ci: explicitly define permissions for each job and as the first prope…

…rty in each job

.github/workflows/ci.yml

@@ -10,16 +10,14 @@ on:
     # * At 05:00 UTC every Monday, run the latest commit on the default or base branch
     - cron:  '0 5 * * MON'
 
-# Restrict jobs in this workflow to only be allowed to read this repo by default.
-#
-# If you are wanting to introduce a job/tool that requires more permissions (such
-# as posting comments or commits to the repository), then you should grant just
-# that job the necessarily permissions by giving it a dedicated `permissions` block.
-permissions:
-  contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 jobs:
   audit_dependencies:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -28,6 +26,8 @@ jobs:
       - name: Audit dependencies for security vulnerabilities
         uses: g-rath/check-with-osv-detector@main
   test:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -41,6 +41,8 @@ jobs:
       - run: yarn run format-check
 
   rubocop:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -56,6 +58,8 @@ jobs:
         run: bundle exec rubocop
 
   test_generated_apps:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       # don't stop all variants if one of them fails (we usually want to know

.github/workflows/codeql-analysis.yml

@@ -14,15 +14,20 @@ on:
   schedule:
     - cron: '0 0 * * 0'
 
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
+
 jobs:
   analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
       security-events: write
 
+    name: Analyze
+    runs-on: ubuntu-latest
+
     strategy:
       fail-fast: false
       matrix:
@@ -42,11 +47,11 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        
+
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
@@ -55,7 +60,7 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     # - run: |

variants/github_actions_ci/workflows/ci.yml.tt

@@ -19,16 +19,14 @@ env:
   SIDEKIQ_WEB_PASSWORD: password
   <%- end -%>
 
-# Restrict jobs in this workflow to only be allowed to read this repo by default.
-#
-# If you are wanting to introduce a job/tool that requires more permissions (such
-# as posting comments or commits to the repository), then you should grant just
-# that job the necessarily permissions by giving it a dedicated `permissions` block.
-permissions:
-  contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 jobs:
   audit_dependencies:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -37,6 +35,8 @@ jobs:
       - name: Audit dependencies for security vulnerabilities
         uses: g-rath/check-with-osv-detector@main
   js_based_checks:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 15
     steps:
@@ -54,6 +54,8 @@ jobs:
       - run: yarn run js-lint
       - run: yarn run format-check
   ruby_based_checks:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     timeout-minutes: 20
     services:
@@ -127,15 +129,15 @@ jobs:
   # ######################################################################### #
 
   # deploy_to_ec2_staging:
+  #   permissions:
+  #     id-token: write # to use OIDC (aws-actions/configure-aws-credentials)
+  #     contents: read # to fetch code (actions/checkout)
   #   if: github.event_name == 'push' && github.ref == 'refs/heads/main'
   #   needs:
   #     - audit_dependencies
   #     - ruby_based_checks
   #     - js_based_checks
   #   uses: ./.github/workflows/deploy_to_ec2.yml
-  #   permissions:
-  #     id-token: write # to use OIDC (aws-actions/configure-aws-credentials)
-  #     contents: read # to fetch code (actions/checkout)
   #   with:
   #     environment: staging
   #     assume_role_arn: TODO # e.g. "arn:aws:iam::<ACCOUNT_ID>:role/<CLIENT_NAME>StagingGHARole"
@@ -144,15 +146,15 @@ jobs:
   #     ssh_private_key: ${{ secrets.STAGING_SSH_PRIVATE_KEY }}
   #     slack_webhook: ${{ secrets.SLACK_WEBHOOK }}
   # deploy_to_ec2_production:
+  #   permissions:
+  #     id-token: write # to use OIDC (aws-actions/configure-aws-credentials)
+  #     contents: read # to fetch code (actions/checkout)
   #   if: github.event_name == 'push' && github.ref == 'refs/heads/production'
   #   needs:
   #     - audit_dependencies
   #     - ruby_based_checks
   #     - js_based_checks
   #   uses: ./.github/workflows/deploy_to_ec2.yml
-  #   permissions:
-  #     id-token: write # to use OIDC (aws-actions/configure-aws-credentials)
-  #     contents: read # to fetch code (actions/checkout)
   #   with:
   #     environment: production
   #     assume_role_arn: TODO # e.g. "arn:aws:iam::<ACCOUNT_ID>:role/<CLIENT_NAME>ProductionGHARole"
@@ -166,28 +168,28 @@ jobs:
   # ######################################################################### #
 
   # deploy_to_heroku_staging:
+  #   permissions:
+  #     contents: read # to fetch code (actions/checkout)
   #   if: github.event_name == 'push' && github.ref == 'refs/heads/main'
   #   needs:
   #     - audit_dependencies
   #     - ruby_based_checks
   #     - js_based_checks
   #   uses: ./.github/workflows/deploy_to_heroku.yml
-  #   permissions:
-  #     contents: read # to fetch code (actions/checkout)
   #   secrets:
   #     heroku_api_key: ${{ secrets.HEROKU_API_KEY }}
   #     heroku_email: ${{ secrets.HEROKU_EMAIL }}
   #     heroku_app_name: ${{ secrets.HEROKU_APP_NAME_STAGING }}
   #     slack_webhook: ${{ secrets.SLACK_WEBHOOK }}
   # deploy_to_heroku_production:
+  #   permissions:
+  #     contents: read # to fetch code (actions/checkout)
   #   if: github.event_name == 'push' && github.ref == 'refs/heads/production'
   #   needs:
   #     - audit_dependencies
   #     - ruby_based_checks
   #     - js_based_checks
   #   uses: ./.github/workflows/deploy_to_heroku.yml
-  #   permissions:
-  #     contents: read # to fetch code (actions/checkout)
   #   secrets:
   #     heroku_api_key: ${{ secrets.HEROKU_API_KEY }}
   #     heroku_email: ${{ secrets.HEROKU_EMAIL }}