🌱 harden git workflows

.github/workflows/code-scanning.yaml

@@ -23,11 +23,14 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 360
     permissions:
+      contents: read
       security-events: write
       packages: read
     steps:
     - name: Checkout repository
       uses: actions/checkout@v6
+      with:
+        persist-credentials: false
 
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v4

.github/workflows/config-checks.yaml

@@ -18,13 +18,18 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   helm-lint:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Install Helm
         uses: azure/setup-helm@v5.0.0
         id: install
@@ -36,6 +41,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Get Golang version
         id: vars
         run: |
@@ -53,6 +60,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Get Golang version
         id: vars
         run: |

.github/workflows/coverage.yaml

@@ -29,6 +29,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Get Golang version
         id: vars
         run: |

.github/workflows/e2e-tests.yaml

@@ -82,6 +82,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Check out code
+        with:
+          persist-credentials: false
       - name: Download values override file
         if: ${{ inputs.use_values_override }}
         uses: actions/download-artifact@v8
@@ -148,6 +150,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Check out code
+        with:
+          persist-credentials: false
       - name: Download values override file
         if: ${{ inputs.use_values_override }}
         uses: actions/download-artifact@v8

.github/workflows/forward-compatibility.yaml

@@ -33,6 +33,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Install regctl
         uses: regclient/actions/regctl-installer@148669fe4b19151fcab6e00c6df2db43b9e2b097

.github/workflows/golang-checks.yaml

@@ -28,6 +28,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Checkout code
+        with:
+          persist-credentials: false
       - name: Get Golang version
         id: vars
         run: |
@@ -63,6 +65,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Get Golang version
         id: vars
         run: |
@@ -89,4 +93,6 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Checkout code
+        with:
+          persist-credentials: false
       - run: make docker-build

.github/workflows/image-builds.yaml

@@ -86,6 +86,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Check out code
+        with:
+          persist-credentials: false
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v4
         with:
@@ -118,6 +120,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Check out code
+        with:
+          persist-credentials: false
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v4
         with:
@@ -146,6 +150,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Check out code
+        with:
+          persist-credentials: false
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v4
         with:
@@ -163,4 +169,3 @@ jobs:
             ${OPERATOR_IMAGE_AMD} \
             ${OPERATOR_IMAGE_ARM}
           docker manifest push ${OPERATOR_MULTIARCH_IMAGE}
-

.github/workflows/publish-helm-oci-chart.yaml

@@ -39,6 +39,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Check out code
+        with:
+          persist-credentials: false
 
       - name: Set up Helm
         uses: azure/setup-helm@v5.0.0

.github/workflows/release-image-list.yaml

@@ -34,6 +34,7 @@ jobs:
         name: Check out code
         with:
           ref: ${{ github.event.release.tag_name }}
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -66,6 +67,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Check out code
+        with:
+          persist-credentials: false
       - name: Download image list artifact
         uses: actions/download-artifact@v8
         with:

.github/workflows/release.yaml

@@ -68,6 +68,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Check out code
+        with:
+          persist-credentials: false
       - name: Install regctl
         uses: regclient/actions/regctl-installer@148669fe4b19151fcab6e00c6df2db43b9e2b097
         with:
@@ -91,6 +93,8 @@ jobs:
     steps:
       - uses: actions/checkout@v6
         name: Check out code
+          with:
+          persist-credentials: false
       - name: Login to GitHub Container Registry
         uses: docker/login-action@v4
         with:

.github/workflows/stale.yaml

@@ -5,12 +5,14 @@ on:
   schedule:
     - cron: "21 4 * * *"
 
+permissions: {}
+
 jobs:
   stale:
     permissions:
-      actions: write
       issues: write
     runs-on: ubuntu-latest
+    timeout-minutes: 10
 
     steps:
       - uses: actions/stale@v10