From f9a61e32f90a3d7dcb49c84128c3da3a17ff8bcd Mon Sep 17 00:00:00 2001 From: eskwor Date: Wed, 25 Mar 2026 08:24:58 +0100 Subject: [PATCH 01/25] Hardening GITHUB_TOKEN permissions --- .github/workflows/ci-docker-build-publish-image.yml | 4 ++++ .github/workflows/ci-quarkus-build-publish-image.yml | 4 ++++ .github/workflows/ci-spring-boot-build-publish-image.yml | 4 ++++ 3 files changed, 12 insertions(+) diff --git a/.github/workflows/ci-docker-build-publish-image.yml b/.github/workflows/ci-docker-build-publish-image.yml index e1cb28b1..45dda8bb 100644 --- a/.github/workflows/ci-docker-build-publish-image.yml +++ b/.github/workflows/ci-docker-build-publish-image.yml @@ -1,4 +1,8 @@ name: Build/publish Docker image +permissions: + contents: write + id-token: write + packages: read on: workflow_call: diff --git a/.github/workflows/ci-quarkus-build-publish-image.yml b/.github/workflows/ci-quarkus-build-publish-image.yml index 1f7dea59..fa8faeaa 100644 --- a/.github/workflows/ci-quarkus-build-publish-image.yml +++ b/.github/workflows/ci-quarkus-build-publish-image.yml @@ -1,4 +1,8 @@ name: Build/publish Docker image +permissions: + contents: write + id-token: write + packages: read on: workflow_call: diff --git a/.github/workflows/ci-spring-boot-build-publish-image.yml b/.github/workflows/ci-spring-boot-build-publish-image.yml index 4bbb8b6b..853fb8aa 100644 --- a/.github/workflows/ci-spring-boot-build-publish-image.yml +++ b/.github/workflows/ci-spring-boot-build-publish-image.yml @@ -1,4 +1,8 @@ name: Build and publish Docker image +permissions: + contents: write + id-token: write + packages: read on: workflow_call: From 424aee6d4ed538e9075fa9fa137ccfecaf2dfce1 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Wed, 25 Mar 2026 09:56:18 +0100 Subject: [PATCH 02/25] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b26434eb..2c315e21 100644 --- a/README.md +++ b/README.md 
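Review bot: The workflow-level `permissions` block added at the top of ci-docker-build-publish-image.yml grants `contents: write` and `id-token: write` to every job in that file, not only to the job that builds, pushes and signs the image, so the hardening is coarser than it could be. The tighter shape is `permissions: {}` at workflow level with the write scopes declared on the publishing job alone, which also keeps summary or notification jobs (the spring-boot file has `inputs-to-summary` and `notify-on-errors`) at zero scopes. The same block is added to ci-quarkus-build-publish-image.yml and ci-spring-boot-build-publish-image.yml in this patch; later patches in the series rework those two files job by job but leave the docker workflow at this workflow-wide grant. A one-line comment above the block naming the step that needs `contents: write` would also help, since checkout and keyless signing need only `contents: read` and `id-token: write`.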
@@ -1,5 +1,6 @@ # github-workflows + ## Spring boot application workflows Build application on PR creation: [ci-maven-build.yml](.github/workflows/ci-maven-build.yml) From 4e0c6517b3f5431a4a41876d2a06ae8690ff1b65 Mon Sep 17 00:00:00 2001 From: eskwor Date: Wed, 25 Mar 2026 16:01:44 +0100 Subject: [PATCH 03/25] Test --- .github/workflows/ci-spring-boot-build-publish-image.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-spring-boot-build-publish-image.yml b/.github/workflows/ci-spring-boot-build-publish-image.yml index 853fb8aa..468ac5f0 100644 --- a/.github/workflows/ci-spring-boot-build-publish-image.yml +++ b/.github/workflows/ci-spring-boot-build-publish-image.yml @@ -1,8 +1,5 @@ name: Build and publish Docker image -permissions: - contents: write - id-token: write - packages: read +permissions: {} on: workflow_call: @@ -133,6 +130,7 @@ on: jobs: inputs-to-summary: + permissions: {} runs-on: ubuntu-latest steps: - name: "Write inputs to summary" @@ -325,6 +323,7 @@ jobs: image: ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }} notify-on-errors: + permissions: {} runs-on: ubuntu-latest needs: [build-publish-image] if: always() && contains(needs.*.result, 'failure') From 02a38b3848d5fa21e1cd044f8437e7db691e8545 Mon Sep 17 00:00:00 2001 From: eskwor Date: Wed, 25 Mar 2026 16:22:20 +0100 Subject: [PATCH 04/25] Test --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 2c315e21..b26434eb 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,5 @@ # github-workflows - ## Spring boot application workflows Build application on PR creation: [ci-maven-build.yml](.github/workflows/ci-maven-build.yml) From 552a9072aa4ae23f3cdce772634e30c4a2afda51 Mon Sep 17 00:00:00 2001 
From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Wed, 25 Mar 2026 16:30:02 +0100 Subject: [PATCH 05/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index d4e45eb2..0b4e143a 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -179,7 +179,7 @@ jobs: run-spring-boot-build: needs: input-checks if: inputs.application-type == 'spring-boot' - uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-build-publish-image.yml@main + uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-build-publish-image.yml@hardening-gh-token-permissions with: image-name: ${{ inputs.image-name }} image-pack: ${{ inputs.image-pack }} From a052abd91685cd455cc4abb55dd070d21c1a90b9 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Wed, 25 Mar 2026 19:19:41 +0100 Subject: [PATCH 06/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index 0b4e143a..93cc8f36 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -1,4 +1,5 @@ name: Build and publish Docker image +permissions: {} on: workflow_call: From 12ce672870168ace667515f7fa625f38c91d475d Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Wed, 25 Mar 2026 19:24:15 +0100 Subject: [PATCH 07/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
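Review bot: The `uses:` reference for run-spring-boot-build now points at the `hardening-gh-token-permissions` branch instead of `main`; that is reasonable for testing the series, but it must be switched back before merge, otherwise every consumer of ci-build-publish-image.yml resolves the reusable workflow on a feature branch that disappears once it is merged. Patch 15 makes the same change to the run-quarkus-build and run-docker-build references, so all three need the revert. If the references are being touched anyway, a tag or full commit SHA would be a more stable pin than a branch name, since branch refs move silently.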
diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index 93cc8f36..62bc2278 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -1,5 +1,8 @@ name: Build and publish Docker image -permissions: {} +permissions: + contents: write + packages: write + id-token: write on: workflow_call: From 5d72dfb5c56d56872c386b4c6a3ce80c8f99f6f4 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Wed, 25 Mar 2026 19:31:53 +0100 Subject: [PATCH 08/25] Update ci-spring-boot-build-publish-image.yml --- .github/workflows/ci-spring-boot-build-publish-image.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/.github/workflows/ci-spring-boot-build-publish-image.yml b/.github/workflows/ci-spring-boot-build-publish-image.yml index 468ac5f0..af3af059 100644 --- a/.github/workflows/ci-spring-boot-build-publish-image.yml +++ b/.github/workflows/ci-spring-boot-build-publish-image.yml @@ -140,16 +140,11 @@ jobs: title: "Inputs" build-publish-image: + permissions: {} runs-on: ubuntu-latest outputs: image-tag: ${{ steps.set-image-tag.outputs.image-tag }} image-digest: ${{ steps.set-image-digest.outputs.image-digest }} - - permissions: - id-token: write - contents: write - packages: write - steps: - name: Set image tag id: set-image-tag From 6eadb2e6c3340710f6951c60889c488fe826fd8a Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Wed, 25 Mar 2026 21:09:23 +0100 Subject: [PATCH 09/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index 62bc2278..0b4e143a 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml 
@@ -1,8 +1,4 @@ name: Build and publish Docker image -permissions: - contents: write - packages: write - id-token: write on: workflow_call: From 12fd4ee27615dd2ff800e2dcb29799b9ac8c4969 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Wed, 25 Mar 2026 21:10:28 +0100 Subject: [PATCH 10/25] Update ci-spring-boot-build-publish-image.yml --- .github/workflows/ci-spring-boot-build-publish-image.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-spring-boot-build-publish-image.yml b/.github/workflows/ci-spring-boot-build-publish-image.yml index af3af059..be66c7d4 100644 --- a/.github/workflows/ci-spring-boot-build-publish-image.yml +++ b/.github/workflows/ci-spring-boot-build-publish-image.yml @@ -140,7 +140,10 @@ jobs: title: "Inputs" build-publish-image: - permissions: {} + permissions: + contents: write + packages: write + id-token: write runs-on: ubuntu-latest outputs: image-tag: ${{ steps.set-image-tag.outputs.image-tag }} From 0c945a6f2dc7ed40405650396a754fb9d1b702fc Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 11:38:39 +0100 Subject: [PATCH 11/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index 0b4e143a..93cc8f36 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -1,4 +1,5 @@ name: Build and publish Docker image +permissions: {} on: workflow_call: From 6c9fb9bdc9a4d8fedead8c434645fae6ae8901be Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 11:45:38 +0100 Subject: [PATCH 12/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index 93cc8f36..f8c96869 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -176,8 +176,11 @@ jobs: else echo "Invalid lifecycle type. Supported types are: \`deployment\`, and \`development\`" >> "$GITHUB_STEP_SUMMARY" fi - run-spring-boot-build: + permissions: + contents: write + packages: write + id-token: write needs: input-checks if: inputs.application-type == 'spring-boot' uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-build-publish-image.yml@hardening-gh-token-permissions From 447500df948d538b975c373b1cceb41f519aae44 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 11:50:46 +0100 Subject: [PATCH 13/25] Update ci-spring-boot-build-publish-image.yml --- .github/workflows/ci-spring-boot-build-publish-image.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci-spring-boot-build-publish-image.yml b/.github/workflows/ci-spring-boot-build-publish-image.yml index be66c7d4..f8140731 100644 --- a/.github/workflows/ci-spring-boot-build-publish-image.yml +++ b/.github/workflows/ci-spring-boot-build-publish-image.yml @@ -140,10 +140,6 @@ jobs: title: "Inputs" build-publish-image: - permissions: - contents: write - packages: write - id-token: write runs-on: ubuntu-latest outputs: image-tag: ${{ steps.set-image-tag.outputs.image-tag }} From eb9ec055af3385b2319a26a5ba2b7de5b36ba569 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 11:54:19 +0100 Subject: [PATCH 14/25] Update ci-quarkus-build-publish-image.yml --- .github/workflows/ci-quarkus-build-publish-image.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci-quarkus-build-publish-image.yml b/.github/workflows/ci-quarkus-build-publish-image.yml index fa8faeaa..bda66862 100644 
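Review bot: Besides adding the `permissions` block, the hunk deletes the blank line that separated `input-checks` from `run-spring-boot-build`, which looks accidental and is unrelated to the permissions change; the other job boundaries in this file appear to keep their separator line, so this one should be restored. The `permissions` block itself is removed again in patch 15, leaving the lost blank line as the only lasting effect of this commit.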
--- a/.github/workflows/ci-quarkus-build-publish-image.yml +++ b/.github/workflows/ci-quarkus-build-publish-image.yml @@ -116,6 +116,10 @@ jobs: title: "Inputs" build-publish-image: + permissions: + id-token: write + contents: write + packages: write runs-on: ubuntu-latest env: From 7cc4c30c9964cb3e79b880483d5e80854341e786 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 12:01:03 +0100 Subject: [PATCH 15/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index f8c96869..c19f8b39 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -177,10 +177,6 @@ jobs: echo "Invalid lifecycle type. Supported types are: \`deployment\`, and \`development\`" >> "$GITHUB_STEP_SUMMARY" fi run-spring-boot-build: - permissions: - contents: write - packages: write - id-token: write needs: input-checks if: inputs.application-type == 'spring-boot' uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-build-publish-image.yml@hardening-gh-token-permissions @@ -214,7 +210,7 @@ jobs: run-quarkus-build: needs: input-checks if: inputs.application-type == 'quarkus' - uses: felleslosninger/github-workflows/.github/workflows/ci-quarkus-build-publish-image.yml@main + uses: felleslosninger/github-workflows/.github/workflows/ci-quarkus-build-publish-image.yml@hardening-gh-token-permissions with: image-name: ${{ inputs.image-name }} image-pack: ${{ inputs.image-pack }} 
@@ -239,7 +235,7 @@ jobs: run-docker-build: needs: input-checks if: inputs.application-type == 'docker' - uses: felleslosninger/github-workflows/.github/workflows/ci-docker-build-publish-image.yml@main + uses: felleslosninger/github-workflows/.github/workflows/ci-docker-build-publish-image.yml@hardening-gh-token-permissions with: image-name: ${{ inputs.image-name }} image-signing: ${{ inputs.image-signing }} From 4e9e6b3030ded7903f3c1c8d65dee6ee62a6c55b Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 12:03:52 +0100 Subject: [PATCH 16/25] Update ci-quarkus-build-publish-image.yml --- .github/workflows/ci-quarkus-build-publish-image.yml | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci-quarkus-build-publish-image.yml b/.github/workflows/ci-quarkus-build-publish-image.yml index bda66862..75248120 100644 --- a/.github/workflows/ci-quarkus-build-publish-image.yml +++ b/.github/workflows/ci-quarkus-build-publish-image.yml @@ -1,8 +1,5 @@ name: Build/publish Docker image -permissions: - contents: write - id-token: write - packages: read +permissions: {} on: workflow_call: @@ -119,7 +116,7 @@ jobs: permissions: id-token: write contents: write - packages: write + runs-on: ubuntu-latest env: From fb302444bd6f4677ba35c18589592ea24f65a027 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 12:07:31 +0100 Subject: [PATCH 17/25] Update ci-quarkus-build-publish-image.yml --- .github/workflows/ci-quarkus-build-publish-image.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci-quarkus-build-publish-image.yml b/.github/workflows/ci-quarkus-build-publish-image.yml index 75248120..d0007bb2 100644 --- a/.github/workflows/ci-quarkus-build-publish-image.yml +++ b/.github/workflows/ci-quarkus-build-publish-image.yml 
@@ -127,10 +127,6 @@ jobs: imagetag: ${{ steps.output-image-tag.outputs.imagetag }} imagedigest: ${{ steps.output-image-digest.outputs.imagedigest }} - permissions: - id-token: write - contents: write - steps: - name: Set imagetag as env variable run: echo "IMAGETAG=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_ENV" From 67f63d5243bbdcaac127fec23c7329526730101c Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 12:16:20 +0100 Subject: [PATCH 18/25] Update ci-quarkus-build-publish-image.yml --- .github/workflows/ci-quarkus-build-publish-image.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci-quarkus-build-publish-image.yml b/.github/workflows/ci-quarkus-build-publish-image.yml index d0007bb2..05345775 100644 --- a/.github/workflows/ci-quarkus-build-publish-image.yml +++ b/.github/workflows/ci-quarkus-build-publish-image.yml @@ -1,5 +1,4 @@ name: Build/publish Docker image -permissions: {} on: workflow_call: @@ -113,9 +112,6 @@ jobs: title: "Inputs" build-publish-image: - permissions: - id-token: write - contents: write runs-on: ubuntu-latest From c4e129d39bb04325e3b51271a76fb5fb5a849adb Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 12:17:43 +0100 Subject: [PATCH 19/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index c19f8b39..97b5133f 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -208,6 +208,9 @@ jobs: secrets: inherit run-quarkus-build: + permissions: + id-token: write + contents: write needs: input-checks if: inputs.application-type == 'quarkus' uses: felleslosninger/github-workflows/.github/workflows/ci-quarkus-build-publish-image.yml@hardening-gh-token-permissions 
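Review bot: Removing `permissions: {}` from the top of ci-quarkus-build-publish-image.yml, together with the removal of the job-level block on build-publish-image in the second hunk of this patch, leaves the quarkus workflow with no `permissions` declaration at all, so every job in it — including the job that writes the Inputs summary, judging from the `title: "Inputs"` context — runs with whatever the caller grants (after patch 19, `id-token: write` and `contents: write`). That is the opposite of the shape the spring-boot file ends up with: `permissions: {}` at the top, `permissions: {}` on the helper jobs, write scopes only on build-publish-image. Keeping `permissions: {}` here and declaring `id-token: write` and `contents: write` on build-publish-image only would make the two reusable workflows consistent and confine the write scopes to the job that needs them.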
From 573d441b697d7ff28c76582d0be3aaedc9ece309 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 12:20:40 +0100 Subject: [PATCH 20/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index 97b5133f..e61587ab 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -236,6 +236,9 @@ jobs: secrets: inherit run-docker-build: + permissions: + id-token: write + contents: write needs: input-checks if: inputs.application-type == 'docker' uses: felleslosninger/github-workflows/.github/workflows/ci-docker-build-publish-image.yml@hardening-gh-token-permissions From 76f24e8e71cf18ba01d45ff3859fcc295e8ddf31 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Thu, 26 Mar 2026 12:21:31 +0100 Subject: [PATCH 21/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index e61587ab..45798fb3 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -239,6 +239,7 @@ jobs: permissions: id-token: write contents: write + packages: read needs: input-checks if: inputs.application-type == 'docker' uses: felleslosninger/github-workflows/.github/workflows/ci-docker-build-publish-image.yml@hardening-gh-token-permissions From 7c82aab719b104f263cd1df0c6c29923a035b482 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Fri, 27 Mar 2026 06:19:22 +0100 Subject: [PATCH 22/25] Update ci-spring-boot-build-publish-image.yml --- .github/workflows/ci-spring-boot-build-publish-image.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/ci-spring-boot-build-publish-image.yml b/.github/workflows/ci-spring-boot-build-publish-image.yml index f8140731..af3af059 100644 --- a/.github/workflows/ci-spring-boot-build-publish-image.yml +++ b/.github/workflows/ci-spring-boot-build-publish-image.yml @@ -140,6 +140,7 @@ jobs: title: "Inputs" build-publish-image: + permissions: {} runs-on: ubuntu-latest outputs: image-tag: ${{ steps.set-image-tag.outputs.image-tag }} From 110e675b680d6770c593cc7bfbf3b8f842ceb722 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Fri, 27 Mar 2026 06:21:41 +0100 Subject: [PATCH 23/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index 45798fb3..cafbb819 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -139,6 +139,7 @@ on: jobs: inputs-to-summary: + permissions: {} runs-on: ubuntu-latest steps: - name: "Write inputs to summary" @@ -148,6 +149,7 @@ jobs: title: "Inputs" input-checks: + permissions: {} runs-on: ubuntu-latest outputs: container-registry: ${{ steps.set-container-registry.outputs.container-registry }} @@ -177,6 +179,10 @@ jobs: echo "Invalid lifecycle type. Supported types are: \`deployment\`, and \`development\`" >> "$GITHUB_STEP_SUMMARY" fi run-spring-boot-build: + permissions: + id-token: write + contents: write + packages: write needs: input-checks if: inputs.application-type == 'spring-boot' uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-build-publish-image.yml@hardening-gh-token-permissions From 68e4e4ac340fcd02562e7cea59473dbe30477406 Mon Sep 17 00:00:00 2001 
From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Fri, 27 Mar 2026 08:43:55 +0100 Subject: [PATCH 24/25] Update ci-build-publish-image.yml --- .github/workflows/ci-build-publish-image.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml index cafbb819..3e3f8c9b 100644 --- a/.github/workflows/ci-build-publish-image.yml +++ b/.github/workflows/ci-build-publish-image.yml @@ -179,10 +179,6 @@ jobs: echo "Invalid lifecycle type. Supported types are: \`deployment\`, and \`development\`" >> "$GITHUB_STEP_SUMMARY" fi run-spring-boot-build: - permissions: - id-token: write - contents: write - packages: write needs: input-checks if: inputs.application-type == 'spring-boot' uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-build-publish-image.yml@hardening-gh-token-permissions From a71f9c70dc5607f8c8d53b25a37329c65dde6cf1 Mon Sep 17 00:00:00 2001 From: eskwor <46821259+eskwor@users.noreply.github.com> Date: Fri, 27 Mar 2026 08:44:57 +0100 Subject: [PATCH 25/25] Update ci-spring-boot-build-publish-image.yml --- .github/workflows/ci-spring-boot-build-publish-image.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-spring-boot-build-publish-image.yml b/.github/workflows/ci-spring-boot-build-publish-image.yml index af3af059..200e911b 100644 --- a/.github/workflows/ci-spring-boot-build-publish-image.yml +++ b/.github/workflows/ci-spring-boot-build-publish-image.yml @@ -140,7 +140,10 @@ jobs: title: "Inputs" build-publish-image: - permissions: {} + permissions: + id-token: write + contents: write + packages: write runs-on: ubuntu-latest outputs: image-tag: ${{ steps.set-image-tag.outputs.image-tag }}
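Review bot: Dropping the job-level `permissions` from run-spring-boot-build leaves that job with the caller's workflow-level `permissions: {}`, while its siblings run-quarkus-build and run-docker-build keep explicit grants. A called reusable workflow can only narrow the token scopes the calling job passes in, so the `id-token: write` / `contents: write` / `packages: write` that ci-spring-boot-build-publish-image.yml declares on build-publish-image in patch 25 would, as far as I can tell from GitHub's reusable-workflow rules, be rejected at run time rather than granted. Unless a run of the final series shows otherwise, the block removed here should be restored (`permissions:` with `id-token: write`, `contents: write`, `packages: write`) so the caller grant matches what the callee asks for.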
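Review bot: The restored block on build-publish-image requests `packages: write` alongside `contents: write`, whereas the quarkus equivalent is left with neither and the docker caller passes only `packages: read`, and nothing in the file says which registry or step each scope serves. A short comment above each scope naming the step that needs it (for example `# packages: write — push to <registry, fill in>` and `# contents: write — <step that writes to the repo, fill in>`) would let the next reviewer confirm the least-privilege set and keep the three reusable workflows from drifting further apart. If the registry login uses an OIDC-federated cloud identity and no step writes to the repository, `packages` can be dropped and `contents` reduced to `read`.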