diff --git a/.github/workflows/5_builderpackage_docker.yml b/.github/workflows/5_builderpackage_docker.yml
index 1b879a254b1..8a134fe7116 100644
--- a/.github/workflows/5_builderpackage_docker.yml
+++ b/.github/workflows/5_builderpackage_docker.yml
@@ -84,6 +84,8 @@ jobs:
 secrets: inherit
 build-and-push-docker-image:
+ permissions:
+ contents: read
 needs: [call-build-workflow]
 runs-on: ubuntu-24.04
 env:
diff --git a/.github/workflows/5_builderpackage_indexer.yml b/.github/workflows/5_builderpackage_indexer.yml
index 0a3395d79eb..8a31b683896 100644
--- a/.github/workflows/5_builderpackage_indexer.yml
+++ b/.github/workflows/5_builderpackage_indexer.yml
@@ -1,6 +1,9 @@
 run-name: Build ${{ inputs.distribution }} Wazuh Indexer on ${{ inputs.architecture }} | ${{ inputs.id }}
 name: (5.x) Build packages
+permissions:
+ contents: read
+
 # This workflow runs when any of the following occur:
 # - Run manually
 # - Invoked from another workflow
diff --git a/.github/workflows/5_codequality_changelog.yml b/.github/workflows/5_codequality_changelog.yml
index 0aa2cd52295..49386ea9e0b 100644
--- a/.github/workflows/5_codequality_changelog.yml
+++ b/.github/workflows/5_codequality_changelog.yml
@@ -3,6 +3,8 @@ on:
 pull_request:
 types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
+permissions:
+ contents: read
 jobs:
 # Enforces the update of a changelog file on every pull request
 verify-changelog:
diff --git a/.github/workflows/5_codequality_email.yml b/.github/workflows/5_codequality_email.yml
index 0540d7fb2c1..185816e6096 100644
--- a/.github/workflows/5_codequality_email.yml
+++ b/.github/workflows/5_codequality_email.yml
@@ -1,4 +1,6 @@
 name: (5.x) Check email
+permissions:
+ contents: read
 on:
 pull_request:
 types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
diff --git a/.github/workflows/5_testunit_version.yml b/.github/workflows/5_testunit_version.yml
index 7cd0f9cbe5f..28945aad6da 100644
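Review bot: The new `permissions` block in 5_builderpackage_docker.yml covers only `build-and-push-docker-image`; the `call-build-workflow` job visible just above it (the one passing `secrets: inherit` to a reusable workflow) keeps the repository-default token scope unless a workflow-level `permissions:` exists outside this hunk, which the hunk does not show. A top-level `permissions:` / `  contents: read` pair, with per-job escalation only where a job needs more, would cap every job in the file, including the reusable-workflow call, whose token is bounded by what the caller grants. It is also worth confirming that this job does not push with `GITHUB_TOKEN` to GHCR, which would require `packages: write`; if it authenticates to the registry with a stored secret instead, `contents: read` is sufficient. The job body continues past the end of the hunk.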
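Review bot: The top-level `permissions` block is placed differently in each workflow: 5_codequality_changelog.yml and links.yml put it between the `on:` block and `jobs:`, 5_codequality_email.yml and 5_testunit_version.yml put it between `name:` and `on:`, and the two builderpackage_indexer workflows put it after `name:` and before the comment header, with the 5.x file adding a trailing blank line that the 6.x file omits. Pick one position (for example `name:`, `on:`, `permissions:`, then `jobs:`) and apply it across the set so the token grant is found at the same spot in every file. This is ordering only; no behavioural difference is implied.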
--- a/.github/workflows/5_testunit_version.yml
+++ b/.github/workflows/5_testunit_version.yml
@@ -1,4 +1,6 @@
 name: (5.x) Check version file
+permissions:
+ contents: read
 on:
 push:
diff --git a/.github/workflows/6_builderpackage_indexer.yml b/.github/workflows/6_builderpackage_indexer.yml
index 3fe629d3095..d08d9e13e07 100644
--- a/.github/workflows/6_builderpackage_indexer.yml
+++ b/.github/workflows/6_builderpackage_indexer.yml
@@ -1,5 +1,7 @@
 run-name: Build ${{ inputs.distribution }} Wazuh Indexer on ${{ inputs.architecture }} | ${{ inputs.id }}
 name: (6.x) Build packages
+permissions:
+ contents: read
 # This workflow runs when any of the following occur:
 # - Run manually
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index fcf50384642..747554a0979 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -3,6 +3,8 @@ on:
 schedule:
 - cron: "00 8 * * 5"
+permissions:
+ contents: read
 jobs:
 linkchecker:
 runs-on: ubuntu-24.04
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e2cd626b53b..c28d3323e61 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,5 +62,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Reduce risk of GITHUB_TOKEN exposure [(#960)](https://github.com/wazuh/wazuh-indexer/pull/960)
 - Use latest Amazon Linux 2023 Docker image [(#1182)](https://github.com/wazuh/wazuh-indexer/pull/1182)
 - Update CodeQL configuration [(#1220)](https://github.com/wazuh/wazuh-indexer/pull/1220)
+- Potential fix for code scanning alerts: Workflow does not contain permissions [(#1234)](https://github.com/wazuh/wazuh-indexer/pull/1234)
 [Unreleased 5.0.0]: https://github.com/wazuh/wazuh-indexer/compare/4.14.1...5.0.0