Polish gh-11367

.github/workflows/backport-bot.yml

@@ -8,9 +8,15 @@ on:
   push:
     branches:
       - '*.x'
+permissions:
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-java@v3

.github/workflows/clean_build_artifacts.yml

@@ -8,9 +8,9 @@ permissions:
 
 jobs:
   main:
+    runs-on: ubuntu-latest
     permissions:
       contents: none
-    runs-on: ubuntu-latest
     steps:
       - name: Delete artifacts in cron job
         env:

.github/workflows/continuous-integration-workflow.yml

@@ -20,6 +20,9 @@ env:
   ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
   RUN_JOBS: ${{ github.repository == 'spring-projects/spring-security' }}
 
+permissions:
+  contents: read
+
 jobs:
   prerequisites:
     name: Pre-requisites for building
@@ -232,11 +235,11 @@ jobs:
           DOCS_SSH_KEY: ${{ secrets.DOCS_SSH_KEY }}
           DOCS_HOST: ${{ secrets.DOCS_HOST }}
   perform_release:
-    permissions:
-      contents: write  # for Git to git push
     name: Perform release
     needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     timeout-minutes: 90
     if: ${{ !endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
     env:
@@ -325,6 +328,9 @@ jobs:
     name: Perform post-release
     needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     timeout-minutes: 90
     if: ${{ endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
     env:
@@ -343,6 +349,8 @@ jobs:
     needs: [build_jdk_11, snapshot_tests, check_samples, check_tangles, deploy_artifacts, deploy_docs, deploy_schema, perform_release, perform_post_release]
     if: failure()
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
     steps:
       - name: Send Slack message
         # Workaround while waiting for Gamesight/slack-workflow-status#38 to be fixed

.github/workflows/milestone-spring-releasetrain.yml

@@ -5,12 +5,14 @@ on:
 env:
   DUE_ON: ${{ github.event.milestone.due_on }}
   TITLE: ${{ github.event.milestone.title }}
+permissions:
+  contents: read
 jobs:
   spring-releasetrain-checks:    
-    permissions:
-      contents: none
     name: Check DueOn is on a Release Date
     runs-on: ubuntu-latest
+    permissions:
+      contents: none
     steps:
     - name: Print Milestone Being Checked
       run: echo "Validating DueOn '$DUE_ON' for milestone '$TITLE'"
@@ -25,6 +27,8 @@ jobs:
     needs: [spring-releasetrain-checks]
     if: failure()
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
     steps:
       - name: Send Slack message
         uses: Gamesight/slack-workflow-status@v1.0.1

.github/workflows/update-scheduled-release-version.yml

@@ -9,11 +9,17 @@ env:
   GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
   GRADLE_ENTERPRISE_SECRET_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   update_scheduled_release_version:
     name: Initiate Release If Scheduled
     if: ${{ github.repository == 'spring-projects/spring-security' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
     steps:
       - id: checkout-source
         name: Checkout Source Code