Fix for address token-permission vulnerability

KU-2045
canonical · Nov 19, 2024 · e8dcf0f · e8dcf0f
1 parent 19b9957
commit e8dcf0f
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 3 deletions.
diff --git a/.github/workflows/automatic-doc-checks.yml b/.github/workflows/automatic-doc-checks.yml
@@ -3,13 +3,20 @@ name: Core Documentation Checks
 on:
   - workflow_dispatch
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   documentation-checks:
-    uses: canonical/documentation-workflows/.github/workflows/documentation-checks.yaml@main
-    with:
-      working-directory: 'docs/moonray'
+    - name: Harden Runner
+      uses: step-security/harden-runner@v2
+      with:
+        egress-policy: audit
+    - uses: canonical/documentation-workflows/.github/workflows/documentation-checks.yaml@main
+      with:
+        working-directory: 'docs/moonray'
 
diff --git a/.github/workflows/docs-spelling-checks.yml b/.github/workflows/docs-spelling-checks.yml
@@ -5,11 +5,17 @@ on:
   # pull_request:
   #   paths:
   #     - 'docs/**'
+permissions:
+  contents: read
 
 jobs:
   spell-check:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
       - name: Install aspell
         run: sudo apt-get install aspell aspell-en

diff --git a/.github/workflows/integration.yaml b/.github/workflows/integration.yaml
@@ -53,6 +53,10 @@ jobs:
     name: Test Branch Management
     runs-on: ubuntu-20.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Check out code
         uses: actions/checkout@v4
         with:
@@ -77,6 +81,10 @@ jobs:
     needs: build
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Check out code
         uses: actions/checkout@v4
       - name: Setup Python

diff --git a/.github/workflows/markdown.yaml b/.github/workflows/markdown.yaml
@@ -9,6 +9,10 @@ jobs:
   markdown-lint:
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0

diff --git a/.github/workflows/nightly-test.yaml b/.github/workflows/nightly-test.yaml
@@ -20,6 +20,10 @@ jobs:
     runs-on: ${{ matrix.arch == 'arm64' && ["self-hosted", "Linux", "ARM64", "jammy", "large"] || ["self-hosted", "Linux", "AMD64", "jammy", "large"] }}
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
       - name: Install lxd and tox

diff --git a/.github/workflows/sync-images.yaml b/.github/workflows/sync-images.yaml
@@ -3,10 +3,18 @@ name: Sync upstream images to ghcr.io
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@v4