From cbc9fb31a2d822f53f048edaf35603dc78ee6498 Mon Sep 17 00:00:00 2001 From: Jonas Israel Date: Tue, 26 May 2026 14:22:05 +0200 Subject: [PATCH] chore: Set permissions for GH workflows explicitly --- .github/workflows/blackduck.yaml | 6 ++++++ .github/workflows/continuous-integration.yaml | 21 +++++++++++++++++++ .github/workflows/dependabot-automerge.yaml | 2 ++ .github/workflows/deploy-snapshot.yaml | 2 ++ .github/workflows/fosstars-report.yml | 2 ++ .github/workflows/javadoc.yaml | 2 ++ .github/workflows/prepare-release.yaml | 8 +++++++ .github/workflows/reuse.yaml | 2 ++ 8 files changed, 45 insertions(+) diff --git a/.github/workflows/blackduck.yaml b/.github/workflows/blackduck.yaml index 7481568db..441bd592e 100644 --- a/.github/workflows/blackduck.yaml +++ b/.github/workflows/blackduck.yaml @@ -5,10 +5,14 @@ on: schedule: - cron: 0 23 * * * +permissions: {} + jobs: scan: name: "Blackduck Scan" runs-on: ubuntu-latest + permissions: + contents: read timeout-minutes: 15 steps: - uses: actions/checkout@v6 @@ -19,6 +23,8 @@ jobs: notify-job: runs-on: ubuntu-latest + permissions: + contents: read needs: [ scan ] if: ${{ failure() && github.ref == 'refs/heads/main' }} steps: diff --git a/.github/workflows/continuous-integration.yaml b/.github/workflows/continuous-integration.yaml index 9337ad275..33be3b4f3 100644 --- a/.github/workflows/continuous-integration.yaml +++ b/.github/workflows/continuous-integration.yaml @@ -50,12 +50,16 @@ env: MVN_SINGLE_THREADED_ARGS: --batch-mode --no-transfer-progress --fail-at-end --show-version --threads 1 MVN_SKIP_CI_PLUGINS: -DskipFormatting -Denforcer.skip -Djacoco.skip -Dmdep.analyze.skip +permissions: {} + jobs: context: name: "Collect Context" outputs: commit: ${{ steps.calculate-commit-sha.outputs.COMMIT }} runs-on: ubuntu-latest + permissions: + contents: read steps: - name: "Calculate Commit SHA" id: calculate-commit-sha 
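Review bot: The `contents: read` grant on notify-job in the second blackduck.yaml hunk is only needed if that job checks out the repository, and its steps begin after the hunk so that cannot be confirmed here. If it merely posts a failure notification, dropping the job-level block so the job inherits the workflow-level `permissions: {}` added in the first hunk would leave it with no token at all, which is the tighter choice. The scan job's grant looks right given the checkout step that follows it.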
@@ -79,6 +83,8 @@ jobs: name: "Check Formatting" needs: [ context ] runs-on: ubuntu-latest + permissions: + contents: read steps: - name: "Checkout Repository" uses: actions/checkout@v6 @@ -106,6 +112,8 @@ jobs: name: "Build" needs: [ context, check-formatting ] runs-on: ubuntu-latest + permissions: + contents: read # upload-artifacts does not use github-token steps: - name: "Checkout repository" uses: actions/checkout@v6 @@ -160,6 +168,8 @@ jobs: name: "Test" needs: [ context, build ] runs-on: ubuntu-latest + permissions: + contents: read steps: - name: "Checkout repository" uses: actions/checkout@v6 @@ -202,6 +212,8 @@ jobs: static-code-analysis: needs: [ context, build ] runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: task: @@ -262,6 +274,9 @@ jobs: name: "Run CodeQL Analysis" needs: [ context ] runs-on: ubuntu-latest + permissions: + contents: read + security-events: write # needed for Perform CodeQL Analysis steps: - name: "Checkout repository" uses: actions/checkout@v6 @@ -301,6 +316,8 @@ jobs: test-archetypes: runs-on: ubuntu-latest needs: [ context, build ] + permissions: + contents: read strategy: matrix: task: @@ -396,6 +413,8 @@ jobs: if: ${{ github.event.inputs.run-blackduck-scan == 'true' }} needs: [ context ] runs-on: ubuntu-latest + permissions: + contents: read steps: - name: "Checkout repository" uses: actions/checkout@v6 @@ -412,6 +431,8 @@ jobs: if: ${{ github.event.inputs.run-security-rating == 'true' }} needs: [ context ] runs-on: ubuntu-latest + permissions: + contents: write # needed for Run FOSStars Rating steps: - name: "Checkout repository" uses: actions/checkout@v6 diff --git a/.github/workflows/dependabot-automerge.yaml b/.github/workflows/dependabot-automerge.yaml index 7b877725c..a7965c263 100644 --- a/.github/workflows/dependabot-automerge.yaml +++ b/.github/workflows/dependabot-automerge.yaml 
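Review bot: The CodeQL job's grant of `contents: read` plus `security-events: write` is sufficient for a public repository, but the codeql-action also documents `actions: read` as required in private repositories and `packages: read` when private CodeQL packs are fetched; if this workflow ever runs in a private fork or mirror, those scopes would be missing and the analysis upload can fail in a way that looks unrelated to permissions. If that case matters, add `actions: read # private repositories only` next to the existing two lines. The job's steps continue past the hunk, so I cannot tell whether packs are involved.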
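Review bot: The `contents: write # needed for Run FOSStars Rating` grant in the security-rating job hands a write-capable default token to a job whose remaining steps lie outside the hunk, and because `actions/checkout` persists credentials by default, every later step in that job can push with it; the same grant appears in the fosstars-report.yml hunk. Since fosstars-report.yml already exists to publish the rating, consider whether the CI copy needs to push at all — if it only renders the report for a workflow_dispatch run, `contents: read` would do. Where the write grant stays, the third-party action receiving the token (referenced as `SAP/fosstars-rating-core-action@v1.14.0` in fosstars-report.yml) would be better pinned to a full commit SHA than to a version tag, since a moved tag now comes with push rights.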
@@ -14,6 +14,8 @@ env: jobs: review-prs: runs-on: ubuntu-latest + permissions: + contents: read # all write operations use app token steps: - name: Checkout uses: actions/checkout@v6 diff --git a/.github/workflows/deploy-snapshot.yaml b/.github/workflows/deploy-snapshot.yaml index 454d5a51b..23563737c 100644 --- a/.github/workflows/deploy-snapshot.yaml +++ b/.github/workflows/deploy-snapshot.yaml @@ -9,6 +9,8 @@ jobs: deploy-snapshot: name: Deploy Snapshot runs-on: ubuntu-latest + permissions: + contents: read steps: - name: "Checkout Repository" uses: actions/checkout@v6 diff --git a/.github/workflows/fosstars-report.yml b/.github/workflows/fosstars-report.yml index db6fa5aef..0dd3fe0fc 100644 --- a/.github/workflows/fosstars-report.yml +++ b/.github/workflows/fosstars-report.yml @@ -8,6 +8,8 @@ jobs: create_fosstars_report: runs-on: ubuntu-latest name: "Security rating" + permissions: + contents: write # needed to push to branch steps: - uses: actions/checkout@v6 - uses: SAP/fosstars-rating-core-action@v1.14.0 diff --git a/.github/workflows/javadoc.yaml b/.github/workflows/javadoc.yaml index 59d03bc6a..199ba9979 100644 --- a/.github/workflows/javadoc.yaml +++ b/.github/workflows/javadoc.yaml @@ -17,6 +17,8 @@ jobs: build: name: 'JavaDoc to Documentation Portal' runs-on: ubuntu-latest + permissions: + contents: read # all write operations use app token steps: - name: 'Prepare git' diff --git a/.github/workflows/prepare-release.yaml b/.github/workflows/prepare-release.yaml index ba7137f19..a23533448 100644 --- a/.github/workflows/prepare-release.yaml +++ b/.github/workflows/prepare-release.yaml @@ -18,6 +18,8 @@ env: JAVA_VERSION: 17 DOCS_REPO: SAP/cloud-sdk +permissions: {} + jobs: bump-version: name: 'Bump Version' 
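Review bot: This workflow receives only the job-level grant and no workflow-level `permissions: {}` like the one added to blackduck.yaml, continuous-integration.yaml and prepare-release.yaml; the same holds for the deploy-snapshot.yaml, fosstars-report.yml, javadoc.yaml and reuse.yaml hunks, each of which shows exactly the two inserted lines the diffstat reports. The effective token is the same today, but a job added later without its own `permissions:` block would fall back to the repository default instead of to nothing. Adding `permissions: {}` at the top of each of these five files makes "no token" the default for future jobs, consistent with the other three workflows. This assumes no such block already exists above the hunk, which is outside this view.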
@@ -29,6 +31,8 @@ jobs: release-commit: ${{ steps.prepare-release.outputs.RELEASE_COMMIT_ID }} release-tag: ${{ steps.prepare-release.outputs.TAG_NAME }} runs-on: ubuntu-latest + permissions: + contents: write # needed for git push steps: - name: 'Checkout Repository' uses: actions/checkout@v6 @@ -180,6 +184,8 @@ jobs: outputs: pr-url: ${{ steps.create-release-notes-pr.outputs.PR_URL }} runs-on: ubuntu-latest + permissions: + contents: read # all write operations use app token steps: - name: 'Create GitHub App Token' id: app-token @@ -269,6 +275,8 @@ jobs: outputs: pr-url: ${{ steps.create-code-pr.outputs.PR_URL }} runs-on: ubuntu-latest + permissions: + contents: read # all write operations use app token steps: - name: 'Create GitHub App Token' id: app-token diff --git a/.github/workflows/reuse.yaml b/.github/workflows/reuse.yaml index a3c797f4c..24bad79c9 100644 --- a/.github/workflows/reuse.yaml +++ b/.github/workflows/reuse.yaml @@ -11,6 +11,8 @@ on: jobs: test: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v6 - name: REUSE Compliance Check
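Review bot: The bump-version job keeps `contents: write # needed for git push` on the default GITHUB_TOKEN, while the release-notes and code-pr jobs in the next two hunks route their writes through a GitHub App token and stay at `contents: read`. Performing the push with the same app token would let this job drop to read as well, leaving the workflow with a single write path; it would also avoid the documented behavior that pushes made with GITHUB_TOKEN do not trigger other workflow runs, if anything downstream is expected to react to the release commit or tag. Whether the job already creates an app token cannot be seen here, since its steps start after the hunk.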