chore(ci): workflow permission alerts (#738)

bcgov · Jan 6, 2025 · 9b260d8 · 9b260d8
1 parent f4e7773
commit 9b260d8
Show file tree

Hide file tree

Showing 7 changed files with 18 additions and 7 deletions.
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -13,6 +13,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   tests:
     name: Unit Tests
@@ -38,6 +40,8 @@ jobs:
     name: Trivy Security Scan
     if: ${{ ! github.event.pull_request.draft }}
     needs: [tests]
+    permissions:
+      security-events: write
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/merge-demo.yml b/.github/workflows/merge-demo.yml
@@ -11,6 +11,8 @@ concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   builds:
     name: Builds

diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
@@ -8,13 +8,12 @@ on:
       - "**.md"
   workflow_dispatch:
 
-env:
-  NAME: fom
-
 concurrency:
   group: ${{ github.workflow }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   vars:
     name: Set Variables
@@ -133,6 +132,8 @@ jobs:
   prod-promotions:
     name: Promote images to PROD
     needs: [deploy-prod, vars]
+    permissions:
+      packages: write
     runs-on: ubuntu-24.04
     strategy:
       matrix:

diff --git a/.github/workflows/pr-close.yml b/.github/workflows/pr-close.yml
@@ -2,13 +2,15 @@ name: Pull Request Closed
 
 on:
   pull_request:
-    types:
-      - closed
+    types: [closed]
 
 concurrency:
   group: ${{ github.event.number }}
   cancel-in-progress: true
 
+permissions:
+  packages: write
+
 jobs:
   cleanup:
     name: Cleanup and Images

diff --git a/.github/workflows/pr-open.yml b/.github/workflows/pr-open.yml
@@ -2,12 +2,13 @@ name: Pull Request Open
 
 on:
   pull_request:
-  workflow_dispatch:
 
 concurrency:
   group: ${{ github.event.number }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   init:
     name: Init

diff --git a/.github/workflows/pr-validate.yml b/.github/workflows/pr-validate.yml
@@ -8,6 +8,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.number }}
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   pr-description-add:
     name: PR Description Add

diff --git a/db/Dockerfile b/db/Dockerfile
@@ -1,4 +1,3 @@
-# RedHat UBI 8 with nodejs 14
 FROM postgis/postgis:13-master
 
 # Enable pgcrypto extension on startup