From 242f723e537307f11819e84e6619dce4e89bd0c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?=
Date: Wed, 9 Jul 2025 10:56:22 +0200
Subject: [PATCH 1/4] fix: Update permissions in workflows to write-all
---
 .github/workflows/release-drafter.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 2aaba74..9817ea5 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -1,6 +1,6 @@
 name: Release Drafter
-permissions: read-all
+permissions: write-all
 on:
 schedule:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 98036b3..27674c7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,6 +1,6 @@
 name: Release
-permissions: read-all
+permissions: write-all
 on:
 workflow_dispatch:
From 7dc37e97f0c079582fe4bf2f44c1e2e58521b5ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?=
Date: Wed, 9 Jul 2025 10:58:51 +0200
Subject: [PATCH 2/4] fix: Update permissions in workflows to use specific access levels
---
 .github/workflows/release-drafter.yml | 9 ++++++++-
 .github/workflows/release.yml | 11 +++++++++--
 .github/workflows/sync-labels.yaml | 9 ++++++++-
 3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 9817ea5..d458ccb 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -1,6 +1,7 @@
 name: Release Drafter
-permissions: write-all
+permissions:
+ contents: read
 on:
 schedule:
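Review bot: Replacing the workflow-level `read-all` with `write-all` gives every job in Release Drafter a GITHUB_TOKEN that can write to every permission scope, while the only work visible here is a scheduled draft-release update. Keep the workflow-level key read-only and put the scopes the job actually needs on the job itself, `permissions:` / `contents: write` / `pull-requests: write` under `update_release_draft`. The same change is made to release.yml in the next hunk and has the same problem. The triggers beyond `schedule:` are outside the hunk, so whether a pull_request-driven run also receives this token cannot be judged here.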
@@ -16,6 +17,12 @@ jobs:
 update_release_draft:
 name: Update release draft
 runs-on: ubuntu-latest
+ permissions: # write permission is required to create a github release contents: write # write permission is required for autolabeler # otherwise, read permission is required at least pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 27674c7..5dbd837 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,6 +1,7 @@
 name: Release
-permissions: write-all
+permissions:
+ contents: read
 on:
 workflow_dispatch:
@@ -11,7 +12,13 @@ env:
 COMPONENT_DIR: hsem
 jobs:
- release_zip_file:
+ release_file:
+ permissions: # write permission is required to create a github release contents: write # write permission is required for autolabeler # otherwise, read permission is required at least pull-requests: write
 name: Prepare release asset
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index 0a6a2b1..637cd9d 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
@@ -1,6 +1,7 @@
 name: Sync labels
-permissions: read-all
+permissions:
+ contents: read
 # yamllint disable-line rule:truthy
 on:
@@ -15,6 +16,12 @@ jobs:
 labels:
 name: ♻️ Sync labels
 runs-on: ubuntu-latest
+ permissions: # write permission is required to create a github release contents: write # write permission is required for autolabeler # otherwise, read permission is required at least pull-requests: write
 steps:
 - name: ⤵️ Check out code from GitHub
 uses: actions/checkout@v4.2.2
From c043028fc7a1a20b24c7264b647dfac3b2fd5a4b Mon Sep 17 00:00:00 2001
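Review bot: The new `pull-requests: write` on `release_file` is justified only by a comment copied from the release drafter ("required for autolabeler"), but this workflow runs on `workflow_dispatch` and the visible job prepares a release asset, which has no pull request to label. Unless a step outside the hunk touches pull requests, drop that scope and keep `contents: write` alone, with the comment rewritten to describe what the steps after the hunk actually do with the release rather than the drafter's reasons. The job rename from `release_zip_file` to `release_file` is fine in itself but is unrelated to the permissions fix the commit message describes.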
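Review bot: The permissions block added to the `labels` job repeats the release-drafter comments word for word, but a label sync neither creates a GitHub release nor runs an autolabeler, so `contents: write` and `pull-requests: write` have no stated justification here. Repository labels are managed through the issues scope, so the block should presumably be `permissions:` / `issues: write` with a comment such as `# write permission is required to create and update repository labels`. Confirm the exact scope against the label-sync action in the steps, which continue outside the hunk.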
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?=
Date: Wed, 9 Jul 2025 11:00:07 +0200
Subject: [PATCH 3/4] fix: Update permissions in defender-for-devops.yml to use specific access levels
---
 .github/workflows/defender-for-devops.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/defender-for-devops.yml b/.github/workflows/defender-for-devops.yml
index bd867e9..3f6ea70 100644
--- a/.github/workflows/defender-for-devops.yml
+++ b/.github/workflows/defender-for-devops.yml
@@ -18,7 +18,8 @@
 name: "Microsoft Defender For Devops"
-permissions: read-all
+permissions:
+ contents: read
 on:
 push:
@@ -32,7 +33,12 @@ jobs:
 MSDO:
 # currently only windows latest is supported
 runs-on: windows-latest
-
+ permissions: # write permission is required to create a github release contents: write # write permission is required for autolabeler # otherwise, read permission is required at least pull-requests: write
 steps:
 - uses: actions/checkout@v4.2.2
 - uses: actions/setup-dotnet@v4.3.1
From fe4b62c18a39c35a6105b30244a9163215a50a6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andreas=20Kr=C3=BCger?=
Date: Wed, 9 Jul 2025 11:02:40 +0200
Subject: [PATCH 4/4] fix: Update permissions in workflows to use read-all and write-all
---
 .github/workflows/defender-for-devops.yml | 10 ++--------
 .github/workflows/release-drafter.yml | 10 ++--------
 .github/workflows/release.yml | 10 ++--------
 .github/workflows/sync-labels.yaml | 10 ++--------
 4 files changed, 8 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/defender-for-devops.yml b/.github/workflows/defender-for-devops.yml
index 3f6ea70..ec2ed65 100644
--- a/.github/workflows/defender-for-devops.yml
+++ b/.github/workflows/defender-for-devops.yml
@@ -18,8 +18,7 @@
 name: "Microsoft Defender For Devops"
-permissions:
- contents: read
+permissions: read-all
 on:
 push:
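Review bot: The `MSDO` job now gets `contents: write` and `pull-requests: write`, annotated with comments about creating a release and autolabeling that were copied from the release workflows and do not describe a Defender for DevOps scan. Scanning a checked-out tree needs only `contents: read`; if a step after the hunk uploads SARIF to code scanning, that step needs `security-events: write`, not either of the scopes added here. Suggest `permissions:` / `contents: read` / `security-events: write` with a comment naming the upload step, and dropping the `security-events` line if no upload exists.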
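Review bot: Reverting the workflow-level `contents: read` to `read-all` widens the default token from a single read scope to read access on every scope for every job in this workflow, and no job-level need for that is visible. The explicit `contents: read` introduced by PATCH 2/4 is the tighter default and should stay; any scope a job needs belongs on that job. The `push:` trigger details continue outside the hunk.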
@@ -33,12 +32,7 @@ jobs:
 MSDO:
 # currently only windows latest is supported
 runs-on: windows-latest
- permissions:
- # write permission is required to create a github release
- contents: write
- # write permission is required for autolabeler
- # otherwise, read permission is required at least
- pull-requests: write
+ permissions: write-all
 steps:
 - uses: actions/checkout@v4.2.2
 - uses: actions/setup-dotnet@v4.3.1
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index d458ccb..fb5c661 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -1,7 +1,6 @@
 name: Release Drafter
-permissions:
- contents: read
+permissions: read-all
 on:
 schedule:
@@ -17,12 +16,7 @@ jobs:
 update_release_draft:
 name: Update release draft
 runs-on: ubuntu-latest
- permissions:
- # write permission is required to create a github release
- contents: write
- # write permission is required for autolabeler
- # otherwise, read permission is required at least
- pull-requests: write
+ permissions: write-all
 steps:
 - name: Checkout
 uses: actions/checkout@v4
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5dbd837..cbe53b3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,7 +1,6 @@
 name: Release
-permissions:
- contents: read
+permissions: read-all
 on:
 workflow_dispatch:
@@ -13,14 +12,9 @@ env:
 jobs:
 release_file:
- permissions:
- # write permission is required to create a github release
- contents: write
- # write permission is required for autolabeler
- # otherwise, read permission is required at least
- pull-requests: write
 name: Prepare release asset
 runs-on: ubuntu-latest
+ permissions: write-all
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/sync-labels.yaml b/.github/workflows/sync-labels.yaml
index 637cd9d..bdca3bb 100644
--- a/.github/workflows/sync-labels.yaml
+++ b/.github/workflows/sync-labels.yaml
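Review bot: `permissions: write-all` on `MSDO` is the final state of this series and is broader than the scoped block it removes: a job triggered on `push` (per the previous hunk) that checks out the repository and installs .NET now runs the scanner with a token able to write to every scope of the repository. Nothing visible in the job needs write access; a scan needs `contents: read`, plus `security-events: write` only if a SARIF upload step follows outside the hunk. Restore a scoped block, `permissions:` / `contents: read` / `security-events: write`, and if the earlier scoped version failed on a missing scope, add that one scope rather than all of them.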
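Review bot: Swapping `contents: write` and `pull-requests: write` for `permissions: write-all` on `update_release_draft` discards the least-privilege block added two commits earlier in this series, and the commit message does not say which scope turned out to be missing. The removed comments themselves state what the job needs, creating the draft release and running the autolabeler, and those are exactly the two scopes being deleted. Restore `permissions:` / `contents: write` / `pull-requests: write` on the job; the steps after `actions/checkout@v4` are outside the hunk, so any extra scope they require should be added individually with its own comment.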
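Review bot: `permissions: write-all` on `release_file` is more than a job that prepares a release asset can need, and deleting the commented block loses the only documentation of why the job writes at all. The block it replaces was itself over-scoped, since its `pull-requests: write` came from a copied autolabeler comment, so the right end state is narrower than either version: `permissions:` / `contents: write` with a comment describing the release step, which is outside the hunk. If a run failed on a missing scope, name that scope in the commit message and add it alone.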
@@ -1,7 +1,6 @@
 name: Sync labels
-permissions:
- contents: read
+permissions: read-all
 # yamllint disable-line rule:truthy
 on:
@@ -16,12 +15,7 @@ jobs:
 labels:
 name: ♻️ Sync labels
 runs-on: ubuntu-latest
- permissions:
- # write permission is required to create a github release
- contents: write
- # write permission is required for autolabeler
- # otherwise, read permission is required at least
- pull-requests: write
+ permissions: write-all
 steps:
 - name: ⤵️ Check out code from GitHub
 uses: actions/checkout@v4.2.2
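Review bot: `permissions: write-all` on the `labels` job grants every scope to a job whose visible work is checking out the repository and syncing labels. Labels are managed through the issues scope, so `permissions:` / `issues: write` is presumably all it needs; confirm against the label-sync action in the steps, which continue outside the hunk. The scoped block being removed was mis-commented (it spoke of releases and autolabelers), which may be why it was dropped, but the fix for a wrong scope is the right scope, not all of them.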