Merge pull request #11326 from kata-containers/top-level-workflow-permissions

Top level workflow permissions
2025-07-30 23:06:27 +00:00 · 2025-05-29 10:03:06 +01:00 · 2025-05-29 10:03:06 +01:00 · 3da213a8c8
commit 3da213a8c8
parent 353d0822fd c34416f53a
53 changed files with 280 additions and 0 deletions
--- a/.github/workflows/PR-wip-checks.yaml
+++ b/.github/workflows/PR-wip-checks.yaml
@ -9,6 +9,9 @@ on:
      - labeled
      - unlabeled

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@ -11,6 +11,9 @@ on:
    paths:
      - '.github/workflows/**'

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/basic-ci-amd64.yaml
+++ b/.github/workflows/basic-ci-amd64.yaml
@ -13,6 +13,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-cri-containerd:
    strategy:
--- a/.github/workflows/basic-ci-s390x.yaml
+++ b/.github/workflows/basic-ci-s390x.yaml
@ -13,6 +13,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-cri-containerd:
    strategy:
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@ -12,6 +12,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 name: Build checks preview riscv64
 jobs:
  check:
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@ -5,6 +5,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 name: Build checks
 jobs:
  check:
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@ -21,6 +21,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  build-asset:
    runs-on: ubuntu-22.04
@ -150,6 +153,9 @@ jobs:
  build-asset-rootfs:
    runs-on: ubuntu-22.04
    needs: build-asset
+    permissions:
+      contents: read
+      packages: write
    strategy:
      matrix:
        asset:
@ -247,6 +253,9 @@ jobs:
  build-asset-shim-v2:
    runs-on: ubuntu-22.04
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
+    permissions:
+      contents: read
+      packages: write
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@ -304,6 +313,9 @@ jobs:
  create-kata-tarball:
    runs-on: ubuntu-22.04
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
+    permissions:
+      contents: read
+      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@ -21,6 +21,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  build-asset:
    runs-on: ubuntu-22.04-arm
@ -130,6 +133,9 @@ jobs:
  build-asset-rootfs:
    runs-on: ubuntu-22.04-arm
    needs: build-asset
+    permissions:
+      contents: read
+      packages: write
    strategy:
      matrix:
        asset:
@ -219,6 +225,9 @@ jobs:
  build-asset-shim-v2:
    runs-on: ubuntu-22.04-arm
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
+    permissions:
+      contents: read
+      packages: write
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@ -274,6 +283,9 @@ jobs:
  create-kata-tarball:
    runs-on: ubuntu-22.04-arm
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
+    permissions:
+      contents: read
+      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@ -21,6 +21,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  build-asset:
    permissions:
@ -83,6 +86,9 @@ jobs:
  build-asset-rootfs:
    runs-on: ppc64le
    needs: build-asset
+    permissions:
+      contents: read
+      packages: write
    strategy:
      matrix:
        asset:
@ -158,6 +164,9 @@ jobs:
  build-asset-shim-v2:
    runs-on: ppc64le
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
+    permissions:
+      contents: read
+      packages: write
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@ -213,6 +222,9 @@ jobs:
  create-kata-tarball:
    runs-on: ppc64le
    needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
+    permissions:
+      contents: read
+      packages: write
    steps:
      - name: Adjust a permission for repo
        run: |
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@ -21,6 +21,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  build-asset:
    runs-on: riscv-builder
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@ -21,6 +21,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  build-asset:
    runs-on: s390x
@ -112,6 +115,9 @@ jobs:
  build-asset-rootfs:
    runs-on: s390x
    needs: build-asset
+    permissions:
+      contents: read
+      packages: write
    strategy:
      matrix:
        asset:
@ -175,6 +181,9 @@ jobs:
  build-asset-boot-image-se:
    runs-on: s390x
    needs: [build-asset, build-asset-rootfs]
+    permissions:
+      contents: read
+      packages: write
    steps:
      - uses: actions/checkout@v4

@ -235,6 +244,9 @@ jobs:
  build-asset-shim-v2:
    runs-on: s390x
    needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
+    permissions:
+      contents: read
+      packages: write
    steps:
      - name: Login to Kata Containers quay.io
        if: ${{ inputs.push-to-registry == 'yes' }}
@ -296,6 +308,9 @@ jobs:
      - build-asset-rootfs
      - build-asset-boot-image-se
      - build-asset-shim-v2
+    permissions:
+      contents: read
+      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/cargo-deny-runner.yaml
+++ b/.github/workflows/cargo-deny-runner.yaml
@ -11,6 +11,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  cargo-deny-runner:
    runs-on: ubuntu-22.04
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@ -8,6 +8,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  kata-containers-ci-on-push:
    permissions:
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@ -2,6 +2,9 @@ name: Kata Containers CI (manually triggered)
 on:
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  kata-containers-ci-on-push:
    permissions:
--- a/.github/workflows/ci-nightly-s390x.yaml
+++ b/.github/workflows/ci-nightly-s390x.yaml
@ -3,6 +3,10 @@ on:
    - cron: '0 5 * * *'

 name: Nightly CI for s390x
+
+permissions:
+  contents: read
+
 jobs:
  check-internal-test-result:
    runs-on: s390x
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@ -7,6 +7,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read
+
 jobs:
  kata-containers-ci-on-push:
    permissions:
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@ -14,6 +14,9 @@ on:
      - reopened
      - labeled

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@ -16,8 +16,16 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  build-kata-static-tarball-amd64:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -26,6 +34,9 @@ jobs:

  publish-kata-deploy-payload-amd64:
    needs: build-kata-static-tarball-amd64
+    permissions:
+      contents: read
+      packages: write
    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -39,6 +50,9 @@ jobs:
    secrets: inherit

  build-and-publish-tee-confidential-unencrypted-image:
+    permissions:
+      contents: read
+      packages: write
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -20,8 +20,16 @@ on:
        type: string
        default: no

+permissions:
+  contents: read
+
 jobs:
  build-kata-static-tarball-amd64:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -30,6 +38,9 @@ jobs:

  publish-kata-deploy-payload-amd64:
    needs: build-kata-static-tarball-amd64
+    permissions:
+      contents: read
+      packages: write
    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -43,6 +54,11 @@ jobs:
    secrets: inherit

  build-kata-static-tarball-arm64:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
    uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -51,6 +67,9 @@ jobs:

  publish-kata-deploy-payload-arm64:
    needs: build-kata-static-tarball-arm64
+    permissions:
+      contents: read
+      packages: write
    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -64,6 +83,11 @@ jobs:
    secrets: inherit

  build-kata-static-tarball-s390x:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
    uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -72,6 +96,9 @@ jobs:
    secrets: inherit

  build-kata-static-tarball-ppc64le:
+    permissions:
+      contents: read
+      packages: write
    uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -79,6 +106,11 @@ jobs:
      target-branch: ${{ inputs.target-branch }}

  build-kata-static-tarball-riscv64:
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
    uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -88,6 +120,9 @@ jobs:

  publish-kata-deploy-payload-s390x:
    needs: build-kata-static-tarball-s390x
+    permissions:
+      contents: read
+      packages: write
    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -102,6 +137,9 @@ jobs:

  publish-kata-deploy-payload-ppc64le:
    needs: build-kata-static-tarball-ppc64le
+    permissions:
+      contents: read
+      packages: write
    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
    with:
      tarball-suffix: -${{ inputs.tag }}
@ -115,6 +153,9 @@ jobs:
    secrets: inherit

  build-and-publish-tee-confidential-unencrypted-image:
+    permissions:
+      contents: read
+      packages: write
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
@ -4,6 +4,9 @@ on:
    - cron: "0 0 * * *"
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  cleanup-resources:
    runs-on: ubuntu-22.04
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -19,6 +19,9 @@ on:
  schedule:
    - cron: '45 0 * * 1'

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@ -6,6 +6,9 @@ on:
      - reopened
      - synchronize

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/darwin-tests.yaml
+++ b/.github/workflows/darwin-tests.yaml
@ -6,6 +6,9 @@ on:
      - reopened
      - synchronize

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@ -2,6 +2,9 @@ on:
  schedule:
    - cron:  '0 23 * * 0'

+permissions:
+  contents: read
+
 name: Docs URL Alive Check
 jobs:
  test:
--- a/.github/workflows/gatekeeper-skipper.yaml
+++ b/.github/workflows/gatekeeper-skipper.yaml
@ -31,6 +31,8 @@ on:
      skip_static:
        value: ${{ jobs.skipper.outputs.skip_static }}

+permissions:
+  contents: read

 jobs:
  skipper:
--- a/.github/workflows/gatekeeper.yaml
+++ b/.github/workflows/gatekeeper.yaml
@ -12,6 +12,9 @@ on:
      - reopened
      - labeled

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
@ -23,6 +26,7 @@ jobs:
      actions: read
      contents: read
      issues: read
+      pull-requests: read
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/kata-runtime-classes-sync.yaml
+++ b/.github/workflows/kata-runtime-classes-sync.yaml
@ -6,6 +6,9 @@ on:
      - reopened
      - synchronize

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@ -5,6 +5,9 @@ on:
      - main
  workflow_dispatch:

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

@ -61,6 +64,9 @@ jobs:

  publish-kata-deploy-payload-amd64:
    needs: build-assets-amd64
+    permissions:
+      contents: read
+      packages: write
    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
    with:
      commit-hash: ${{ github.sha }}
@ -74,6 +80,9 @@ jobs:

  publish-kata-deploy-payload-arm64:
    needs: build-assets-arm64
+    permissions:
+      contents: read
+      packages: write
    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
    with:
      commit-hash: ${{ github.sha }}
@ -87,6 +96,9 @@ jobs:

  publish-kata-deploy-payload-s390x:
    needs: build-assets-s390x
+    permissions:
+      contents: read
+      packages: write
    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
    with:
      commit-hash: ${{ github.sha }}
@ -100,6 +112,9 @@ jobs:

  publish-kata-deploy-payload-ppc64le:
    needs: build-assets-ppc64le
+    permissions:
+      contents: read
+      packages: write
    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
    with:
      commit-hash: ${{ github.sha }}
@ -113,6 +128,9 @@ jobs:

  publish-manifest:
    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
    needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le]
    steps:
      - name: Checkout repository
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@ -31,8 +31,14 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 jobs:
  kata-payload:
+    permissions:
+      contents: read
+      packages: write
    runs-on: ${{ inputs.runner }}
    steps:
      - uses: actions/checkout@v4
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@ -6,6 +6,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 jobs:
  build-kata-static-tarball-amd64:
    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
@ -16,6 +19,9 @@ jobs:

  kata-deploy:
    needs: build-kata-static-tarball-amd64
+    permissions:
+      contents: read
+      packages: write
    runs-on: ubuntu-22.04
    steps:
      - name: Login to Kata Containers docker.io
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@ -6,6 +6,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 jobs:
  build-kata-static-tarball-arm64:
    uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
@ -16,6 +19,9 @@ jobs:

  kata-deploy:
    needs: build-kata-static-tarball-arm64
+    permissions:
+      contents: read
+      packages: write
    runs-on: ubuntu-22.04-arm
    steps:
      - name: Login to Kata Containers docker.io
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@ -6,6 +6,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 jobs:
  build-kata-static-tarball-ppc64le:
    uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
@ -16,6 +19,9 @@ jobs:

  kata-deploy:
    needs: build-kata-static-tarball-ppc64le
+    permissions:
+      contents: read
+      packages: write
    runs-on: ppc64le
    steps:
      - name: Login to Kata Containers docker.io
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@ -6,6 +6,9 @@ on:
        required: true
        type: string

+permissions:
+  contents: read
+
 jobs:
  build-kata-static-tarball-s390x:
    uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
@ -16,6 +19,9 @@ jobs:

  kata-deploy:
    needs: build-kata-static-tarball-s390x
+    permissions:
+      contents: read
+      packages: write
    runs-on: s390x
    steps:
      - name: Login to Kata Containers docker.io
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -2,6 +2,9 @@ name: Release Kata Containers
 on:
  workflow_dispatch

+permissions:
+  contents: read
+
 jobs:
  release:
    runs-on: ubuntu-22.04
--- a/.github/workflows/run-cri-containerd-tests-ppc64le.yaml
+++ b/.github/workflows/run-cri-containerd-tests-ppc64le.yaml
@ -1,4 +1,8 @@
 name: CI | Run cri-containerd tests on ppc64le
+
+permissions:
+  contents: read
+
 on:
  workflow_call:
    inputs:
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@ -25,6 +25,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-k8s-tests:
    strategy:
--- a/.github/workflows/run-k8s-tests-on-amd64.yaml
+++ b/.github/workflows/run-k8s-tests-on-amd64.yaml
@ -22,6 +22,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-k8s-tests-amd64:
    strategy:
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@ -22,6 +22,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-k8s-tests-on-arm64:
    strategy:
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@ -22,6 +22,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-k8s-tests:
    strategy:
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@ -22,6 +22,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-k8s-tests:
    strategy:
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@ -25,6 +25,9 @@ on:
        required: false
        type: string

+permissions:
+  contents: read
+
 jobs:
  # Generate jobs for testing CoCo on non-TEE environments
  run-stability-k8s-tests-coco-nontee:
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@ -25,6 +25,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-k8s-tests-on-tdx:
    strategy:
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@ -22,6 +22,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-kata-deploy-tests:
    strategy:
--- a/.github/workflows/run-kata-deploy-tests.yaml
+++ b/.github/workflows/run-kata-deploy-tests.yaml
@ -22,6 +22,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-kata-deploy-tests:
    strategy:
--- a/.github/workflows/run-kata-monitor-tests.yaml
+++ b/.github/workflows/run-kata-monitor-tests.yaml
@ -13,6 +13,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-monitor:
    strategy:
--- a/.github/workflows/run-metrics.yaml
+++ b/.github/workflows/run-metrics.yaml
@ -22,6 +22,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-metrics:
    strategy:
--- a/.github/workflows/run-runk-tests.yaml
+++ b/.github/workflows/run-runk-tests.yaml
@ -13,6 +13,9 @@ on:
        type: string
        default: ""

+permissions:
+  contents: read
+
 jobs:
  run-runk:
    # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@ -10,6 +10,9 @@ on:
      - reopened
      - synchronize

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/shellcheck_required.yaml
+++ b/.github/workflows/shellcheck_required.yaml
@ -11,6 +11,9 @@ on:
      - reopened
      - synchronize

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@ -4,6 +4,9 @@ on:
    - cron: '0 0 * * *'
  workflow_dispatch:

+permissions:
+  contents: read
+
 jobs:
  stale:
    runs-on: ubuntu-22.04
--- a/.github/workflows/static-checks-self-hosted.yaml
+++ b/.github/workflows/static-checks-self-hosted.yaml
@ -6,6 +6,9 @@ on:
      - reopened
      - labeled # a workflow runs only when the 'ok-to-test' label is added

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@ -6,6 +6,9 @@ on:
      - reopened
      - synchronize

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
--- a/src/runtime/pkg/govmm/.github/workflows/main.yml
+++ b/src/runtime/pkg/govmm/.github/workflows/main.yml
@ -1,5 +1,9 @@
 on: ["pull_request"]
 name: Unit tests
+
+permissions:
+  contents: read
+
 jobs:
  test:
    strategy: