refactor: add permissions blocks to GitHub workflows for least privilege security (#4933)

Copilot · Copilot · mfranzke · web-flow · commit 6ab8dbcda3e6 · 2025-10-02T10:00:58.000+02:00
* Initial plan

* feat: add permissions blocks to GitHub workflows for least privilege security

* Update default.yml

* Add pull-requests permission to workflow

---------

Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: Copilot &lt;copilot@example.com&gt;
Co-authored-by: Maximilian Franzke &lt;maximilian.franzke@deutschebahn.com&gt;
Co-authored-by: Maximilian Franzke &lt;787658+mfranzke@users.noreply.github.com&gt;
diff --git a/.github/workflows/00-init.yml b/.github/workflows/00-init.yml
@@ -1,5 +1,8 @@
 name: Init Workflow
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
diff --git a/.github/workflows/00-scan-secrets.yml b/.github/workflows/00-scan-secrets.yml
@@ -1,5 +1,8 @@
 name: Leaked Secrets Scan
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
diff --git a/.github/workflows/01-build-outputs.yml b/.github/workflows/01-build-outputs.yml
@@ -1,6 +1,9 @@
 ---
 name: Build outputs
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
diff --git a/.github/workflows/01-build-packages.yml b/.github/workflows/01-build-packages.yml
@@ -1,6 +1,9 @@
 ---
 name: Build Packages
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
diff --git a/.github/workflows/01-build-patternhub.yml b/.github/workflows/01-build-patternhub.yml
@@ -1,6 +1,9 @@
 ---
 name: Build Patternhub
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/01-build-showcases.yml b/.github/workflows/01-build-showcases.yml
@@ -1,6 +1,9 @@
 ---
 name: Build Showcases
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/01-get-playwright-version.yml b/.github/workflows/01-get-playwright-version.yml
@@ -1,6 +1,9 @@
 ---
 name: 🎭 Get playwright version
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     outputs:
diff --git a/.github/workflows/01-get-publish-version.yml b/.github/workflows/01-get-publish-version.yml
@@ -1,6 +1,9 @@
 ---
 name: Get and save publish version
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     # Map the workflow outputs to job outputs
diff --git a/.github/workflows/01-init-playwright.yml b/.github/workflows/01-init-playwright.yml
@@ -1,5 +1,8 @@
 name: 🎭 Init Playwright
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
diff --git a/.github/workflows/01-lint.yml b/.github/workflows/01-lint.yml
@@ -1,5 +1,8 @@
 name: Lint
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
diff --git a/.github/workflows/01-test.yml b/.github/workflows/01-test.yml
@@ -1,5 +1,8 @@
 name: Test
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
diff --git a/.github/workflows/03-deploy-gh-pages.yml b/.github/workflows/03-deploy-gh-pages.yml
@@ -1,6 +1,9 @@
 ---
 name: Deploy to gh-pages
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
@@ -17,6 +20,8 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-24.04 # Use Ubuntu 24.04 explicitly
+    permissions:
+      contents: write
     steps:
       - name: ⏬ Checkout repo
         uses: actions/checkout@v5
diff --git a/.github/workflows/99-add-url-comment.yml b/.github/workflows/99-add-url-comment.yml
@@ -1,6 +1,10 @@
 ---
 name: 💬 Add url for gh-page as issue comment to PR
 
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   workflow_call:
 jobs:
diff --git a/.github/workflows/99-auto-merge.yml b/.github/workflows/99-auto-merge.yml
@@ -1,5 +1,9 @@
 ---
 name: Dependabot auto-merge
+
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
diff --git a/.github/workflows/99-dependency-review.yml b/.github/workflows/99-dependency-review.yml
@@ -1,5 +1,9 @@
 ---
 name: "Dependency Review"
+
+permissions:
+  contents: read
+
 on:
   workflow_call:
 
diff --git a/.github/workflows/99-labeler.yml b/.github/workflows/99-labeler.yml
@@ -1,5 +1,10 @@
 ---
 name: "Pull Request Labeler"
+
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   workflow_call:
 
diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml
@@ -1,6 +1,9 @@
 ---
 name: Cleans all preview pages for gh-pages
 
+permissions:
+  contents: write
+
 on:
   schedule:
     - cron: "0 0 * * *"
diff --git a/.github/workflows/default.yml b/.github/workflows/default.yml
@@ -1,6 +1,11 @@
 ---
 name: Default Pipeline
 
+permissions:
+  contents: write
+  actions: write
+  pull-requests: write
+
 on:
   pull_request:
   push:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,6 +1,9 @@
 ---
 name: Test and publish to package registries after new GitHub release
 
+permissions:
+  contents: read
+
 on:
   release:
     types: [published]
