From 134ba84f42e8079b3c39f79746d46ed18f5e98d8 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Sun, 18 Feb 2024 02:09:03 +0700
Subject: [PATCH] security: add permissions block to workflows
---
 .github/workflows/check-auditbeat.yml | 3 +++
 .github/workflows/check-dev-tools.yml | 3 +++
 .github/workflows/check-filebeat.yml | 3 +++
 .github/workflows/check-heartbeat.yml | 3 +++
 .github/workflows/check-libbeat.yml | 3 +++
 .github/workflows/check-metricbeat.yml | 3 +++
 .github/workflows/check-packetbeat.yml | 3 +++
 .github/workflows/check-winlogbeat.yml | 3 +++
 .github/workflows/check-xpack-auditbeat.yml | 3 +++
 .github/workflows/check-xpack-dockerlogbeat.yml | 3 +++
 .github/workflows/check-xpack-filebeat.yml | 3 +++
 .github/workflows/check-xpack-functionbeat.yml | 3 +++
 .github/workflows/check-xpack-heartbeat.yml | 3 +++
 .github/workflows/check-xpack-libbeat.yml | 3 +++
 .github/workflows/check-xpack-metricbeat.yml | 3 +++
 .github/workflows/check-xpack-osquerybeat.yml | 3 +++
 .github/workflows/check-xpack-packetbeat.yml | 3 +++
 .github/workflows/check-xpack-winlogbeat.yml | 3 +++
 .github/workflows/macos-auditbeat.yml | 3 +++
 .github/workflows/macos-filebeat.yml | 3 +++
 .github/workflows/macos-heartbeat.yml | 3 +++
 .github/workflows/macos-metricbeat.yml | 3 +++
 .github/workflows/macos-packetbeat.yml | 3 +++
 .github/workflows/macos-xpack-auditbeat.yml | 3 +++
 .github/workflows/macos-xpack-filebeat.yml | 3 +++
 .github/workflows/macos-xpack-functionbeat.yml | 3 +++
 .github/workflows/macos-xpack-heartbeat.yml | 3 +++
 .github/workflows/macos-xpack-metricbeat.yml | 3 +++
 .github/workflows/macos-xpack-osquerybeat.yml | 3 +++
 .github/workflows/macos-xpack-packetbeat.yml | 3 +++
 .github/workflows/platform-ingest-project-board.yml | 3 +++
 .github/workflows/post-dependabot.yml | 3 +++
 32 files changed, 96 insertions(+)
diff --git a/.github/workflows/check-auditbeat.yml b/.github/workflows/check-auditbeat.yml
index 3941fcdd492..bbc96242687 100644
--- a/.github/workflows/check-auditbeat.yml
+++ b/.github/workflows/check-auditbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'auditbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-dev-tools.yml b/.github/workflows/check-dev-tools.yml
index 4f0ba423466..6fa58fc319d 100644
--- a/.github/workflows/check-dev-tools.yml
+++ b/.github/workflows/check-dev-tools.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'dev-tools'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-filebeat.yml b/.github/workflows/check-filebeat.yml
index 0c08232e8af..930a04ec5e5 100644
--- a/.github/workflows/check-filebeat.yml
+++ b/.github/workflows/check-filebeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'filebeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-heartbeat.yml b/.github/workflows/check-heartbeat.yml
index c975398fc2b..ac7ad5725f5 100644
--- a/.github/workflows/check-heartbeat.yml
+++ b/.github/workflows/check-heartbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'heartbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-libbeat.yml b/.github/workflows/check-libbeat.yml
index 38b04932a86..27e03701b85 100644
--- a/.github/workflows/check-libbeat.yml
+++ b/.github/workflows/check-libbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'libbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-metricbeat.yml b/.github/workflows/check-metricbeat.yml
index 452f0dbedc1..709fa3a44bd 100644
--- a/.github/workflows/check-metricbeat.yml
+++ b/.github/workflows/check-metricbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'metricbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
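Review bot: The new top-level `permissions:` block in check-auditbeat.yml carries no comment saying why it is there or what it implies, and the same three lines are repeated unannotated in the other check-*.yml and macos-*.yml hunks. Declaring only `contents: read` sets every other GITHUB_TOKEN scope to `none`, so a later step that comments on a pull request or writes a check annotation through the token would fail with a permission error that is not obvious from the step itself. I would add a line above the block such as `# Least privilege: GITHUB_TOKEN gets read-only contents; any other scope must be granted per job.` The jobs' steps are outside these hunks, so whether any current step needs more than read access cannot be confirmed from here.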
diff --git a/.github/workflows/check-packetbeat.yml b/.github/workflows/check-packetbeat.yml
index b084e4d962e..ba05b6c0160 100644
--- a/.github/workflows/check-packetbeat.yml
+++ b/.github/workflows/check-packetbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'packetbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-winlogbeat.yml b/.github/workflows/check-winlogbeat.yml
index e048d585fa8..a79c4bef209 100644
--- a/.github/workflows/check-winlogbeat.yml
+++ b/.github/workflows/check-winlogbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'winlogbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-xpack-auditbeat.yml b/.github/workflows/check-xpack-auditbeat.yml
index d0bf638796b..a4e6ae81563 100644
--- a/.github/workflows/check-xpack-auditbeat.yml
+++ b/.github/workflows/check-xpack-auditbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/auditbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-xpack-dockerlogbeat.yml b/.github/workflows/check-xpack-dockerlogbeat.yml
index 44760e6c5e6..258e5c6c3fa 100644
--- a/.github/workflows/check-xpack-dockerlogbeat.yml
+++ b/.github/workflows/check-xpack-dockerlogbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/dockerlogbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-xpack-filebeat.yml b/.github/workflows/check-xpack-filebeat.yml
index 73b5b21d323..0547fafb7e6 100644
--- a/.github/workflows/check-xpack-filebeat.yml
+++ b/.github/workflows/check-xpack-filebeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/filebeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-xpack-functionbeat.yml b/.github/workflows/check-xpack-functionbeat.yml
index 089828088d6..8ae83acd36f 100644
--- a/.github/workflows/check-xpack-functionbeat.yml
+++ b/.github/workflows/check-xpack-functionbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/functionbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-xpack-heartbeat.yml b/.github/workflows/check-xpack-heartbeat.yml
index c9b77cbebb3..3d6be31ef8b 100644
--- a/.github/workflows/check-xpack-heartbeat.yml
+++ b/.github/workflows/check-xpack-heartbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/heartbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-xpack-libbeat.yml b/.github/workflows/check-xpack-libbeat.yml
index 11359887ef0..28da0b1eb35 100644
--- a/.github/workflows/check-xpack-libbeat.yml
+++ b/.github/workflows/check-xpack-libbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/libbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-xpack-metricbeat.yml b/.github/workflows/check-xpack-metricbeat.yml
index f61967a5eec..8f107794bce 100644
--- a/.github/workflows/check-xpack-metricbeat.yml
+++ b/.github/workflows/check-xpack-metricbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/metricbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-xpack-osquerybeat.yml b/.github/workflows/check-xpack-osquerybeat.yml
index e5c87bcf5bd..73ba20e5a8c 100644
--- a/.github/workflows/check-xpack-osquerybeat.yml
+++ b/.github/workflows/check-xpack-osquerybeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/osquerybeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-xpack-packetbeat.yml b/.github/workflows/check-xpack-packetbeat.yml
index 3840d5598aa..e03d46d55e2 100644
--- a/.github/workflows/check-xpack-packetbeat.yml
+++ b/.github/workflows/check-xpack-packetbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/packetbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/check-xpack-winlogbeat.yml b/.github/workflows/check-xpack-winlogbeat.yml
index 8656675c3a1..2f3571c7d74 100644
--- a/.github/workflows/check-xpack-winlogbeat.yml
+++ b/.github/workflows/check-xpack-winlogbeat.yml
@@ -10,6 +10,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/winlogbeat'
+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/macos-auditbeat.yml b/.github/workflows/macos-auditbeat.yml
index 994ca6dbebc..39c97c8b719 100644
--- a/.github/workflows/macos-auditbeat.yml
+++ b/.github/workflows/macos-auditbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'auditbeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-filebeat.yml b/.github/workflows/macos-filebeat.yml
index 6b43f5bb6c6..513b87be316 100644
--- a/.github/workflows/macos-filebeat.yml
+++ b/.github/workflows/macos-filebeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'filebeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-heartbeat.yml b/.github/workflows/macos-heartbeat.yml
index c8e346a4402..b707e9c7d42 100644
--- a/.github/workflows/macos-heartbeat.yml
+++ b/.github/workflows/macos-heartbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'heartbeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-metricbeat.yml b/.github/workflows/macos-metricbeat.yml
index 59a225e1601..0f37cfb937b 100644
--- a/.github/workflows/macos-metricbeat.yml
+++ b/.github/workflows/macos-metricbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'metricbeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-packetbeat.yml b/.github/workflows/macos-packetbeat.yml
index be5dc7377e6..bebbc5eed90 100644
--- a/.github/workflows/macos-packetbeat.yml
+++ b/.github/workflows/macos-packetbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'packetbeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-xpack-auditbeat.yml b/.github/workflows/macos-xpack-auditbeat.yml
index 3adcb46f6da..e0484908a9e 100644
--- a/.github/workflows/macos-xpack-auditbeat.yml
+++ b/.github/workflows/macos-xpack-auditbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/auditbeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-xpack-filebeat.yml b/.github/workflows/macos-xpack-filebeat.yml
index 936c0913fa4..93950c24b57 100644
--- a/.github/workflows/macos-xpack-filebeat.yml
+++ b/.github/workflows/macos-xpack-filebeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/filebeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-xpack-functionbeat.yml b/.github/workflows/macos-xpack-functionbeat.yml
index 26a3e311c92..430d8834bb4 100644
--- a/.github/workflows/macos-xpack-functionbeat.yml
+++ b/.github/workflows/macos-xpack-functionbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/functionbeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-xpack-heartbeat.yml b/.github/workflows/macos-xpack-heartbeat.yml
index 8a0c6c1897d..9c4995ce20d 100644
--- a/.github/workflows/macos-xpack-heartbeat.yml
+++ b/.github/workflows/macos-xpack-heartbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/heartbeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-xpack-metricbeat.yml b/.github/workflows/macos-xpack-metricbeat.yml
index 38f40b051bc..2d2531cd286 100644
--- a/.github/workflows/macos-xpack-metricbeat.yml
+++ b/.github/workflows/macos-xpack-metricbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/metricbeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-xpack-osquerybeat.yml b/.github/workflows/macos-xpack-osquerybeat.yml
index 1b3be3e3148..7678df4b2f2 100644
--- a/.github/workflows/macos-xpack-osquerybeat.yml
+++ b/.github/workflows/macos-xpack-osquerybeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/osquerybeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/macos-xpack-packetbeat.yml b/.github/workflows/macos-xpack-packetbeat.yml
index 90d9f77e269..8167486eb0c 100644
--- a/.github/workflows/macos-xpack-packetbeat.yml
+++ b/.github/workflows/macos-xpack-packetbeat.yml
@@ -13,6 +13,9 @@ on:
 env:
 BEAT_MODULE: 'x-pack/packetbeat'
+permissions:
+ contents: read
+
 jobs:
 macos:
 runs-on: macos-latest
diff --git a/.github/workflows/platform-ingest-project-board.yml b/.github/workflows/platform-ingest-project-board.yml
index 9dd97b6747c..10a738c750c 100644
--- a/.github/workflows/platform-ingest-project-board.yml
+++ b/.github/workflows/platform-ingest-project-board.yml
@@ -16,6 +16,9 @@ env:
 AREA_FIELD_ID: 'PVTSSF_lADOAGc3Zs4AEzn4zgEgZSo'
 ELASTIC_AGENT_OPTION_ID: 'c1e1a30a'
+permissions:
+ contents: read
+
 jobs:
 add_to_ingest_project:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml
index 069f0d777e1..59d84b9bec3 100644
--- a/.github/workflows/post-dependabot.yml
+++ b/.github/workflows/post-dependabot.yml
@@ -9,6 +9,9 @@ on:
 branches:
 - 'dependabot/go_modules/**'
+permissions:
+ contents: read
+
 jobs:
 update-notice:
 permissions:
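Review bot: In platform-ingest-project-board.yml the `contents: read` grant may be both more and less than this workflow needs, since the visible env block (`AREA_FIELD_ID`, `ELASTIC_AGENT_OPTION_ID`) suggests the job updates a project board rather than reading the repository. If the `add_to_ingest_project` steps authenticate with a separate secret token, the tighter declaration is `permissions: {}`. If they rely on GITHUB_TOKEN to read the triggering issue or pull request, the new block now sets `issues` and `pull-requests` to `none` and those scopes would have to be listed explicitly. The job's steps are outside the hunk, so this should be checked against the job body before merging.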
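Review bot: In post-dependabot.yml the `update-notice` job already opens its own `permissions:` block on the last context line of this hunk, and a job-level block replaces the workflow-level one rather than merging with it, so the added `contents: read` does not change what that job's token can do. It only acts as a default for jobs added later. A comment such as `# Default for new jobs; update-notice sets its own permissions below.` would keep readers from assuming this workflow is read-only. The job-level scopes continue past the end of the hunk, and they are the ones worth reviewing for least privilege.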