Add permissions to workflows

Joonas Hiltunen · Joonas Hiltunen · commit 193218c4fe9b · 2025-12-05T11:55:16.000+02:00
diff --git a/.github/workflows/check-renovatebot-config.yml b/.github/workflows/check-renovatebot-config.yml
@@ -6,8 +6,11 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   validate:
-    uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v1
+    uses: HSLdevcom/jore4-tools/.github/workflows/shared-check-renovatebot-config.yml@shared-check-renovatebot-config-v2
     with:
       config_file_path: renovatebot/jore4-default-preset.json5
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -3,9 +3,12 @@ name: CI
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   run_e2e_tests_workflow:
     name: Test run E2E tests workflow
     uses: ./.github/workflows/shared-run-e2e.yml
     with:
-      test-tags: ''
+      test-tags: ""
diff --git a/.github/workflows/doctoc.yml b/.github/workflows/doctoc.yml
@@ -6,14 +6,17 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   verify-doctoc:
     name: Verifies whether table of contents has been updated
     runs-on: ubuntu-24.04
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Run doctoc on README
         run: npx doctoc README.md
diff --git a/.github/workflows/shared-build-and-publish-docker-image.yml b/.github/workflows/shared-build-and-publish-docker-image.yml
@@ -24,22 +24,22 @@ on:
         description: Docker build context. This needs to be Git repository context; see https://docs.docker.com/build/concepts/context/#url-fragments
         type: string
         required: false
-        default: null
+        default: ""
       build_args:
         description: Docker build time arguments
         type: string
         required: false
-        default: null
+        default: ""
       target:
         description: Sets the target stage to build
         type: string
         required: false
-        default: null
+        default: ""
       artifact-id:
         description: Artifact ID needed to download for the build.
         type: string
         required: false
-        default: null
+        default: ""
       artifact-path:
         description: Target where to download the artifact.
         type: string
@@ -110,7 +110,7 @@ jobs:
         # Checkout is needed when context is local "."
         # Otherwise the repository code will not be fetched for the build
         if: ${{ inputs.context == '.' }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Download artifacts
         if: ${{ inputs.artifact-id }}
diff --git a/.github/workflows/shared-check-renovatebot-config.yml b/.github/workflows/shared-check-renovatebot-config.yml
@@ -13,6 +13,9 @@ on:
         required: false
         default: "false"
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     name: Validate renovatebot config
diff --git a/.github/workflows/shared-run-e2e.yml b/.github/workflows/shared-run-e2e.yml
@@ -11,7 +11,7 @@ on:
           Git repository's main branch.
         type: string
         required: false
-        default: null
+        default: ""
       ui_version:
         description:
           Version of ui to use (docker image tag). Set to "" if using the default
@@ -97,7 +97,8 @@ on:
         required: false
         default: ""
       tiamat_version:
-        description: Version of tiamat to use (docker image tag). Set to "" if using
+        description:
+          Version of tiamat to use (docker image tag). Set to "" if using
           the default version.
         type: string
         required: false
@@ -124,11 +125,10 @@ on:
         required: false
         default: "@smoke"
       video:
-        description:
-          Turn video on or off. Supported values are 'true' and 'false'.
+        description: Turn video on or off. Supported values are 'true' and 'false'.
         type: string
         required: false
-        default: 'false'
+        default: "false"
       update_e2e_test_durations:
         description: |
           Should the E2E test durations be updated to jore4-ci-data repository's e2e-test-durations branch
@@ -140,10 +140,12 @@ on:
         default: false
     secrets:
       jore4_ci_data_repo_ssh_key:
-        description:
-          SSH key that can be used to write to HSLdevcom/jore4-ci-data repository.
+        description: SSH key that can be used to write to HSLdevcom/jore4-ci-data repository.
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   run_e2e_tests:
     name: Run e2e tests
@@ -231,7 +233,7 @@ jobs:
           cat ${{ github.workspace }}/durations.out.json
 
       - name: Upload test durations
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: "e2e-test-durations-${{ strategy.job-index }}"
           path: ${{ github.workspace }}/durations.out.json
@@ -247,7 +249,7 @@ jobs:
       - name: Upload test reports as an artifact
         # Should be run especially when tests fail
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: cypress-test-results-${{ strategy.job-index }}
           path: ${{ github.workspace }}/ctrf-report.json
@@ -273,7 +275,7 @@ jobs:
 
       - name: Upload test reports as an artifact
         if: always() && steps.copy_test_reports.outputs.test_reports_exist == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: cypress-docker-reports-${{ strategy.job-index }}
           path: ${{ github.workspace }}/test-reports
@@ -285,7 +287,7 @@ jobs:
       - run_e2e_tests
     steps:
       - name: Download E2E Test Results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         continue-on-error: true
         with:
           pattern: cypress-test-results-*
@@ -294,7 +296,7 @@ jobs:
       - name: Publish Test Report
         uses: ctrf-io/github-test-reporter@27b97adba93f02142c573c8a710045cac0d874ae # v1.0.14
         with:
-          report-path: 'ctrf/*/*.json'
+          report-path: "ctrf/*/*.json"
           summary-report: true
           failed-report: true
           flaky-report: true
@@ -309,15 +311,15 @@ jobs:
       - run_e2e_tests
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
-          repository: 'HSLdevcom/jore4-ci-data'
+          repository: "HSLdevcom/jore4-ci-data"
           ref: e2e-test-durations
           ssh-key: ${{ secrets.jore4_ci_data_repo_ssh_key }}
 
       - name: Download E2E Test Durations
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v6
         with:
           pattern: e2e-test-durations-*
           path: ${{ github.workspace }}/split-durations
diff --git a/.github/workflows/test-healthcheck-action.yml b/.github/workflows/test-healthcheck-action.yml
@@ -6,14 +6,17 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test-healthcheck-success:
     name: Verifies whether healthcheck action succeeds when it should
     runs-on: ubuntu-24.04
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Startup sample HTTP server
         run: docker run -d -p 8080:80 nginxdemos/hello
diff --git a/.github/workflows/test-setup-e2e-environment-action.yml b/.github/workflows/test-setup-e2e-environment-action.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test-e2e-setup-action:
     runs-on: ubuntu-24.04
@@ -14,48 +17,48 @@ jobs:
       matrix:
         include:
           # no overwrites for images
-          - ui-docker-image:
-            hasura-docker-image:
-            auth-docker-image:
-            mbtiles-docker-image:
-            jore3importer-docker-image:
-            testdb-docker-image:
-            mssqltestdb-docker-image:
-            mapmatching-docker-image:
-            mapmatchingdb-docker-image:
-            cypress-docker-image:
-            hastus-docker-image:
-            custom-docker-compose:
+          - ui-docker-image: ""
+            hasura-docker-image: ""
+            auth-docker-image: ""
+            mbtiles-docker-image: ""
+            jore3importer-docker-image: ""
+            testdb-docker-image: ""
+            mssqltestdb-docker-image: ""
+            mapmatching-docker-image: ""
+            mapmatchingdb-docker-image: ""
+            cypress-docker-image: ""
+            hastus-docker-image: ""
+            custom-docker-compose: ""
           # overwrite some
           - ui-docker-image: "hsldevcom/jore4-ui:latest"
-            hasura-docker-image:
-            auth-docker-image:
-            mbtiles-docker-image:
-            jore3importer-docker-image:
-            testdb-docker-image:
-            mssqltestdb-docker-image:
-            mapmatching-docker-image:
-            mapmatchingdb-docker-image:
-            cypress-docker-image:
-            hastus-docker-image:
-            custom-docker-compose:
+            hasura-docker-image: ""
+            auth-docker-image: ""
+            mbtiles-docker-image: ""
+            jore3importer-docker-image: ""
+            testdb-docker-image: ""
+            mssqltestdb-docker-image: ""
+            mapmatching-docker-image: ""
+            mapmatchingdb-docker-image: ""
+            cypress-docker-image: ""
+            hastus-docker-image: ""
+            custom-docker-compose: ""
           # use custom docker-compose file
-          - ui-docker-image:
-            hasura-docker-image:
-            auth-docker-image:
-            mbtiles-docker-image:
-            jore3importer-docker-image:
-            testdb-docker-image:
-            mssqltestdb-docker-image:
-            mapmatching-docker-image:
-            mapmatchingdb-docker-image:
-            cypress-docker-image:
-            hastus-docker-image:
+          - ui-docker-image: ""
+            hasura-docker-image: ""
+            auth-docker-image: ""
+            mbtiles-docker-image: ""
+            jore3importer-docker-image: ""
+            testdb-docker-image: ""
+            mssqltestdb-docker-image: ""
+            mapmatching-docker-image: ""
+            mapmatchingdb-docker-image: ""
+            cypress-docker-image: ""
+            hastus-docker-image: ""
             custom-docker-compose: "custom-compose.yml" # this overwrites the hasura image to be "jore4-hasura:latest"
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Create a temporary custom docker compose file for testing
         run: |
