From 6ad567f0fab52f2caf9155091c352cdbe5447c8f Mon Sep 17 00:00:00 2001 From: Steve Riesenberg Date: Tue, 26 Jul 2022 15:31:10 -0500 Subject: [PATCH] Polish gh-11367 --- .github/workflows/backport-bot.yml | 6 ++++++ .github/workflows/clean_build_artifacts.yml | 2 +- .../workflows/continuous-integration-workflow.yml | 12 ++++++++++-- .github/workflows/milestone-spring-releasetrain.yml | 8 ++++++-- .../workflows/update-scheduled-release-version.yml | 6 ++++++ 5 files changed, 29 insertions(+), 5 deletions(-) diff --git a/.github/workflows/backport-bot.yml b/.github/workflows/backport-bot.yml index c964943936..417a638abd 100644 --- a/.github/workflows/backport-bot.yml +++ b/.github/workflows/backport-bot.yml @@ -8,9 +8,15 @@ on: push: branches: - '*.x' +permissions: + contents: read jobs: build: runs-on: ubuntu-latest + permissions: + contents: read + issues: write + pull-requests: write steps: - uses: actions/checkout@v3 - uses: actions/setup-java@v3 diff --git a/.github/workflows/clean_build_artifacts.yml b/.github/workflows/clean_build_artifacts.yml index 84ffd72b99..81fd851ba5 100644 --- a/.github/workflows/clean_build_artifacts.yml +++ b/.github/workflows/clean_build_artifacts.yml @@ -8,9 +8,9 @@ permissions: jobs: main: + runs-on: ubuntu-latest permissions: contents: none - runs-on: ubuntu-latest steps: - name: Delete artifacts in cron job env: diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml index 5edde35b65..f4296c7964 100644 --- a/.github/workflows/continuous-integration-workflow.yml +++ b/.github/workflows/continuous-integration-workflow.yml @@ -20,6 +20,9 @@ env: ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }} RUN_JOBS: ${{ github.repository == 'spring-projects/spring-security' }} +permissions: + contents: read + jobs: prerequisites: name: Pre-requisites for building 
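Review bot: The new job-level grants `issues: write` and `pull-requests: write` in backport-bot.yml carry no rationale, and because a job-level `permissions` map replaces the workflow-level one entirely, this block is the only place a reader learns what the token may do; annotate each line, e.g. `issues: write  # backport bot: label/comment on issues` and `pull-requests: write  # backport bot: open/label backport PRs`, adjusted to what the steps actually do (they continue past the hunk). The visible trigger is `push` to `*.x`, but the `on:` block starts above the hunk — if it also includes `pull_request_target` or `issue_comment`, `actions/checkout` under a write-capable token must pin `ref:` to the base branch rather than the event's head. The `uses:` lines pin by mutable tag (`@v3`); a commit SHA would keep this permissions hardening from being undone by a tag move.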
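Review bot: The workflow-level `permissions: contents: read` added to continuous-integration-workflow.yml is a sound default, but the `env:` block directly above it still injects `ARTIFACTORY_PASSWORD` (and whatever precedes it outside the hunk) into every step of every job, including third-party actions that never need it, so the reduced token does not reduce that exposure. Scope these secrets with `env:` on the publishing steps, or at least on the job that deploys artifacts. The `RUN_JOBS` fork guard deserves a one-line comment, e.g. `# secret-bearing/publishing jobs run only in the canonical repository`.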
@@ -232,11 +235,11 @@ jobs: DOCS_SSH_KEY: ${{ secrets.DOCS_SSH_KEY }} DOCS_HOST: ${{ secrets.DOCS_HOST }} perform_release: - permissions: - contents: write # for Git to git push name: Perform release needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema] runs-on: ubuntu-latest + permissions: + contents: write timeout-minutes: 90 if: ${{ !endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }} env: @@ -325,6 +328,9 @@ jobs: name: Perform post-release needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema] runs-on: ubuntu-latest + permissions: + contents: read + issues: write timeout-minutes: 90 if: ${{ endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }} env: @@ -343,6 +349,8 @@ jobs: needs: [build_jdk_11, snapshot_tests, check_samples, check_tangles, deploy_artifacts, deploy_docs, deploy_schema, perform_release, perform_post_release] if: failure() runs-on: ubuntu-latest + permissions: + actions: read steps: - name: Send Slack message # Workaround while waiting for Gamesight/slack-workflow-status#38 to be fixed diff --git a/.github/workflows/milestone-spring-releasetrain.yml b/.github/workflows/milestone-spring-releasetrain.yml index 5d758ebcb4..67bbb104b2 100644 --- a/.github/workflows/milestone-spring-releasetrain.yml +++ b/.github/workflows/milestone-spring-releasetrain.yml @@ -5,12 +5,14 @@ on: env: DUE_ON: ${{ github.event.milestone.due_on }} TITLE: ${{ github.event.milestone.title }} +permissions: + contents: read jobs: spring-releasetrain-checks: - permissions: - contents: none name: Check DueOn is on a Release Date runs-on: ubuntu-latest + permissions: + contents: none steps: - name: Print Milestone Being Checked run: echo "Validating DueOn '$DUE_ON' for milestone '$TITLE'" @@ -25,6 +27,8 @@ jobs: needs: [spring-releasetrain-checks] if: failure() runs-on: ubuntu-latest + permissions: + actions: read steps: - name: Send Slack message uses: Gamesight/slack-workflow-status@v1.0.1 
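Review bot: Moving the `permissions` block under `runs-on` in `perform_release` drops the `# for Git to git push` justification that was attached to `contents: write`; restore it as `contents: write # for Git to git push` so the one write-capable job in the workflow stays self-explaining. `contents: write` also lets `GITHUB_TOKEN` create releases and tags, so if pushing the release commit is the sole intended use the comment should say so. The job's `env:` and steps continue past the hunk.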
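Review bot: `issues: write` on `perform_post_release` is undocumented, and it is broader than it looks — the `issues` scope also covers labels and milestones — so name its consumer inline, e.g. `issues: write # close milestone / open next-release issue`, adjusted to the actual post-release steps (outside the hunk). Ideally only the step that needs it runs with that token, with the others using a read-only one; please confirm against the job body.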
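Review bot: The new `permissions: actions: read` on the CI notify job is its only grant — a job-level map replaces the workflow-level `contents: read` entirely — so a future `actions/checkout` step added here would fail with an unobvious 403; a comment makes the intent explicit: `actions: read # slack-workflow-status reads job results via the Actions API`. The existing `# Workaround while waiting for Gamesight/slack-workflow-status#38` comment suggests the step differs from the plain `@v1.0.1` use in milestone-spring-releasetrain.yml; the two should converge once that issue is resolved. The step body continues past the hunk.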
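Review bot: The milestone notify job's new `actions: read` is handed to `Gamesight/slack-workflow-status@v1.0.1`, a third-party action pinned by mutable tag rather than commit SHA; an action that receives `GITHUB_TOKEN` (and presumably a Slack webhook or token, which is outside the hunk) is exactly where SHA pinning pays for itself. Annotate the grant as in the CI workflow, e.g. `actions: read # slack-workflow-status reads job results via the Actions API`, and note that this job deliberately has no `contents` access since it never checks out the repository.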
diff --git a/.github/workflows/update-scheduled-release-version.yml b/.github/workflows/update-scheduled-release-version.yml index d9ae79c77f..34e564ba0c 100644 --- a/.github/workflows/update-scheduled-release-version.yml +++ b/.github/workflows/update-scheduled-release-version.yml @@ -9,11 +9,17 @@ env: GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }} GRADLE_ENTERPRISE_SECRET_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }} +permissions: + contents: read + jobs: update_scheduled_release_version: name: Initiate Release If Scheduled if: ${{ github.repository == 'spring-projects/spring-security' }} runs-on: ubuntu-latest + permissions: + contents: read + actions: read steps: - id: checkout-source name: Checkout Source Code
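Review bot: The job is named `Initiate Release If Scheduled` yet `GITHUB_TOKEN` receives only `contents: read` and `actions: read`, which cannot push a commit, create a tag, or dispatch a workflow; either the initiating step uses a separately stored token — in which case say so beside the grant, e.g. `actions: read # release is triggered with a PAT, not GITHUB_TOKEN` — or the grant is insufficient, and the steps are outside the hunk, so please confirm. `actions: read` has no obvious consumer in a job whose visible step only checks out source, so each grant should state what uses it. The workflow-level `env:` still exposes the Gradle Enterprise secrets to every step, including third-party actions; scoping them to the Gradle steps that need them would complete the least-privilege work this commit starts.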