chore(ci): harden GitHub Actions workflow permissions (#2370)

phipag · web-flow · commit 61fd80a6c5da · 2026-01-29T12:46:23.000Z
diff --git a/.github/workflows/build-docs.yml b/.github/workflows/build-docs.yml
@@ -23,12 +23,14 @@ on:
 name: Build Latest Docs
 run-name: Build Latest Docs - ${{ inputs.version }}
 
+permissions: {}
+
 jobs:
   docs:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      id-token: write
+      contents: read   # checkout repository
+      id-token: write  # OIDC for AWS credentials
     environment: Docs
     steps:
       - name: Checkout Repository
diff --git a/.github/workflows/check-pmd.yml b/.github/workflows/check-pmd.yml
@@ -18,15 +18,13 @@ on:
 name: PMD
 run-name: PMD - ${{ github.event_name }}
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   pmd_analyse:
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      id-token: write
+      contents: read  # checkout repository
     steps:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -39,4 +37,4 @@ jobs:
       - uses: pmd/pmd-github-action@d9c1f3c5940cbf5923f1354e83fa858b4496ebaa # v2.0.0
         with:
           rulesets: '.github/pmd-ruleset.xml'
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -14,14 +14,15 @@ on:
 name: Release Drafter
 run-name: Release Drafter
 
+permissions: {}
+
 jobs:
   update_release:
     runs-on: ubuntu-latest  
     permissions:
-      contents: write
-      id-token: write
+      contents: write  # required for creating draft releases
     steps:
       - name: Relase Drafter
         uses: release-drafter/release-drafter@6db134d15f3909ccc9eefd369f02bd1e9cffdf97
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -55,8 +55,7 @@ on:
 name: Release
 run-name: Release – ${{ inputs.version }}
 
-permissions:
-  contents: read
+permissions: {}
 
 env:
   RELEASE_COMMIT: ${{ github.sha }}
@@ -98,6 +97,8 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - setup
+    permissions:
+      contents: read  # checkout repository
     outputs:
       source_hash: ${{ steps.upload_source.outputs.artifact-digest }}
     steps:
@@ -128,8 +129,7 @@ jobs:
       - version_seal
     if: ${{ inputs.skip_checks == false }}
     permissions:
-      contents: write
-      id-token: write
+      contents: read  # checkout and run tests
     steps:
       - id: download_source
         name: Download artifacts
@@ -162,6 +162,8 @@ jobs:
       - quality
       - version_seal
     if: ${{ always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
+    permissions:
+      contents: read  # download artifacts
     strategy:
       matrix:
         java: ${{ fromJson(needs.setup.outputs.build_matrix) }}
@@ -187,6 +189,8 @@ jobs:
     if: ${{ github.repository == 'aws-powertools/powertools-lambda-java' && inputs.skip_publish == false && always() && !contains(needs.*.result, 'failure') && !contains(needs.*.result, 'cancelled') }}
     needs:
       - build
+    permissions:
+      contents: read  # download artifacts
     environment: Release
     steps:
       - id: download_source
@@ -219,8 +223,8 @@ jobs:
       - build
       - publish
     permissions:
-      pull-requests: write
-      contents: write
+      contents: write      # create tag and branch
+      pull-requests: write # create PR
     steps:
       - id: checkout
         name: Checkout repository
@@ -266,8 +270,8 @@ jobs:
     needs:
       - create_pr
     permissions:
-      contents: read
-      id-token: write
+      contents: read   # checkout repository
+      id-token: write  # OIDC for AWS credentials
     environment: Docs
     steps:
       - id: checkout
diff --git a/.github/workflows/security-dependencies-check.yml b/.github/workflows/security-dependencies-check.yml
@@ -13,15 +13,14 @@ on:
 name: Verify Dependencies
 run-name: Verify Dependencies – ${{ github.event_name }}
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   verify:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      pull-requests: write
+      contents: read       # checkout repository and read dependency snapshots
+      pull-requests: write # post review comments
     steps:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/security-scorecard.yml b/.github/workflows/security-scorecard.yml
@@ -23,16 +23,17 @@ on:
 name: OpenSSF Scorecard
 run-name: OpenSSF Scorecard
 
-permissions: read-all
+permissions: {}
 
 jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     environment: Security
     permissions:
-      security-events: write  
-      id-token: write
+      contents: read        # checkout repository
+      security-events: write  # upload SARIF results
+      id-token: write       # OIDC authentication
     steps:
       - name: Checkout Repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProduct.java b/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProduct.java
diff --git a/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOrBuilder.java b/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOrBuilder.java
diff --git a/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOuterClass.java b/examples/powertools-examples-kafka/src/main/java/org/demo/kafka/protobuf/ProtobufProductOuterClass.java
