version.yml
@ -9,11 +9,17 @@ env:
  GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
  GRADLE_ENTERPRISE_SECRET_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}

+permissions:
+  contents: read
+
 jobs:
  update_scheduled_release_version:
    name: Initiate Release If Scheduled
    if: ${{ github.repository == 'spring-projects/spring-security' }}
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
    steps:
      - id: checkout-source
        name: Checkout Source Code