From 084bdacfc3323bc6dadf700a94d8a342c11b25b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=81lex=20Ruiz=20Becerra?=
Date: Fri, 14 Nov 2025 15:30:24 +0100
Subject: [PATCH] Potential fix for code scanning alerts: Workflow does not contain permissions (#1234)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Álex Ruiz Becerra
Signed-off-by: Jorge Sánchez
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Jorge Sánchez
---
 .github/workflows/5_builderpackage_docker.yml | 2 ++
 .github/workflows/5_builderpackage_indexer.yml | 3 +++
 .github/workflows/5_codequality_changelog.yml | 2 ++
 .github/workflows/5_codequality_email.yml | 2 ++
 .github/workflows/5_testunit_version.yml | 2 ++
 .github/workflows/6_builderpackage_indexer.yml | 2 ++
 .github/workflows/links.yml | 2 ++
 CHANGELOG.md | 1 +
 8 files changed, 16 insertions(+)

diff --git a/.github/workflows/5_builderpackage_docker.yml b/.github/workflows/5_builderpackage_docker.yml
index 1b879a254b1..8a134fe7116 100644
--- a/.github/workflows/5_builderpackage_docker.yml
+++ b/.github/workflows/5_builderpackage_docker.yml
@@ -84,6 +84,8 @@ jobs:
 secrets: inherit
 build-and-push-docker-image:
+ permissions:
+ contents: read
 needs: [call-build-workflow]
 runs-on: ubuntu-24.04
 env:
diff --git a/.github/workflows/5_builderpackage_indexer.yml b/.github/workflows/5_builderpackage_indexer.yml
index 0a3395d79eb..8a31b683896 100644
--- a/.github/workflows/5_builderpackage_indexer.yml
+++ b/.github/workflows/5_builderpackage_indexer.yml
@@ -1,6 +1,9 @@
 run-name: Build ${{ inputs.distribution }} Wazuh Indexer on ${{ inputs.architecture }} | ${{ inputs.id }}
 name: (5.x) Build packages
+permissions:
+ contents: read
+
 # This workflow runs when any of the following occur:
 # - Run manually
 # - Invoked from another workflow
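Review bot: The job-level block inserted before `needs:` leaves `build-and-push-docker-image` with a token that has only `contents: read`, which is not enough if the push step logs in to the container registry with `GITHUB_TOKEN` (that requires `packages: write`); the steps are outside the hunk, so which credential the push uses should be confirmed before merging. As far as the hunk shows, `call-build-workflow` and the rest of this file get no explicit scope, so unlike the other workflows in this patch there is no workflow-level default here; adding a top-level `permissions:` / `  contents: read` and keeping the job override would be consistent with the rest of the change. A one-line comment on the new block, `# least-privilege token; add packages: write here if the image push authenticates with GITHUB_TOKEN`, would record the intent for the next editor.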
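Review bot: The workflow-level `permissions:` added after `name:` becomes the default token for every job in this file and silently sets every unlisted scope to `none`; any job that uploads a release asset, writes packages, or authenticates via OIDC (`id-token: write`) will now get a 403 unless it declares its own job-level override, and since no job is inside the hunk this needs a manual run of the build path to confirm. The `6_builderpackage_indexer.yml` hunk later in the patch makes the same change and needs the same check. A short comment above the block, `# Default GITHUB_TOKEN scope for all jobs; widen per job, never here`, would keep a later edit from re-widening it globally. The extra `+` blank line after `contents: read` appears to leave two blank lines before the comment block; worth checking in the rendered file.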
diff --git a/.github/workflows/5_codequality_changelog.yml b/.github/workflows/5_codequality_changelog.yml
index 0aa2cd52295..49386ea9e0b 100644
--- a/.github/workflows/5_codequality_changelog.yml
+++ b/.github/workflows/5_codequality_changelog.yml
@@ -3,6 +3,8 @@ on:
 pull_request:
 types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
+permissions:
+ contents: read
 jobs:
 # Enforces the update of a changelog file on every pull request
 verify-changelog:
diff --git a/.github/workflows/5_codequality_email.yml b/.github/workflows/5_codequality_email.yml
index 0540d7fb2c1..185816e6096 100644
--- a/.github/workflows/5_codequality_email.yml
+++ b/.github/workflows/5_codequality_email.yml
@@ -1,4 +1,6 @@
 name: (5.x) Check email
+permissions:
+ contents: read
 on:
 pull_request:
 types: [opened, synchronize, reopened, ready_for_review, labeled, unlabeled]
diff --git a/.github/workflows/5_testunit_version.yml b/.github/workflows/5_testunit_version.yml
index 7cd0f9cbe5f..28945aad6da 100644
--- a/.github/workflows/5_testunit_version.yml
+++ b/.github/workflows/5_testunit_version.yml
@@ -1,4 +1,6 @@
 name: (5.x) Check version file
+permissions:
+ contents: read
 on:
 push:
diff --git a/.github/workflows/6_builderpackage_indexer.yml b/.github/workflows/6_builderpackage_indexer.yml
index 3fe629d3095..d08d9e13e07 100644
--- a/.github/workflows/6_builderpackage_indexer.yml
+++ b/.github/workflows/6_builderpackage_indexer.yml
@@ -1,5 +1,7 @@
 run-name: Build ${{ inputs.distribution }} Wazuh Indexer on ${{ inputs.architecture }} | ${{ inputs.id }}
 name: (6.x) Build packages
+permissions:
+ contents: read
 # This workflow runs when any of the following occur:
 # - Run manually
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index fcf50384642..747554a0979 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -3,6 +3,8 @@ on:
 schedule:
 - cron: "00 8 * * 5"
+permissions:
+ contents: read
 jobs:
 linkchecker:
 runs-on: ubuntu-24.04
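Review bot: Declaring `permissions:` explicitly drops every unlisted scope to `none`, so `verify-changelog` now runs with only `contents: read`; because the trigger list includes `labeled` and `unlabeled`, if that job inspects PR labels or the changed-file list through the API it will also need `pull-requests: read`, and its steps lie outside the hunk, so this should be confirmed against them. The same check applies to the `5_codequality_email.yml` hunk, which has the same trigger list, and to `links.yml` with `issues: write` if the link checker files an issue for broken links. A comment on the block, `# explicit least-privilege token; add pull-requests: read if the job queries the PR`, would make the intended boundary clear to the next editor.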
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e2cd626b53b..c28d3323e61 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,5 +62,6 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Reduce risk of GITHUB_TOKEN exposure [(#960)](https://github.com/wazuh/wazuh-indexer/pull/960)
 - Use latest Amazon Linux 2023 Docker image [(#1182)](https://github.com/wazuh/wazuh-indexer/pull/1182)
 - Update CodeQL configuration [(#1220)](https://github.com/wazuh/wazuh-indexer/pull/1220)
+- Potential fix for code scanning alerts: Workflow does not contain permissions [(#1234)](https://github.com/wazuh/wazuh-indexer/pull/1234)
 [Unreleased 5.0.0]: https://github.com/wazuh/wazuh-indexer/compare/4.14.1...5.0.0