chore: Set explicit worflow permissions

davidkna-sap · davidkna-sap · commit 836594aa78df · 2026-05-26T13:21:37.000+02:00
diff --git a/.github/workflows/api-docs.yml b/.github/workflows/api-docs.yml
@@ -14,8 +14,12 @@ on:
         required: true
         type: string
 
+permissions: {}
+
 jobs:
   generate-and-push-docs:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
diff --git a/.github/workflows/auto-dependabot-fix.yml b/.github/workflows/auto-dependabot-fix.yml
@@ -3,8 +3,12 @@ name: auto-dependabot-fix
 on:
   pull_request_target: ~
 
+permissions: {}
+
 jobs:
   building:
+    permissions:
+      contents: read
     if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/auto-lint.yml b/.github/workflows/auto-lint.yml
@@ -3,8 +3,12 @@ name: auto-lint-fix
 on:
   pull_request: ~
 
+permissions: {}
+
 jobs:
   linting:
+    permissions:
+      contents: read
     if: github.actor != 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml
@@ -5,9 +5,13 @@ on:
   schedule:
     - cron: 0 23 * * *
 
+permissions: {}
+
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -21,11 +21,15 @@ on:
         required: false
         default: false
 
+permissions: {}
+
 jobs:
   tests:
     if: inputs.canary-release-skip-checks == false
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -58,6 +62,8 @@ jobs:
   checks:
     if: inputs.canary-release-skip-checks == false
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
@@ -99,6 +105,8 @@ jobs:
   e2e-tests:
     if: inputs.canary-release-skip-checks == false
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
@@ -133,6 +141,8 @@ jobs:
   canary-release-pre-check:
     if: inputs.is-workflow-call && inputs.canary-release-skip-checks == false
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       skip-release: ${{ steps.date-check.outputs.skip-release }}
     needs: [tests, checks, e2e-tests]
@@ -167,6 +177,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [canary-release-pre-check]
     permissions:
+      contents: read
       id-token: write
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
@@ -189,6 +200,8 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     needs: [tests, checks]
+    permissions:
+      contents: write
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
diff --git a/.github/workflows/bump.yml b/.github/workflows/bump.yml
@@ -7,9 +7,13 @@ on:
         description: Mandatory, when bumping a major version. Semver compatible version string (X.Y.Z). Must not be set for patch and minor version releases.
         required: false
 
+permissions: {}
+
 jobs:
   bump:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.bump.outputs.version }}
     steps:
@@ -56,6 +60,8 @@ jobs:
   generate-api-docs:
     name: Generate and Push API Documentation
     needs: [bump]
+    permissions:
+      contents: read
     uses: ./.github/workflows/api-docs.yml
     secrets: inherit
     with:
diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml
@@ -7,9 +7,13 @@ on:
       - edited
       - synchronize
 
+permissions: {}
+
 jobs:
   check-pr:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -14,10 +14,15 @@ on:
   pull_request: ~
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
 
     strategy:
       fail-fast: false
diff --git a/.github/workflows/downloads.yml b/.github/workflows/downloads.yml
@@ -5,9 +5,13 @@ on:
   schedule:
     - cron: '0 0 * * 1'
 
+permissions: {}
+
 jobs:
   downloads:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
diff --git a/.github/workflows/fosstars-report.yml b/.github/workflows/fosstars-report.yml
@@ -4,6 +4,8 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions: {}
+
 jobs:
   create_fosstars_report:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/memory-tests.yml b/.github/workflows/memory-tests.yml
@@ -5,9 +5,13 @@ on:
   schedule:
     - cron: 0 21 * * *
 
+permissions: {}
+
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
diff --git a/.github/workflows/release-entry.yml b/.github/workflows/release-entry.yml
@@ -19,14 +19,23 @@ on:
         options:
           - 'With Tests and Checks'
           - 'Skip Tests and Checks (Force Release)'
+
+permissions: {}
+
 jobs:
   delegate_to_release_job:
     if: ${{ github.event_name == 'release' }}
+    permissions:
+      contents: read
+      id-token: write
     uses: ./.github/workflows/release.yml
     secrets: inherit
 
   delegate_to_canary_job:
     if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
+    permissions:
+      contents: read
+      id-token: write
     uses: ./.github/workflows/build.yml
     secrets: inherit
     with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,6 +3,8 @@ name: release
 on:
   workflow_call:
 
+permissions: {}
+
 jobs:
   stable-release:
     runs-on: ubuntu-latest
@@ -17,6 +19,8 @@ jobs:
           private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
           owner: SAP
           repositories: cloud-sdk
+          permission-contents: write
+          permission-pull-requests: write
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
           ref: 'main'
diff --git a/.github/workflows/tests-windows.yml b/.github/workflows/tests-windows.yml
@@ -7,10 +7,14 @@ on:
       - 'docs/**'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   tests:
     runs-on: windows-latest
     timeout-minutes: 30
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
diff --git a/.github/workflows/typedoc.yml b/.github/workflows/typedoc.yml
@@ -8,9 +8,13 @@ on:
     paths-ignore:
       - 'docs/**'
 
+permissions: {}
+
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -8,9 +8,6 @@ rules:
     ignore:
      - bump.yml
      - release-entry.yml
-  # requires more effort to fix
-  excessive-permissions:
-    disable: true
   dangerous-triggers:
     ignore:
       - auto-dependabot-fix.yml
