Merge pull request #3135 from sashashura/patch-2

GitHub Workflows security hardening

.github/workflows/ci.yml

@@ -6,9 +6,16 @@ on:
   pull_request:
     branches: [ master ]
 
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
 
   build:
+    permissions:
+      contents: read  #  to fetch code (actions/checkout)
+      checks: write  #  to create a new check based on the results (shogo82148/actions-goveralls)
+
     name: Build
     runs-on: ubuntu-latest
     steps:

.github/workflows/docs.yml

@@ -5,8 +5,12 @@ on:
     tags:
       - "v*"
 
+permissions: {}
 jobs:
   release_docs:
+    permissions:
+      contents: write  #  for mike to push
+
     name: Release Docs
     runs-on: ubuntu-latest
     steps:

.github/workflows/release-chart.yaml

@@ -7,8 +7,13 @@ on:
     paths:
       - "charts/external-dns/Chart.yaml"
 
+permissions: {}
 jobs:
   release:
+
+    permissions:
+      contents: write  #  to push chart release and create a release (helm/chart-releaser-action)
+
     if: github.repository == 'kubernetes-sigs/external-dns'
     runs-on: ubuntu-latest
     defaults:

.github/workflows/trivy.yml

@@ -1,6 +1,10 @@
 name: trivy vulnerability scanner
 on:
   push:
+
+permissions:
+  contents: read  #  to fetch code (actions/checkout)
+
 jobs:
   build:
     name: Build