[ADMINAPI-993] Token Permissions Fixes (#121)

* [ADMINAPI-993] Incorporate OSSF scorecard * [ADMINAPI-993] Add workflow permissions, Fix token * [ADMINAPI-993] Adding dependabot file
Ed-Fi-Alliance-OSS · May 2, 2024 · fd7cbfe · fd7cbfe
1 parent 819c869
commit fd7cbfe
Show file tree

Hide file tree

Showing 7 changed files with 24 additions and 0 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: Apache-2.0
+# Licensed to the Ed-Fi Alliance under one or more agreements.
+# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+# See the LICENSE and NOTICES files in the project root for more information.
+
+version: 2
+updates:
+  - package-ecosystem: nuget
+    directory: Application/
+    target-branch: main
+    schedule:
+      interval: weekly
diff --git a/.github/workflows/api-e2e.yml b/.github/workflows/api-e2e.yml
@@ -25,6 +25,8 @@ env:
   FOLDER_NAME: "API Automation Run"
   RESULTS_FILE: "test-results"
 
+permissions: read-all
+
 jobs:
   run-e2e-tests:
     defaults:

diff --git a/.github/workflows/on-merge-or-tag.yml b/.github/workflows/on-merge-or-tag.yml
@@ -15,6 +15,8 @@ env:
   API_URL: https://api.github.com/repos/${{ github.repository }}
   TOKEN: ${{ secrets.EDFI_BUILD_AGENT_PAT }}
 
+permissions: read-all
+
 jobs:
   create-pre-releases:
     name: Create Pre-Releases

diff --git a/.github/workflows/on-prerelease.yml b/.github/workflows/on-prerelease.yml
@@ -21,6 +21,8 @@ env:
   DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
   REF: ${{ github.ref_name }}
 
+permissions: read-all
+
 jobs:
   pack:
     name: Build and Pack

diff --git a/.github/workflows/on-pullrequest-dockerfile.yml b/.github/workflows/on-pullrequest-dockerfile.yml
@@ -21,6 +21,8 @@ env:
   DOCKER_USERNAME: ${{ vars.DOCKER_USERNAME }}
   DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
 
+permissions: read-all
+
 jobs:
   docker-analysis:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/on-pullrequest.yml b/.github/workflows/on-pullrequest.yml
@@ -21,6 +21,8 @@ on:
       - ".github/**/*.yml"
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   # TODO: restore this with AA-1601
   # run-ps-lint:

diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
@@ -15,6 +15,8 @@ env:
   RELEASE_VIEW_ID: "53acfbeb-77f2-4ef6-8596-dc19e5802775" #Release
   ARTIFACTS_USERNAME: ${{ secrets.AZURE_ARTIFACTS_USER_NAME }}
 
+permissions: read-all
+
 jobs:
   delete-pre-releases:
     name: Delete Unnecessary Pre-Releases