Merge pull request #337 from CodebreakerApp/copilot/fix-d07782eb-4d00-4049-9ffe-62edc63f32f3

christiannagel · web-flow · commit 43d41f4dca23 · 2025-10-04T19:45:54.000+02:00
Add explicit permissions to all GitHub workflows following security best practices
diff --git a/.github/workflows/codebreaker-azure.yml b/.github/workflows/codebreaker-azure.yml
@@ -72,6 +72,9 @@ jobs:
   set-staging-environmentvariables:
     runs-on: ubuntu-latest
     needs: [deploy-test]
+    permissions:
+      id-token: write
+      contents: read
     steps:
     - name: Azure Login
       uses: azure/login@v2
diff --git a/.github/workflows/codebreaker-lib-analyzers-stable.yml b/.github/workflows/codebreaker-lib-analyzers-stable.yml
@@ -5,6 +5,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codebreaker-lib-analyzers.yml b/.github/workflows/codebreaker-lib-analyzers.yml
@@ -13,6 +13,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: CodebreakerApp/Codebreaker.Backend/.github/workflows/createnuget-withbuildnumber.yml@main
diff --git a/.github/workflows/codebreaker-lib-backendmodels-stable.yml b/.github/workflows/codebreaker-lib-backendmodels-stable.yml
@@ -5,6 +5,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codebreaker-lib-backendmodels.yml b/.github/workflows/codebreaker-lib-backendmodels.yml
@@ -13,6 +13,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: CodebreakerApp/Codebreaker.Backend/.github/workflows/createnuget-withbuildnumber.yml@main
diff --git a/.github/workflows/codebreaker-lib-client-stable.yml b/.github/workflows/codebreaker-lib-client-stable.yml
@@ -5,6 +5,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codebreaker-lib-client.yml b/.github/workflows/codebreaker-lib-client.yml
@@ -13,6 +13,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: CodebreakerApp/Codebreaker.Backend/.github/workflows/createnuget-withbuildnumber.yml@main
diff --git a/.github/workflows/codebreaker-lib-cosmos-stable.yml b/.github/workflows/codebreaker-lib-cosmos-stable.yml
@@ -5,6 +5,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codebreaker-lib-cosmos.yml b/.github/workflows/codebreaker-lib-cosmos.yml
@@ -13,6 +13,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: CodebreakerApp/Codebreaker.Backend/.github/workflows/createnuget-withbuildnumber.yml@main
diff --git a/.github/workflows/codebreaker-lib-postgresql.yml b/.github/workflows/codebreaker-lib-postgresql.yml
@@ -12,6 +12,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: CodebreakerApp/Codebreaker.Backend/.github/workflows/createnuget-withbuildnumber.yml@main
diff --git a/.github/workflows/codebreaker-lib-sqlserver-stable.yml b/.github/workflows/codebreaker-lib-sqlserver-stable.yml
@@ -5,6 +5,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/codebreaker-lib-sqlserver.yml b/.github/workflows/codebreaker-lib-sqlserver.yml
@@ -12,6 +12,9 @@ on:
   # Allow manually trigger 
   workflow_dispatch:    
 
+permissions:
+  contents: read
+
 jobs:
   build:
     uses: CodebreakerApp/Codebreaker.Backend/.github/workflows/createnuget-withbuildnumber.yml@main
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -4,11 +4,12 @@ name: Copilot Setup Steps
 on:
   workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   copilot-setup-steps:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
diff --git a/.github/workflows/createnuget-withbuildnumber.yml b/.github/workflows/createnuget-withbuildnumber.yml
@@ -40,6 +40,9 @@ on:
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publishnuget-azuredevops.yml b/.github/workflows/publishnuget-azuredevops.yml
@@ -10,6 +10,9 @@ on:
       DEVOPSARTIFACT_PAT:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publishnuget-nugetserver.yml b/.github/workflows/publishnuget-nugetserver.yml
@@ -10,6 +10,9 @@ on:
       NUGETAPIKEY:
         required: true
 
+permissions:
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
