spiffe · amartinezfayo · Jan 12, 2023 · Dec 20, 2022 · Dec 20, 2022 · Dec 22, 2022
diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml
@@ -1,12 +1,13 @@
 name: 'Dependency Review'
 on: [pull_request]
 
-permissions:
-  contents: read
-
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@v3

@@ -4,19 +4,29 @@ on:
     # Random minute number to avoid GH scheduler stampede
     - cron: '37 21 * * *'
   workflow_dispatch: {}
-permissions:
-  contents: read
-  packages: write
 
 env:
   NIGHTLY: true
 
 jobs:
   build-and-publish-images:
     runs-on: ubuntu-20.04
+
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    env:
+      COSIGN_EXPERIMENTAL: 1
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-        uses: actions/checkout@v3
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+      - name: Install cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: v1.13.1
       - name: Build images
         run: make images scratch-images
       - name: Log in to GCR

diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml
@@ -11,6 +11,10 @@ jobs:
   cache-deps:
     name: cache-deps (linux)
     runs-on: ubuntu-20.04
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -30,6 +34,10 @@ jobs:
     name: lint (linux)
     runs-on: ubuntu-20.04
     needs: cache-deps
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -64,6 +72,10 @@ jobs:
         OS: [ubuntu-20.04, macos-latest]
     runs-on: ${{ matrix.OS }}
     needs: cache-deps
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -83,6 +95,10 @@ jobs:
     name: unit-test (linux with race detection)
     runs-on: ubuntu-20.04
     needs: cache-deps
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -102,6 +118,10 @@ jobs:
     name: artifacts (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps]
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -133,6 +153,10 @@ jobs:
     name: images (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps]
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -166,6 +190,10 @@ jobs:
     name: images (windows)
     runs-on: windows-2022
     needs: artifact-windows
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -189,6 +217,10 @@ jobs:
   scratch-images:
     runs-on: ubuntu-20.04
     needs: [cache-deps]
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -222,6 +254,10 @@ jobs:
     name: integration (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps, images, scratch-images]
+
+    permissions:
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
@@ -278,6 +314,10 @@ jobs:
     name: integration (windows)
     runs-on: windows-2022
     needs: images-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}
@@ -325,6 +365,10 @@ jobs:
   cache-deps-windows:
     name: cache-deps (windows)
     runs-on: windows-2022
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -344,6 +388,10 @@ jobs:
     name: lint (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}
@@ -387,6 +435,10 @@ jobs:
     name: unit-test (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}
@@ -419,6 +471,10 @@ jobs:
     name: artifact (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}

@@ -9,6 +9,10 @@ jobs:
   cache-deps:
     name: cache-deps (linux)
     runs-on: ubuntu-20.04
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -28,6 +32,10 @@ jobs:
     name: lint (linux)
     runs-on: ubuntu-20.04
     needs: cache-deps
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -62,6 +70,10 @@ jobs:
         OS: [ubuntu-20.04, macos-latest]
     runs-on: ${{ matrix.OS }}
     needs: cache-deps
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -81,6 +93,10 @@ jobs:
     name: unit-test (linux with race detection)
     runs-on: ubuntu-20.04
     needs: cache-deps
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -100,6 +116,10 @@ jobs:
     name: artifacts (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps]
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -131,6 +151,10 @@ jobs:
     name: images (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps]
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -164,6 +188,10 @@ jobs:
     name: images (windows)
     runs-on: windows-2022
     needs: artifact-windows
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -187,6 +215,10 @@ jobs:
   scratch-images:
     runs-on: ubuntu-20.04
     needs: [cache-deps]
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -220,6 +252,10 @@ jobs:
     name: integration (linux)
     runs-on: ubuntu-20.04
     needs: [cache-deps, images, scratch-images]
+
+    permissions:
+      contents: read
+
     strategy:
       fail-fast: false
       matrix:
@@ -287,6 +323,10 @@ jobs:
     name: integration (windows)
     runs-on: windows-2022
     needs: images-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}
@@ -334,6 +374,10 @@ jobs:
   cache-deps-windows:
     name: cache-deps (windows)
     runs-on: windows-2022
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -353,6 +397,10 @@ jobs:
     name: lint (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}
@@ -396,6 +444,10 @@ jobs:
     name: unit-test (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}
@@ -428,6 +480,10 @@ jobs:
     name: artifact (windows)
     runs-on: windows-2022
     needs: cache-deps-windows
+
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: msys2 {0}
@@ -478,6 +534,10 @@ jobs:
     runs-on: ubuntu-20.04
     needs: [lint, unit-test, unit-test-race-detector, artifacts, integration,
             lint-windows, unit-test-windows, artifact-windows, integration-windows]
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -501,9 +561,22 @@ jobs:
   publish-images:
     runs-on: ubuntu-20.04
     needs: [lint, unit-test, unit-test-race-detector, artifacts, integration]
+
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
+
+    env:
+      COSIGN_EXPERIMENTAL: 1
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3
+      - name: Install cosign
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: v1.13.1
       - name: Download archived images
         uses: actions/download-artifact@v3
         with: