Add permissions

Joonas Hiltunen · Joonas Hiltunen · commit 325f38b35d91 · 2025-12-05T11:46:45.000+02:00
diff --git a/.github/workflows/shared-build-and-publish-docker-image.yml b/.github/workflows/shared-build-and-publish-docker-image.yml
@@ -24,22 +24,22 @@ on:
         description: Docker build context. This needs to be Git repository context; see https://docs.docker.com/build/concepts/context/#url-fragments
         type: string
         required: false
-        default: null
+        default: ""
       build_args:
         description: Docker build time arguments
         type: string
         required: false
-        default: null
+        default: ""
       target:
         description: Sets the target stage to build
         type: string
         required: false
-        default: null
+        default: ""
       artifact-id:
         description: Artifact ID needed to download for the build.
         type: string
         required: false
-        default: null
+        default: ""
       artifact-path:
         description: Target where to download the artifact.
         type: string
@@ -110,7 +110,7 @@ jobs:
         # Checkout is needed when context is local "."
         # Otherwise the repository code will not be fetched for the build
         if: ${{ inputs.context == '.' }}
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Download artifacts
         if: ${{ inputs.artifact-id }}
diff --git a/.github/workflows/shared-check-renovatebot-config.yml b/.github/workflows/shared-check-renovatebot-config.yml
@@ -1,8 +1,5 @@
 name: Shared check renovatebot config
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -16,6 +13,9 @@ on:
         required: false
         default: "false"
 
+permissions:
+  contents: read
+
 jobs:
   validate:
     name: Validate renovatebot config
diff --git a/.github/workflows/shared-codeql.yml b/.github/workflows/shared-codeql.yml
@@ -21,19 +21,20 @@ on:
         type: string
         default: ""
 
+permissions:
+  # required for all workflows
+  security-events: write
+  # required to fetch internal or private CodeQL packs
+  packages: read
+  # only required for workflows in private repositories
+  actions: read
+  # repository contents
+  contents: read
+
 jobs:
   analyze:
     name: Analyze code
     runs-on: ubuntu-24.04
-    permissions:
-      # required for all workflows
-      security-events: write
-      # required to fetch internal or private CodeQL packs
-      packages: read
-      # only required for workflows in private repositories
-      actions: read
-      # repository contents
-      contents: read
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/shared-run-e2e.yml b/.github/workflows/shared-run-e2e.yml
@@ -1,9 +1,6 @@
 ---
 name: Run E2E Tests
 
-permissions:
-  contents: read
-
 on:
   workflow_call:
     inputs:
@@ -14,7 +11,7 @@ on:
           Git repository's main branch.
         type: string
         required: false
-        default: null
+        default: ""
       ui_version:
         description:
           Version of ui to use (docker image tag). Set to "" if using the default
@@ -146,6 +143,9 @@ on:
         description: SSH key that can be used to write to HSLdevcom/jore4-ci-data repository.
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   run_e2e_tests:
     name: Run e2e tests
@@ -233,7 +233,7 @@ jobs:
           cat ${{ github.workspace }}/durations.out.json
 
       - name: Upload test durations
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: "e2e-test-durations-${{ strategy.job-index }}"
           path: ${{ github.workspace }}/durations.out.json
@@ -249,7 +249,7 @@ jobs:
       - name: Upload test reports as an artifact
         # Should be run especially when tests fail
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: cypress-test-results-${{ strategy.job-index }}
           path: ${{ github.workspace }}/ctrf-report.json
@@ -275,7 +275,7 @@ jobs:
 
       - name: Upload test reports as an artifact
         if: always() && steps.copy_test_reports.outputs.test_reports_exist == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: cypress-docker-reports-${{ strategy.job-index }}
           path: ${{ github.workspace }}/test-reports
@@ -287,7 +287,7 @@ jobs:
       - run_e2e_tests
     steps:
       - name: Download E2E Test Results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         continue-on-error: true
         with:
           pattern: cypress-test-results-*
@@ -311,15 +311,15 @@ jobs:
       - run_e2e_tests
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
           repository: "HSLdevcom/jore4-ci-data"
           ref: e2e-test-durations
           ssh-key: ${{ secrets.jore4_ci_data_repo_ssh_key }}
 
       - name: Download E2E Test Durations
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v6
         with:
           pattern: e2e-test-durations-*
           path: ${{ github.workspace }}/split-durations
diff --git a/.github/workflows/test-healthcheck-action.yml b/.github/workflows/test-healthcheck-action.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test-healthcheck-success:
     name: Verifies whether healthcheck action succeeds when it should
diff --git a/.github/workflows/test-setup-e2e-environment-action.yml b/.github/workflows/test-setup-e2e-environment-action.yml
@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test-e2e-setup-action:
     runs-on: ubuntu-24.04
@@ -14,48 +17,48 @@ jobs:
       matrix:
         include:
           # no overwrites for images
-          - ui-docker-image:
-            hasura-docker-image:
-            auth-docker-image:
-            mbtiles-docker-image:
-            jore3importer-docker-image:
-            testdb-docker-image:
-            mssqltestdb-docker-image:
-            mapmatching-docker-image:
-            mapmatchingdb-docker-image:
-            cypress-docker-image:
-            hastus-docker-image:
-            custom-docker-compose:
+          - ui-docker-image: ""
+            hasura-docker-image: ""
+            auth-docker-image: ""
+            mbtiles-docker-image: ""
+            jore3importer-docker-image: ""
+            testdb-docker-image: ""
+            mssqltestdb-docker-image: ""
+            mapmatching-docker-image: ""
+            mapmatchingdb-docker-image: ""
+            cypress-docker-image: ""
+            hastus-docker-image: ""
+            custom-docker-compose: ""
           # overwrite some
           - ui-docker-image: "hsldevcom/jore4-ui:latest"
-            hasura-docker-image:
-            auth-docker-image:
-            mbtiles-docker-image:
-            jore3importer-docker-image:
-            testdb-docker-image:
-            mssqltestdb-docker-image:
-            mapmatching-docker-image:
-            mapmatchingdb-docker-image:
-            cypress-docker-image:
-            hastus-docker-image:
-            custom-docker-compose:
+            hasura-docker-image: ""
+            auth-docker-image: ""
+            mbtiles-docker-image: ""
+            jore3importer-docker-image: ""
+            testdb-docker-image: ""
+            mssqltestdb-docker-image: ""
+            mapmatching-docker-image: ""
+            mapmatchingdb-docker-image: ""
+            cypress-docker-image: ""
+            hastus-docker-image: ""
+            custom-docker-compose: ""
           # use custom docker-compose file
-          - ui-docker-image:
-            hasura-docker-image:
-            auth-docker-image:
-            mbtiles-docker-image:
-            jore3importer-docker-image:
-            testdb-docker-image:
-            mssqltestdb-docker-image:
-            mapmatching-docker-image:
-            mapmatchingdb-docker-image:
-            cypress-docker-image:
-            hastus-docker-image:
+          - ui-docker-image: ""
+            hasura-docker-image: ""
+            auth-docker-image: ""
+            mbtiles-docker-image: ""
+            jore3importer-docker-image: ""
+            testdb-docker-image: ""
+            mssqltestdb-docker-image: ""
+            mapmatching-docker-image: ""
+            mapmatchingdb-docker-image: ""
+            cypress-docker-image: ""
+            hastus-docker-image: ""
             custom-docker-compose: "custom-compose.yml" # this overwrites the hasura image to be "jore4-hasura:latest"
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Create a temporary custom docker compose file for testing
         run: |
