workflows: Tighten up workflow permissions

Since the previous tightening a few workflow updates have gone in and the zizmor job isn't flagging them as issues, so address this to remove potential attack vectors Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-09-16 14:28:35 +00:00 · 2025-07-22 14:32:36 +01:00
parent e396a460bc
commit f79e453313
7 changed files with 27 additions and 18 deletions
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -29,9 +29,7 @@ on:
      AZ_SUBSCRIPTION_ID:
        required: true

-permissions:
-  contents: read
-  id-token: write
+permissions: {}

 jobs:
  run-kata-deploy-tests:
@@ -50,6 +48,8 @@ jobs:
            vmm: clh
    runs-on: ubuntu-22.04
    environment: ci
+    permissions:
+      id-token: write # Used for OIDC access to log into Azure
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
      DOCKER_REPO: ${{ inputs.repo }}