chore: Set explicit workflow permissions

.github/workflows/api-docs.yml

@@ -7,15 +7,26 @@ on:
         description: 'Version to generate docs for'
         required: true
         type: string
+    secrets:
+      NPM_TOKEN_ARTIFACTORY:
+        required: true
+      SAP_CLOUD_SDK_BOT_CLIENT_ID:
+        required: true
+      SAP_CLOUD_SDK_BOT_PRIVATE_KEY:
+        required: true
   workflow_dispatch:
     inputs:
       version:
         description: 'Version to generate docs for'
         required: true
         type: string
 
+permissions: {}
+
 jobs:
   generate-and-push-docs:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main

.github/workflows/auto-dependabot-fix.yml

@@ -3,8 +3,12 @@ name: auto-dependabot-fix
 on:
   pull_request_target: ~
 
+permissions: {}
+
 jobs:
   building:
+    permissions:
+      contents: read
     if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     steps:

.github/workflows/auto-lint.yml

@@ -3,8 +3,12 @@ name: auto-lint-fix
 on:
   pull_request: ~
 
+permissions: {}
+
 jobs:
   linting:
+    permissions:
+      contents: read
     if: github.actor != 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
     runs-on: ubuntu-latest
     steps:

.github/workflows/blackduck.yml

@@ -5,9 +5,13 @@ on:
   schedule:
     - cron: 0 23 * * *
 
+permissions: {}
+
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     timeout-minutes: 15
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main

.github/workflows/build.yml

@@ -20,12 +20,23 @@ on:
         type: boolean
         required: false
         default: false
+    secrets:
+      NPM_TOKEN_ARTIFACTORY:
+        required: false
+      API_HUB_SANDBOX_TOKEN:
+        required: false
+      SLACK_WEBHOOK:
+        required: false
+
+permissions: {}
 
 jobs:
   tests:
     if: inputs.canary-release-skip-checks == false
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -58,6 +69,8 @@ jobs:
   checks:
     if: inputs.canary-release-skip-checks == false
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
@@ -99,6 +112,8 @@ jobs:
   e2e-tests:
     if: inputs.canary-release-skip-checks == false
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
@@ -133,6 +148,8 @@ jobs:
   canary-release-pre-check:
     if: inputs.is-workflow-call && inputs.canary-release-skip-checks == false
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       skip-release: ${{ steps.date-check.outputs.skip-release }}
     needs: [tests, checks, e2e-tests]
@@ -167,6 +184,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [canary-release-pre-check]
     permissions:
+      contents: read
       id-token: write
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
@@ -189,6 +207,8 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/v')
     runs-on: ubuntu-latest
     needs: [tests, checks]
+    permissions:
+      contents: write
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:

.github/workflows/bump.yml

@@ -7,9 +7,13 @@ on:
         description: Mandatory, when bumping a major version. Semver compatible version string (X.Y.Z). Must not be set for patch and minor version releases.
         required: false
 
+permissions: {}
+
 jobs:
   bump:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       version: ${{ steps.bump.outputs.version }}
     steps:
@@ -56,7 +60,12 @@ jobs:
   generate-api-docs:
     name: Generate and Push API Documentation
     needs: [bump]
+    permissions:
+      contents: read
     uses: ./.github/workflows/api-docs.yml
-    secrets: inherit
+    secrets:
+      NPM_TOKEN_ARTIFACTORY: ${{ secrets.NPM_TOKEN_ARTIFACTORY }}
+      SAP_CLOUD_SDK_BOT_CLIENT_ID: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
+      SAP_CLOUD_SDK_BOT_PRIVATE_KEY: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
     with:
       version: v${{ needs.bump.outputs.version }}

.github/workflows/check-pr.yml

@@ -7,9 +7,13 @@ on:
       - edited
       - synchronize
 
+permissions: {}
+
 jobs:
   check-pr:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

.github/workflows/codeql-analysis.yml

@@ -14,10 +14,15 @@ on:
   pull_request: ~
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
 
     strategy:
       fail-fast: false

.github/workflows/downloads.yml

@@ -5,9 +5,13 @@ on:
   schedule:
     - cron: '0 0 * * 1'
 
+permissions: {}
+
 jobs:
   downloads:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:

.github/workflows/fosstars-report.yml

@@ -4,6 +4,8 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
+permissions: {}
+
 jobs:
   create_fosstars_report:
     runs-on: ubuntu-latest

.github/workflows/memory-tests.yml

@@ -5,9 +5,13 @@ on:
   schedule:
     - cron: 0 21 * * *
 
+permissions: {}
+
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:

.github/workflows/release-entry.yml

@@ -19,16 +19,31 @@ on:
         options:
           - 'With Tests and Checks'
           - 'Skip Tests and Checks (Force Release)'
+
+permissions: {}
+
 jobs:
   delegate_to_release_job:
     if: ${{ github.event_name == 'release' }}
+    permissions:
+      contents: read
+      id-token: write
     uses: ./.github/workflows/release.yml
-    secrets: inherit
+    secrets:
+      SAP_CLOUD_SDK_BOT_CLIENT_ID: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }}
+      SAP_CLOUD_SDK_BOT_PRIVATE_KEY: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
 
   delegate_to_canary_job:
     if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }}
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
     uses: ./.github/workflows/build.yml
-    secrets: inherit
+    secrets:
+      NPM_TOKEN_ARTIFACTORY: ${{ secrets.NPM_TOKEN_ARTIFACTORY }}
+      API_HUB_SANDBOX_TOKEN: ${{ secrets.API_HUB_SANDBOX_TOKEN }}
+      SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
     with:
       canary-release-skip-checks: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.canary-release == 'Skip Tests and Checks (Force Release)' }}
       is-workflow-call: true

.github/workflows/release.yml

@@ -2,6 +2,13 @@ name: release
 
 on:
   workflow_call:
+    secrets:
+      SAP_CLOUD_SDK_BOT_CLIENT_ID:
+        required: true
+      SAP_CLOUD_SDK_BOT_PRIVATE_KEY:
+        required: true
+
+permissions: {}
 
 jobs:
   stable-release:
@@ -17,6 +24,8 @@ jobs:
           private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }}
           owner: SAP
           repositories: cloud-sdk
+          permission-contents: write
+          permission-pull-requests: write
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:
           ref: 'main'

.github/workflows/tests-windows.yml

@@ -7,10 +7,14 @@ on:
       - 'docs/**'
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   tests:
     runs-on: windows-latest
     timeout-minutes: 30
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:

.github/workflows/typedoc.yml

@@ -8,9 +8,13 @@ on:
     paths-ignore:
       - 'docs/**'
 
+permissions: {}
+
 jobs:
   tests:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: sap/cloud-sdk-js/.github/actions/setup@main
         with:

.github/zizmor.yml

@@ -3,14 +3,6 @@ rules:
   dependabot-cooldown:
     config:
       days: 4
-  # requires more effort to fix
-  secrets-inherit:
-    ignore:
-     - bump.yml
-     - release-entry.yml
-  # requires more effort to fix
-  excessive-permissions:
-    disable: true
   dangerous-triggers:
     ignore:
       - auto-dependabot-fix.yml