workflows: Tighten up workflow permissions

Since the previous tightening a few workflow updates have
gone in and the zizmor job isn't flagging them as issues,
so address this to remove potential attack vectors

Signed-off-by: stevenhorsman <steven@uk.ibm.com>

.github/workflows/ci.yaml

@@ -40,9 +40,7 @@ on:
       KBUILD_SIGN_PIN:
         required: true
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   build-kata-static-tarball-amd64:
@@ -292,6 +290,10 @@ jobs:
     if: ${{ inputs.skip-test != 'yes' }}
     needs: publish-kata-deploy-payload-amd64
     uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
+
+    permissions:
+      contents: read
+      id-token: write # Used for OIDC access to log into Azure
     with:
       tarball-suffix: -${{ inputs.tag }}
       registry: ghcr.io
@@ -351,6 +353,9 @@ jobs:
      - build-and-publish-tee-confidential-unencrypted-image
      - publish-csi-driver-amd64
     uses: ./.github/workflows/run-kata-coco-tests.yaml
+    permissions:
+      contents: read
+      id-token: write # Used for OIDC access to log into Azure
     with:
       tarball-suffix: -${{ inputs.tag }}
       registry: ghcr.io

.github/workflows/cleanup-resources.yaml

@@ -4,13 +4,14 @@ on:
     - cron: "0 0 * * *"
   workflow_dispatch:
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   cleanup-resources:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write # Used for OIDC access to log into Azure
     environment: ci
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

.github/workflows/osv-scanner.yaml

@@ -15,6 +15,8 @@ on:
   push:
     branches: [ "main" ]
 
+permissions: {}
+
 jobs:
   scan-scheduled:
     permissions:

.github/workflows/run-k8s-tests-on-aks.yaml

@@ -34,9 +34,7 @@ on:
         required: true
 
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   run-k8s-tests:
@@ -71,6 +69,9 @@ jobs:
             instance-type: normal
             auto-generate-policy: yes
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write # Used for OIDC access to log into Azure
     environment: ci
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}

.github/workflows/run-kata-coco-stability-tests.yaml

@@ -35,9 +35,7 @@ on:
       AUTHENTICATED_IMAGE_PASSWORD:
         required: true
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   # Generate jobs for testing CoCo on non-TEE environments
@@ -52,6 +50,9 @@ jobs:
         pull-type:
           - guest-pull
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write
     environment: ci
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}

.github/workflows/run-kata-coco-tests.yaml

@@ -36,9 +36,7 @@ on:
       ITA_KEY:
         required: true
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   run-k8s-tests-on-tdx:
@@ -223,6 +221,9 @@ jobs:
         pull-type:
           - guest-pull
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      id-token: write # Used for OIDC access to log into Azure
     environment: ci
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}

.github/workflows/run-kata-deploy-tests-on-aks.yaml

@@ -29,9 +29,7 @@ on:
       AZ_SUBSCRIPTION_ID:
         required: true
 
-permissions:
-  contents: read
-  id-token: write
+permissions: {}
 
 jobs:
   run-kata-deploy-tests:
@@ -50,6 +48,9 @@ jobs:
             vmm: clh
     runs-on: ubuntu-22.04
     environment: ci
+    permissions:
+      contents: read
+      id-token: write # Used for OIDC access to log into Azure
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}
       DOCKER_REPO: ${{ inputs.repo }}