Add back required permissions to GitHub actions workflows (#1184)

andreasgerstmayr · web-flow · commit 23489b98f63f · 2025-05-07T16:28:19.000+02:00
* Add required permissions to CodeQL workflow See: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container#example-workflow Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com> * also update publish workflows (require access to write to container registry) Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com> * move permissions to release job Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com> * remove contents: read permission (not required for public repos) Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com> * fix ubuntu version in publish-test-utils-image workflow Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com> --------- Signed-off-by: Andreas Gerstmayr <agerstmayr@redhat.com>
diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml
@@ -45,6 +45,9 @@ jobs:
   security:
     name: Security
     runs-on: ubuntu-22.04
+    permissions:
+      actions: read
+      security-events: write # write CodeQL alerts
     steps:
       - name: Checkout
         uses: actions/checkout@v4
diff --git a/.github/workflows/publish-images.yaml b/.github/workflows/publish-images.yaml
@@ -1,6 +1,7 @@
 name: "Publish operator"
 
-permissions: {}
+permissions:
+  packages: write # push container image
 
 on:
   push:
diff --git a/.github/workflows/publish-test-utils-image.yaml b/.github/workflows/publish-test-utils-image.yaml
@@ -17,11 +17,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
-permissions: {}
+permissions:
+  packages: write # push container image
 
 jobs:
   test-utils:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     steps:
       - name: Checkout
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -50,6 +50,8 @@ jobs:
   publish-images:
     needs: release
     uses: ./.github/workflows/reusable-publish-images.yaml
+    permissions:
+      packages: write # push container image
     with:
       publish_bundle: true
       version_tag: v${{ needs.release.outputs.operator_version }}
