canonical · louiseschmidtgen · May 21, 2024 · Apr 29, 2024 · Apr 29, 2024 · Apr 29, 2024
@@ -6,9 +6,18 @@ on:
       - main
       - 'release-[0-9]+.[0-9]+'
 
+permissions:
+  contents: read
+
 jobs:
   cla-check:
+    permissions:
+      pull-requests: write  # for canonical/has-signed-canonical-cla to create & update comments
     runs-on: ubuntu-latest
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Check if CLA signed
         uses: canonical/has-signed-canonical-cla@v1
@@ -4,8 +4,14 @@ on:
   schedule:
     - cron: '0 10 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   TICS:
+    permissions:
+      contents: read
+      security-events: write 
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -14,6 +20,10 @@ jobs:
           - { branch: main }
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
         with:
@@ -67,6 +77,9 @@ jobs:
           path: tics-logs.tar.gz
 
   Trivy:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -77,6 +90,10 @@ jobs:
           # Add branches to test here
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
         with:

@@ -9,12 +9,22 @@ on:
       - 'autoupdate/release-[0-9]+.[0-9]+-strict'
   pull_request:
 
+permissions:
+  contents: read  
+
 jobs:
   test:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: write  # for marocchino/sticky-pull-request-comment to create or update PR comment
     name: Unit Tests & Code Quality
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Check out code
         uses: actions/checkout@v4
 
@@ -86,6 +96,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Check out code
         uses: actions/checkout@v4
 

@@ -9,12 +9,19 @@ on:
       - 'autoupdate/release-[0-9]+.[0-9]+-strict'
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-20.04
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
       - name: Install lxd
@@ -71,10 +78,17 @@ jobs:
           cd tests/integration && sg lxd -c 'tox -e integration'
 
   security-scan:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
     name: Security scan
     runs-on: ubuntu-20.04
     needs: build
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
       - name: Fetch snap

@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: '0 0 * * *'  # Runs every midnight
 
+permissions:
+  contents: read
+
 jobs:
   test-integration:
     name: Integration Test ${{ matrix.os }} ${{ matrix.arch }} ${{ matrix.releases }}

@@ -9,12 +9,19 @@ on:
       - 'autoupdate/release-[0-9]+.[0-9]+-strict'
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Check out code
         uses: actions/checkout@v4
       - name: Setup Python

@@ -9,12 +9,19 @@ on:
       - 'autoupdate/release-[0-9]+.[0-9]+-strict'
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: Checking out repo
         uses: actions/checkout@v4
       - name: Setup Python

@@ -31,6 +31,10 @@ jobs:
       # actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@v2
+        with:
+          egress-policy: audit
       - name: "Checkout code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:

@@ -6,6 +6,9 @@ on:
       - main
       - 'release-[0-9]+.[0-9]+'
 
+permissions:
+  contents: read
+
 jobs:
   prepare:
     name: Prepare
@@ -28,6 +31,8 @@ jobs:
             echo "strict=" >> $GITHUB_OUTPUT
           fi
   update:
+    permissions:
+      contents: write  # for Git to git push
     runs-on: ubuntu-20.04
     needs: [ prepare ]
     if: ${{ needs.prepare.outputs.strict }}