Fix security issues in workflows (opea-project#1977)

ZePan110 · alexsin368 · commit 1f52a93c17b0 · 2025-08-13T12:04:11.000-07:00
Signed-off-by: ZePan110 &lt;ze.pan@intel.com&gt;
Signed-off-by: alexsin368 &lt;alex.sin@intel.com&gt;
diff --git a/.github/workflows/_build_comps_base_image.yml b/.github/workflows/_build_comps_base_image.yml
@@ -2,7 +2,12 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build Comps Base Image
-permissions: read-all
+
+permissions:
+  attestations: read
+  models: read
+  security-events: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/_build_image.yml b/.github/workflows/_build_image.yml
@@ -2,7 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build Images
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/_example-workflow.yml b/.github/workflows/_example-workflow.yml
@@ -2,7 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Example jobs
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/_get-image-list.yml b/.github/workflows/_get-image-list.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Get Image List
-permissions: read-all
+permissions:
+  contents: read
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/_gmc-e2e.yml b/.github/workflows/_gmc-e2e.yml
@@ -3,7 +3,8 @@
 
 # This workflow will only test GMC pipeline and will not install GMC any more
 name: Single GMC E2e Test For CD Workflow Call
-
+permissions:
+  contents: read
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/_gmc-workflow.yml b/.github/workflows/_gmc-workflow.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build and deploy GMC system on call and manual
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Update Docker Hub Description
+permissions:
+  contents: read
 on:
   schedule:
     - cron: "0 0 * * 0"
diff --git a/.github/workflows/manual-docker-clean.yml b/.github/workflows/manual-docker-clean.yml
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Clean up container on manual event
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/manual-example-workflow.yml b/.github/workflows/manual-example-workflow.yml
@@ -2,6 +2,24 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Examples CD workflow on manual event
+
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
+
 on:
   workflow_dispatch:
     inputs:
@@ -51,7 +69,6 @@ on:
         required: false
         type: boolean
 
-permissions: read-all
 jobs:
   get-test-matrix:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/manual-freeze-tag.yml b/.github/workflows/manual-freeze-tag.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Freeze OPEA images release tag
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/manual-image-build.yml b/.github/workflows/manual-image-build.yml
@@ -2,6 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build specific images on manual event
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/manual-reset-local-registry.yml b/.github/workflows/manual-reset-local-registry.yml
@@ -2,6 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Clean up Local Registry on manual event
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_dispatch:
     inputs:
diff --git a/.github/workflows/mix-trellix.yml b/.github/workflows/mix-trellix.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Trellix Command Line Scanner
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
   schedule:
diff --git a/.github/workflows/nightly-docker-build-publish.yml b/.github/workflows/nightly-docker-build-publish.yml
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Nightly build/publish latest docker images
+permissions:
+  security-events: read
 
 on:
   schedule:
@@ -33,12 +35,32 @@ jobs:
           echo "PUBLISH_TAGS=$PUBLISH_TAGS" >> $GITHUB_OUTPUT
 
   build-comps-base:
+    permissions:
+      attestations: read
+      models: read
+      security-events: read
     needs: [get-build-matrix]
     uses: ./.github/workflows/_build_comps_base_image.yml
     with:
       node: gaudi
 
   build-images:
+    permissions:
+      actions: read
+      contents: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      id-token: write
+      attestations: read
+      models: read
     needs: [get-build-matrix, build-comps-base]
     strategy:
       matrix:
@@ -53,6 +75,22 @@ jobs:
 
   test-example:
     needs: [get-build-matrix]
+    permissions:
+      actions: read
+      contents: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      id-token: write
+      attestations: read
+      models: read
     if: ${{ needs.get-build-matrix.outputs.examples_json != '' }}
     strategy:
       matrix:
@@ -69,6 +107,8 @@ jobs:
 
   get-image-list:
     needs: [get-build-matrix]
+    permissions:
+      contents: read
     uses: ./.github/workflows/_get-image-list.yml
     with:
       examples: ${{ needs.get-build-matrix.outputs.EXAMPLES }}
diff --git a/.github/workflows/pr-chart-e2e.yml b/.github/workflows/pr-chart-e2e.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: E2E Test with Helm Charts
-
+permissions:
+  contents: read
 on:
   pull_request_target:
     branches: [main]
diff --git a/.github/workflows/pr-check-duplicated-image.yml b/.github/workflows/pr-check-duplicated-image.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Check Duplicated Images
-
+permissions:
+  contents: read
 on:
   pull_request:
     branches: [main]
diff --git a/.github/workflows/pr-code-scan.yml b/.github/workflows/pr-code-scan.yml
@@ -2,7 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Code Scan
-
+permissions:
+  contents: read
+  security-events: write
 on:
   pull_request:
     branches: [main]
diff --git a/.github/workflows/pr-docker-compose-e2e.yml b/.github/workflows/pr-docker-compose-e2e.yml
@@ -3,6 +3,9 @@
 
 name: E2E test with docker compose
 
+permissions:
+  contents: read
+
 on:
   pull_request_target:
     branches: ["main", "*rc"]
diff --git a/.github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml b/.github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Compose file and dockerfile path checking
-
+permissions:
+  contents: read
 on:
   pull_request:
     branches: [main]
diff --git a/.github/workflows/pr-link-path-scan.yml b/.github/workflows/pr-link-path-scan.yml
@@ -3,6 +3,9 @@
 
 name: Check hyperlinks and relative path validity
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [main]
diff --git a/.github/workflows/push-image-build.yml b/.github/workflows/push-image-build.yml
@@ -3,6 +3,23 @@
 # Test
 name: Build latest images on push event
 
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
+
 on:
   push:
     branches: [ 'main' ]
diff --git a/.github/workflows/push-images-path-detection.yml b/.github/workflows/push-images-path-detection.yml
@@ -3,10 +3,12 @@
 
 name: Check the validity of links in docker_images_list.
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
-    types: [opened, reopened, ready_for_review, synchronize]
 
 jobs:
   check-dockerfile-paths:
diff --git a/.github/workflows/push-infra-issue-creation.yml b/.github/workflows/push-infra-issue-creation.yml
@@ -8,6 +8,10 @@ on:
       - "**/docker_compose/**/compose*.yaml"
 
 name: Create an issue to GenAIInfra on push
+
+permissions:
+  contents: read
+
 jobs:
   job1:
     name: Create issue
diff --git a/.github/workflows/weekly-example-test.yml b/.github/workflows/weekly-example-test.yml
