ci: improve scoped permissions

Signed-off-by: Emilien Escalle <emilien.escalle@escemi.com>

Author: neilime

.github/workflows/__main-ci.yml

@@ -23,12 +23,12 @@ jobs:
     permissions:
       actions: read
       contents: read
+      id-token: write
       issues: read
       packages: write
       pull-requests: read
       security-events: write
       statuses: write
-      id-token: write
     secrets: inherit
 
   clean:

.github/workflows/__pull-request-ci.yml

@@ -17,11 +17,11 @@ jobs:
     uses: ./.github/workflows/__shared-ci.yml
     permissions:
       actions: read
-      contents: write
+      contents: read
+      id-token: write
       issues: read
       packages: write
-      pull-requests: write
+      pull-requests: read
       security-events: write
       statuses: write
-      id-token: write
     secrets: inherit

.github/workflows/__shared-ci.yml

@@ -4,69 +4,114 @@ name: Internal - Common Continuous Integration tasks
 on: # yamllint disable-line rule:truthy
   workflow_call:
 
-permissions:
-  actions: read
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  security-events: write
-  statuses: write
-  id-token: write
+permissions: {}
 
 jobs:
   linter:
     uses: hoverkraft-tech/ci-github-common/.github/workflows/linter.yml@4c9d51717dc04d823dac2dc9ac2857e7b3069454 # 0.35.0
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+      statuses: write
 
   test-action-docker-build-image:
     needs: linter
     uses: ./.github/workflows/__test-action-docker-build-image.yml
+    permissions:
+      contents: read
+      packages: write
 
   test-action-docker-prune-pull-requests-package-version:
     needs: linter
     # yamllint disable-line rule:line-length
     uses: ./.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
 
   test-action-get-image-metadata:
     needs: linter
     uses: ./.github/workflows/__test-action-get-image-metadata.yml
+    permissions:
+      contents: read
 
   test-action-action-get-image-name:
     needs: linter
     uses: ./.github/workflows/__test-action-get-image-name.yml
+    permissions:
+      contents: read
 
   test-action-helm-parse-chart-uri:
     needs: linter
     uses: ./.github/workflows/__test-action-helm-parse-chart-uri.yml
+    permissions:
+      contents: read
 
   test-action-helm-release-chart:
     needs: linter
     uses: ./.github/workflows/__test-action-helm-release-chart.yml
+    permissions:
+      contents: read
+      packages: write
 
   test-action-helm-test-chart:
     needs: linter
     uses: ./.github/workflows/__test-action-helm-test-chart.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
 
   test-workflow-docker-build-images-building:
     name: Test docker build images - Building
     needs: linter
     uses: ./.github/workflows/__test-workflow-docker-build-images-building.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets: inherit
 
   test-workflow-docker-build-images-caching:
     name: Test docker build images - Caching
     needs: linter
     uses: ./.github/workflows/__test-workflow-docker-build-images-caching.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets: inherit
 
   test-workflow-docker-build-images-multi-registry:
     name: Test docker build images - Multi registry inputs
     needs: linter
     uses: ./.github/workflows/__test-workflow-docker-build-images-multi-registry.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets: inherit
 
   test-workflow-docker-build-images-platforms-and-signing:
     name: Test docker build images - Platforms and Signing
     needs: linter
     uses: ./.github/workflows/__test-workflow-docker-build-images-platforms-and-signing.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets: inherit

.github/workflows/__test-action-docker-prune-pull-requests-image-tags.yml

@@ -5,12 +5,7 @@ run-name: Test for "docker/prune-pull-requests-image-tags" action
 on: # yamllint disable-line rule:truthy
   workflow_call:
 
-permissions:
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  id-token: write
+permissions: {}
 
 env:
   IMAGE_NAME: "test-prune-${{ github.run_number }}"
@@ -73,6 +68,12 @@ jobs:
     name: Arrange - Build images
     needs: arrange-prepare-variables
     uses: ./.github/workflows/docker-build-images.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets:
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
     with:

.github/workflows/__test-action-helm-test-chart.yml

@@ -5,16 +5,17 @@ run-name: Test for "helm/test-chart" action
 on: # yamllint disable-line rule:truthy
   workflow_call:
 
-permissions:
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  id-token: write
+permissions: {}
 
 jobs:
   build-test-images:
     uses: ./.github/workflows/docker-build-images.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets:
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
     with:
@@ -34,6 +35,8 @@ jobs:
     name: Test for "helm/test-chart" action
     needs: build-test-images
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/__test-workflow-docker-build-images-building.yml

@@ -5,18 +5,19 @@ run-name: Test for "docker-build-images" workflow - Building
 on: # yamllint disable-line rule:truthy
   workflow_call:
 
-permissions:
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  id-token: write
+permissions: {}
 
 # jscpd:ignore-start
 jobs:
   act-build-images-args-secrets:
     name: Arrange - Build with args, secrets
     uses: ./.github/workflows/docker-build-images.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets:
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
       build-secrets: |
@@ -82,9 +83,5 @@ jobs:
             for (const image of expectedCreatedImages) {
               assert(builtImages[image], `"built-images" output does not contain "${image}" image`);
             }
-      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ github.token }}
+
 # jscpd:ignore-end

.github/workflows/__test-workflow-docker-build-images-caching.yml

@@ -5,12 +5,7 @@ run-name: Test for "docker-build-images" workflow - Caching
 on: # yamllint disable-line rule:truthy
   workflow_call:
 
-permissions:
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  id-token: write
+permissions: {}
 
 # jscpd:ignore-start
 jobs:
@@ -65,6 +60,12 @@ jobs:
     name: Act - Build images - registry cache
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets:
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
       build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
@@ -95,6 +96,12 @@ jobs:
     name: Act - Build images - gha cache
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets:
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
       build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
@@ -128,6 +135,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.arrange.outputs.matrix) }}
+    permissions:
+      packages: read
     steps:
       - name: Login to GitHub Container Registry
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0

.github/workflows/__test-workflow-docker-build-images-multi-registry.yml

@@ -5,17 +5,18 @@ run-name: Test for "docker-build-images" workflow - Multi registry inputs
 on: # yamllint disable-line rule:truthy
   workflow_call:
 
-permissions:
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  id-token: write
+permissions: {}
 
 jobs:
   act-build-images-multi-registry:
     name: Act - Build images with structured registry inputs
     uses: ./.github/workflows/docker-build-images.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets:
       oci-registry-password: |
         {"push":"${{ secrets.GITHUB_TOKEN }}","pull:private":"${{ secrets.GITHUB_TOKEN }}"}
@@ -43,6 +44,8 @@ jobs:
     name: Assert - Build images with structured registry inputs
     needs: act-build-images-multi-registry
     runs-on: ubuntu-latest
+    permissions:
+      packages: read
     steps:
       - name: Login to GitHub Container Registry
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0

.github/workflows/__test-workflow-docker-build-images-platforms-and-signing.yml

@@ -5,12 +5,7 @@ run-name: Test for "docker-build-images" workflow - Platforms and Signing
 on: # yamllint disable-line rule:truthy
   workflow_call:
 
-permissions:
-  contents: read
-  issues: read
-  packages: write
-  pull-requests: read
-  id-token: write
+permissions: {}
 
 # jscpd:ignore-start
 jobs:
@@ -91,6 +86,12 @@ jobs:
       fail-fast: false
       matrix: ${{ fromJson(needs.arrange.outputs.matrix) }}
     uses: ./.github/workflows/docker-build-images.yml
+    permissions:
+      contents: read
+      id-token: write
+      issues: read
+      packages: write
+      pull-requests: read
     secrets:
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
       build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
@@ -116,6 +117,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix: ${{ fromJson(needs.arrange.outputs.matrix) }}
+    permissions:
+      packages: read
     steps:
       - name: Login to GitHub Container Registry
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0