chire: fix workflow permission (#680)

Co-authored-by: Christian Lechner <22294087+lechnerc77@users.noreply.github.com>

Author: lechnerc77

.github/workflows/build-and-publish-api-mssql-go.yml

@@ -7,6 +7,10 @@ env:
   IMAGE_NAME: api-mssql-go
   LABEL: 1.0.0
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build_and_push:
     runs-on: ubuntu-latest
@@ -29,7 +33,7 @@ jobs:
       - name: Build and push Docker image
         uses: docker/build-push-action@v3.1.0
         with:
-          context: "{{defaultContext}}:dsagtt22/ordermicroservice/api-mssql-go" 
+          context: "{{defaultContext}}:dsagtt22/ordermicroservice/api-mssql-go"
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}            
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/build-and-publish-custom-component-dapr.yml

@@ -10,6 +10,10 @@ env:
   IMAGE_NAME: daprwishlistapp
   LABEL: 1.0.0
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build_and_push:
     runs-on: ubuntu-latest
@@ -23,13 +27,13 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 16
-      - name: 'Install dependencies and Build'
+      - name: "Install dependencies and Build"
         shell: bash
         run: |
           pushd './custom-component-dapr'
           npm ci
           npm run build
-          popd  
+          popd
       - name: Log in to the Container registry (GH Packages)
         uses: docker/login-action@v2
         with:
@@ -49,4 +53,4 @@ jobs:
           context: ./${{ env.SUBDIRECTORY }}
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}            
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/build-and-publish-database-mssql.yml

@@ -7,6 +7,10 @@ env:
   IMAGE_NAME: mssql
   LABEL: 1.0.0
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build_and_push:
     runs-on: ubuntu-latest
@@ -32,4 +36,4 @@ jobs:
           context: "{{defaultContext}}:dsagtt22/ordermicroservice/database-mssql"
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}            
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/build-and-publish-frontend-ui5-mssql.yml

@@ -7,6 +7,10 @@ env:
   IMAGE_NAME: frontend-ui5-mssql
   LABEL: 1.0.0
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build_and_push:
     runs-on: ubuntu-latest
@@ -29,7 +33,7 @@ jobs:
       - name: Build and push Docker image
         uses: docker/build-push-action@v3.1.0
         with:
-          context: "{{defaultContext}}:dsagtt22/ordermicroservice/frontend-ui5-mssql" 
+          context: "{{defaultContext}}:dsagtt22/ordermicroservice/frontend-ui5-mssql"
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}            
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/build-and-publish-onprem-mock.yml

@@ -8,6 +8,10 @@ env:
   IMAGE_NAME: dsagtt22-onprem-mock
   LABEL: 1.0.0
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build_and_push:
     runs-on: ubuntu-latest
@@ -21,13 +25,13 @@ jobs:
         uses: actions/setup-node@v3
         with:
           node-version: 16
-      - name: 'Install dependencies and Build'
+      - name: "Install dependencies and Build"
         shell: bash
         run: |
           pushd './dsagtt22/onprem-mock'
           npm ci
           npm run build
-          popd  
+          popd
       - name: Log in to the Container registry (GH Packages)
         uses: docker/login-action@v2
         with:
@@ -47,4 +51,4 @@ jobs:
           context: ./${{ env.SUBDIRECTORY }}
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}   
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/build-and-publish-sapcc.yml

@@ -7,6 +7,10 @@ env:
   IMAGE_NAME: java11-sapcc
   LABEL: 1.0.0
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build_and_push:
     runs-on: ubuntu-latest
@@ -32,4 +36,4 @@ jobs:
           context: "{{defaultContext}}:dsagtt22/CloudConnector"
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}            
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/build-docker-custom-component-dapr.yml

@@ -1,38 +1,40 @@
 name: Build docker for the Custom Component Sample
 on:
   push:
-    branches: [ main ]
+    branches: [main]
     paths:
-    - "custom-component-dapr/**"
+      - "custom-component-dapr/**"
   workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * 0'
+
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
-     matrix:
-       node-version: [14.x, 16.x]
+      matrix:
+        node-version: [14.x, 16.x]
     steps:
       - uses: actions/checkout@v3
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-      - name: 'Install dependencies and Build'
+      - name: "Install dependencies and Build"
         shell: bash
         run: |
           pushd './custom-component-dapr'
           npm ci
           npm run build --if-present
           popd
-      - name: 'Check for outdated dependencies'
+      - name: "Check for outdated dependencies"
         shell: bash
         run: |
           pushd './custom-component-dapr'
           npm outdated --ignore-packages dapr-client@2.0.2
           popd
-      - name: 'Build Docker Image'
+      - name: "Build Docker Image"
         shell: bash
         run: |
           pushd './custom-component-dapr'
@@ -42,5 +44,5 @@ jobs:
         uses: rtCamp/action-slack-notify@v2.2.0
         if: ${{ failure() }}
         env:
-          SLACK_MESSAGE: 'Build Failed for ${{ env.SAMPLE_NAME }}'
-          SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }}                    
+          SLACK_MESSAGE: "Build Failed for ${{ env.SAMPLE_NAME }}"
+          SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }}

.github/workflows/build-docker-hana-nodejs.yml

@@ -1,36 +1,40 @@
 name: Build docker for the HANA Node.js Sample
 on:
   push:
-    branches: [ main ]
+    branches: [main]
     paths:
-    - "hana-nodejs/**"
+      - "hana-nodejs/**"
   workflow_dispatch:
+
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
-     matrix:
-       node-version: [16.x, 18.x]
+      matrix:
+        node-version: [16.x, 18.x]
     steps:
       - uses: actions/checkout@v3
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
         with:
           node-version: ${{ matrix.node-version }}
-      - name: 'Install dependencies and Build'
+      - name: "Install dependencies and Build"
         shell: bash
         run: |
           pushd './hana-nodejs/app'
           npm ci
           npm run build --if-present
           popd
-      - name: 'Check for outdated dependencies'
+      - name: "Check for outdated dependencies"
         shell: bash
         run: |
           pushd './hana-nodejs/app'
           npm outdated
           popd
-      - name: 'Build Docker Image'
+      - name: "Build Docker Image"
         shell: bash
         run: |
           pushd './hana-nodejs'
@@ -40,5 +44,5 @@ jobs:
         uses: rtCamp/action-slack-notify@v2.2.0
         if: ${{ failure() }}
         env:
-          SLACK_MESSAGE: 'Build Failed for ${{ env.SAMPLE_NAME }}'
-          SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }}                        
+          SLACK_MESSAGE: "Build Failed for ${{ env.SAMPLE_NAME }}"
+          SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }}

.github/workflows/build-docker-orders-service.yml

@@ -1,10 +1,15 @@
 name: Build docker for the Orders Service Sample
 on:
   push:
-    branches: [ main ]
+    branches: [main]
     paths:
-    - "orders-service/**"
+      - "orders-service/**"
   workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
 env:
   REGISTRY: ghcr.io
   SUBDIRECTORY: orders-service

.github/workflows/build-docker-sample-extension-dotnet-minimalapi.yml

@@ -2,36 +2,37 @@ name: Build docker sample-extension-dotnet-minimalapi
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
     paths:
-    - "sample-extension-dotnet-minimalapi/**"
+      - "sample-extension-dotnet-minimalapi/**"
   workflow_dispatch:
-  schedule:
-    - cron: '0 0 * * 0'
+
+permissions:
+  contents: read
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-dotnet@v2
-      with:
-        dotnet-version: '6.0.x'
-    - name: 'Build .NET Project'
-      shell: bash
-      run: |
-        pushd './sample-extension-dotnet-minimalapi/TodoApi'
-        dotnet publish -c Release
-        popd     
-    - name: Build the Docker image
-      shell: bash
-      run: |
-        pushd './sample-extension-dotnet-minimalapi/'
-        make build-image
-        popd
-    - name: Slack Notify
-      uses: rtCamp/action-slack-notify@v2.2.0
-      if: ${{ failure() }}
-      env:
-        SLACK_MESSAGE: 'Build Failed for ${{ env.SAMPLE_NAME }}'
-        SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }}    
+      - uses: actions/checkout@v3
+      - uses: actions/setup-dotnet@v2
+        with:
+          dotnet-version: "6.0.x"
+      - name: "Build .NET Project"
+        shell: bash
+        run: |
+          pushd './sample-extension-dotnet-minimalapi/TodoApi'
+          dotnet publish -c Release
+          popd
+      - name: Build the Docker image
+        shell: bash
+        run: |
+          pushd './sample-extension-dotnet-minimalapi/'
+          make build-image
+          popd
+      - name: Slack Notify
+        uses: rtCamp/action-slack-notify@v2.2.0
+        if: ${{ failure() }}
+        env:
+          SLACK_MESSAGE: "Build Failed for ${{ env.SAMPLE_NAME }}"
+          SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }}