Add permissions to GitHub Actions

maartenvandiemen · maartenvandiemen · commit d6b47e36326e · 2025-11-01T21:31:42.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -17,10 +17,15 @@ updates:
         applies-to: version-updates
         patterns:
         - "mstest*"
-      EntityFrameworkCore:
+        - "Microsoft.NET.Test.Sdk"
+        - "coverlet*"
+        - "Testcontainers*"
+      Framework:
         applies-to: version-updates
         patterns:
           - "Microsoft.EntityFrameworkCore*"
+          - "Microsoft.Extensions*"
+          - "Microsoft.AspNetCore*"         
 
   - package-ecosystem: "github-actions"
     directory: "/"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -12,6 +12,8 @@ defaults:
     shell: pwsh
 jobs:
   build:
+    permissions:
+      contents: read
     services:
       mssql:
         image: mcr.microsoft.com/mssql/server:2022-latest
diff --git a/.github/workflows/create_env.yml b/.github/workflows/create_env.yml
@@ -40,6 +40,8 @@ defaults:
     shell: pwsh
 jobs:
   determine_resourcegroup:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     outputs:
       resourcegroup: ${{ steps.setupResourcegroup.outputs.resourcegroup }}
@@ -53,6 +55,7 @@ jobs:
     permissions: 
       id-token: write
       contents: read
+      deployments: write
     runs-on: ubuntu-latest
     needs: determine_resourcegroup
     outputs:
diff --git a/.github/workflows/delete_env.yml b/.github/workflows/delete_env.yml
@@ -13,6 +13,7 @@ jobs:
     permissions: 
       id-token: write
       contents: read
+      deployments: write
     runs-on: ubuntu-latest
     environment: AzureRemove
     steps:
diff --git a/.github/workflows/deploy_db.yml b/.github/workflows/deploy_db.yml
@@ -24,6 +24,7 @@ jobs:
     permissions: 
       id-token: write
       contents: read
+      deployments: write
     runs-on: ubuntu-latest
     environment: AzureDeploy
     steps:
diff --git a/.github/workflows/main.docker.yml b/.github/workflows/main.docker.yml
@@ -24,6 +24,8 @@ defaults:
     shell: pwsh
 jobs:
   determine_variables:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     outputs:
       buildConfiguration: ${{ steps.setupVars.outputs.buildConfiguration }}
@@ -40,14 +42,19 @@ jobs:
           echo "buildConfiguration=Release" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf8 -Append
         }
   
-  build:  
+  build:
+    permissions:
+      contents: read
     needs: [determine_variables]
     uses: ./.github/workflows/build.yml
     with:
       buildConfiguration: ${{needs.determine_variables.outputs.buildConfiguration}}
     secrets: inherit
 
   validate_env:
+    permissions:
+      contents: read
+      id-token: write
     needs: [build]
     uses: ./.github/workflows/create_env.yml
     with:
@@ -58,6 +65,8 @@ jobs:
     secrets: inherit
 
   dockerfile_artifact:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
@@ -71,16 +80,16 @@ jobs:
 
   push_docker_image:
     if: inputs.buildConfiguration != ''
+    permissions:
+      contents: read
+      packages: write
     runs-on: ubuntu-latest
     outputs:
       dockerTag: ${{ steps.createTag.outputs.dockerTag }}
     env:
       REGISTRY: ghcr.io
       DOCKER_BUILD_SUMMARY: false
       DOCKER_BUILD_RECORD_UPLOAD: false
-    permissions:
-      contents: read
-      packages: write
     needs: [validate_env, dockerfile_artifact, determine_variables]
     steps:
       - uses: actions/download-artifact@v6
@@ -121,6 +130,9 @@ jobs:
           tags: ${{ steps.createTag.outputs.dockerTag }}
 
   create_env:
+    permissions:
+      contents: read
+      id-token: write
     needs: [build, push_docker_image]
     uses: ./.github/workflows/create_env.yml
     with:
@@ -131,6 +143,9 @@ jobs:
     secrets: inherit
 
   deploy_db:
+    permissions:
+      contents: read
+      id-token: write
     needs: [build, create_env]
     uses: ./.github/workflows/deploy_db.yml
     with:
@@ -139,12 +154,17 @@ jobs:
     secrets: inherit
 
   smoketests:
+    permissions:
+      contents: read
     needs: [deploy_db, create_env]
     uses: ./.github/workflows/smoketests.yml
     with:
       webAppUrl: ${{needs.create_env.outputs.webAppUrl}}
 
   delete_env:
+    permissions:
+      contents: read
+      id-token: write
     needs: [create_env, smoketests]
     uses: ./.github/workflows/delete_env.yml
     with:
diff --git a/.github/workflows/main.nodocker.yml b/.github/workflows/main.nodocker.yml
@@ -24,6 +24,8 @@ defaults:
     shell: pwsh
 jobs:
   determine_variables_build:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     outputs:
       buildConfiguration: ${{ steps.setupVars.outputs.buildConfiguration }}
@@ -38,14 +40,19 @@ jobs:
           echo "buildConfiguration=Release" | Out-File -FilePath $Env:GITHUB_OUTPUT -Encoding utf8 -Append
         }
   
-  build:  
+  build:
+    permissions:
+      contents: read
     needs: [determine_variables_build]
     uses: ./.github/workflows/build.yml
     with:
       buildConfiguration: ${{needs.determine_variables_build.outputs.buildConfiguration}}
     secrets: inherit
   
   validate:
+    permissions:
+      contents: read
+      id-token: write
     needs: [build]
     uses: ./.github/workflows/create_env.yml
     with:
@@ -56,6 +63,9 @@ jobs:
     secrets: inherit
 
   create_env:
+    permissions:
+      contents: read
+      id-token: write
     if: inputs.buildConfiguration != ''
     needs: [validate]
     uses: ./.github/workflows/create_env.yml
@@ -73,6 +83,7 @@ jobs:
     permissions: 
       id-token: write
       contents: read
+      deployments: write
     steps:
       - name: Download a Build Artifact
         uses: actions/download-artifact@v6
@@ -94,6 +105,9 @@ jobs:
              az webapp config set --startup-file="dotnet TodoItems.Api.dll" --name ${{ needs.create_env.outputs.webAppName }} --resource-group ${{ needs.create_env.outputs.resourcegroup }}
   
   deploy_db:
+    permissions:
+      contents: read
+      id-token: write
     needs: [build, create_env]
     uses: ./.github/workflows/deploy_db.yml
     with:
@@ -102,12 +116,17 @@ jobs:
     secrets: inherit
     
   smoketests:
+    permissions:
+      contents: read
     needs: [deploy_app, create_env, deploy_db]
     uses: ./.github/workflows/smoketests.yml
     with:
       webAppUrl: ${{needs.create_env.outputs.webAppUrl}}
   
   delete_env:
+    permissions:
+      contents: read
+      id-token: write
     needs: [create_env, smoketests]
     uses: ./.github/workflows/delete_env.yml
     with:
diff --git a/.github/workflows/smoketests.yml b/.github/workflows/smoketests.yml
@@ -10,6 +10,9 @@ defaults:
     shell: pwsh
 jobs:
   smoke_tests:
+    permissions:
+      contents: read
+      deployments: write
     runs-on: ubuntu-latest
     environment: AzureProvision
     steps:
