Reduce risk of GITHUB_TOKEN exposure (#485)

* Add permissions to the workflows to mitigate the risk of exposing the GITHUB_TOKEN

* Update CHANGELOG.md

Signed-off-by: Jorge Sánchez <jorge.sanchez@wazuh.com>

* Add restrictions to workflows using upload-artifact action

* Remove 'contents: write' permissions

---------

Signed-off-by: Jorge Sánchez <jorge.sanchez@wazuh.com>
Co-authored-by: Alex Ruiz <alejandro.ruiz.becerra@wazuh.com>

.github/workflows/5_builderpackage_plugins.yml

@@ -50,6 +50,8 @@ on:
 jobs:
   build:
     runs-on: ubuntu-24.04
+    permissions:
+      actions: read
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-java@v4

.github/workflows/5_builderpackage_templates.yml

@@ -9,6 +9,9 @@ jobs:
   run-ecs-generator:
     if: github.repository == 'wazuh/wazuh-indexer-plugins'
     runs-on: ubuntu-24.04
+    permissions:
+      actions: read
+      contents: write
     env:
       output_folder: /tmp/ecs-templates
 

.github/workflows/5_codequality_changelog.yml

@@ -8,6 +8,8 @@ jobs:
   verify-changelog:
     if: github.repository == 'wazuh/wazuh-indexer-plugins'
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/5_codequality_links.yml

@@ -5,7 +5,8 @@ on:
 jobs:
   linkchecker:
     runs-on: ubuntu-24.04
-
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - name: lychee Link Checker

CHANGELOG.md

@@ -69,6 +69,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Fix arguments for the Content Manager's `update` command [(#441)](https://github.com/wazuh/wazuh-indexer-plugins/pull/441)
 
 ### Security
--
+- Reduce risk of GITHUB_TOKEN exposure[(#485)](https://github.com/wazuh/wazuh-indexer-plugins/pull/485)
 
 [Unreleased 6.0.x]: https://github.com/wazuh/wazuh-indexer-plugins/compare/6.0.0...6.0.0