ci(workflows): enhance permissions for jobs (#1627)

Signed-off-by: Dariusz Porowski <3431813+DariuszPorowski@users.noreply.github.com>

Author: DariuszPorowski

.github/workflows/close-stale-prs.yml

@@ -10,12 +10,14 @@ on:
   schedule:
     - cron: "0 18 * * *" # Run the workflow every day at 6PM UTC (10AM PST).
 
+permissions: {}
+
 jobs:
   stale:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
     permissions:
       pull-requests: write
-
     steps:
       - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
         with:

.github/workflows/issues.yml .github/workflows/devops-boards.yaml.github/workflows/issues.yml renamed to .github/workflows/devops-boards.yaml

@@ -11,14 +11,15 @@ concurrency:
   group: issue-${{ github.event.issue.number }}
   cancel-in-progress: false
 
-# Extra permissions needed to login with Entra ID service principal via federated identity
-permissions:
-  id-token: write
-  issues: write
+permissions: {}
 
 jobs:
   ado:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      id-token: write
+      issues: write
     environment:
       name: issues
     steps:
@@ -36,19 +37,19 @@ jobs:
         run: |
           # The resource ID for Azure DevOps is always 499b84ac-1321-427f-aa17-267ca6975798
           # https://learn.microsoft.com/azure/devops/integrate/get-started/authentication/service-principal-managed-identity
-          ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query "accessToken" --output tsv)
-          echo "::add-mask::$ADO_TOKEN"
-          echo "ADO_TOKEN=$ADO_TOKEN" >> $GITHUB_ENV
+          ADO_TOKEN=$(az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken --output tsv)
+          echo "::add-mask::${ADO_TOKEN}"
+          echo "ADO_TOKEN=${ADO_TOKEN}" >> "${GITHUB_ENV}"
 
       - name: Sync issue to Azure DevOps
         uses: danhellem/github-actions-issue-to-work-item@8d0ead9b49a65aa66dac6949b1ff149d7ef8b4de # v2.5
         env:
           ado_token: ${{ env.ADO_TOKEN }}
-          github_token: ${{ secrets.GH_RAD_CI_BOT_PAT }}
+          github_token: ${{ github.token }}
           ado_organization: azure-octo
           ado_project: Incubations
-          ado_area_path: "Incubations\\Radius"
-          ado_iteration_path: "Incubations\\Radius"
+          ado_area_path: Incubations\\Radius
+          ado_iteration_path: Incubations\\Radius
           ado_new_state: New
           ado_active_state: Active
           ado_close_state: Closed

.github/workflows/pr-checks.yaml

@@ -6,10 +6,16 @@ on:
   pull_request:
     types: [opened, reopened, synchronize, labeled, unlabeled]
 
+permissions: {}
+
 jobs:
   check-do-not-merge-tag:
     name: Check for do-not-merge tag
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      issues: read
+      pull-requests: read
     steps:
       - name: Check for do-not-merge label
         uses: mheap/github-action-required-labels@8afbe8ae6ab7647d0c9f0cfa7c2f939650d22509 # v5.5.1

.github/workflows/redirect.yml

@@ -19,15 +19,21 @@ on:
       - "redirect/**"
       - ".github/workflows/redirect.yml"
 
+permissions: {}
+
 jobs:
   deploy-website:
     name: Deploy Redirect Website
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - name: Checkout repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           submodules: false
+          persist-credentials: false
 
       - name: Deploy staging site
         uses: Azure/static-web-apps-deploy@4d27395796ac319302594769cfe812bd207490b1 # v1
@@ -42,7 +48,10 @@ jobs:
   close_pr_site:
     name: Close PR Staging Site
     if: github.event_name == 'pull_request' && github.event.action == 'closed'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - name: Close Pull Request
         id: closepullrequest

.github/workflows/release.yaml

@@ -11,20 +11,26 @@ on:
         default: ""
         type: string
 
+permissions: {}
+
 env:
   GITHUB_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }}
   GITHUB_EMAIL: radiuscoreteam@service.microsoft.com
   GITHUB_USER: Radius CI Bot
 
 jobs:
   release-docs:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           token: ${{ secrets.GH_RAD_CI_BOT_PAT }}
           ref: edge
           path: docs
+          persist-credentials: false
 
       - name: Configure git
         run: |
@@ -40,7 +46,7 @@ jobs:
         run: |
           # CHANNEL is the major and minor version of the VERSION_NUMBER (e.g. 0.1)
           CHANNEL="$(echo ${{ inputs.version }} | cut -d '.' -f 1,2)"
-          echo "channel=$CHANNEL" >> $GITHUB_OUTPUT
+          echo "channel=$CHANNEL" >> "${GITHUB_OUTPUT}"
 
       - name: Release docs
         run: |

.github/workflows/spellcheck.yaml

@@ -14,6 +14,8 @@ on:
       - v*.*
       - edge
 
+permissions: {}
+
 env:
   ACTION_LINK: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
 
@@ -23,10 +25,16 @@ concurrency:
 jobs:
   spellcheck:
     name: Spellcheck
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout docs
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
 
       - name: Spellcheck
         uses: rojopolis/spellcheck-github-actions@6f2326b663e2dbab920da0fc4144b9f3202434ba # 0.54.0
@@ -36,15 +44,19 @@ jobs:
       - name: Post GitHub workkflow output on failure
         if: failure()
         run: |
-          echo "## :x: Spellcheck Failed" >> $GITHUB_STEP_SUMMARY
-          echo "There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing." >> $GITHUB_STEP_SUMMARY
-          echo "### Adding new words" >> $GITHUB_STEP_SUMMARY
-          echo "If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)" >> $GITHUB_STEP_SUMMARY
+          {
+            echo "## :x: Spellcheck Failed"
+            echo "There are spelling errors in your PR. Visit [the workflow output](${{ env.ACTION_LINK }}) to see what words are failing."
+            echo "### Adding new words"
+            echo "If you are adding a new custom word refer to the [docs guide](https://docs.radapp.io/contributing/docs/#spelling)"
+          } >> "${GITHUB_STEP_SUMMARY}"
 
       - name: Post GitHub workflow output on success
         run: |
-          echo "## :white_check_mark: Spellcheck Passed" >> $GITHUB_STEP_SUMMARY
-          echo "There are no spelling errors in your PR." >> $GITHUB_STEP_SUMMARY
+          {
+            echo "## :white_check_mark: Spellcheck Passed"
+            echo "There are no spelling errors in your PR."
+          } >> "${GITHUB_STEP_SUMMARY}"
 
       - name: Post GitHub comment on failure
         if: failure()

.github/workflows/upmerge.yaml

@@ -29,13 +29,19 @@ name: Upmerge docs to edge
 on:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   upmerge:
     name: Upmerge docs to edge
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       # Checkout the edge branch
-      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
         with:
           ref: edge
           # https://github.com/actions/checkout/issues/125#issuecomment-570254411
@@ -48,40 +54,41 @@ jobs:
         run: |
           git config --global user.email "radiuscoreteam@service.microsoft.com"
           git config --global user.name "Radius CI Bot"
-          git remote set-url origin https://$GH_TOKEN@github.com/${{ github.repository }}
+          git remote set-url origin "https://${GH_TOKEN}@github.com/${{ github.repository }}"
 
       # Create a new branch from edge. This branch will be used to PR back into edge.
       - name: Create new branch
         run: |
-          export DATE=$(date +%Y-%m-%d)
-          export RAND=$(openssl rand -hex 2)
-          export BRANCH_NAME=upmerge/$DATE-$RAND
-          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
-          git checkout -b $BRANCH_NAME
+          DATE=$(date +%Y-%m-%d)
+          RAND=$(openssl rand -hex 2)
+          BRANCH_NAME="upmerge/${DATE}-${RAND}"
+          echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_ENV}"
+          git checkout -b "${BRANCH_NAME}"
 
       # Merge changes from the github.ref branch, i.e., the branch from which the workflow is triggered. That
       # branch is assumed to be the current release branch, but could be any branch.
       # If there are no changes, stop the workflow.
       - name: Upmerge docs
         run: |
-          export SOURCE_BRANCH=$(basename ${{ github.ref }})
+          SOURCE_BRANCH=$(basename ${{ github.ref }})
           echo "Upmerging docs from $SOURCE_BRANCH to edge"
-          git fetch origin $SOURCE_BRANCH
-          git merge --no-commit origin/$SOURCE_BRANCH
+          git fetch origin "${SOURCE_BRANCH}"
+          git merge --no-commit "origin/${SOURCE_BRANCH}"
           git checkout edge -- docs/config.toml docs/layouts/partials/hooks/body-end.html
           git commit --signoff --message "Upmerge to edge"
 
           if git diff --quiet edge; then
-              echo "No changes to merge from $SOURCE_BRANCH to edge"
-              echo "NO_CHANGES=true" >> $GITHUB_ENV
+              echo "No changes to merge from ${SOURCE_BRANCH} to edge"
+              echo "NO_CHANGES=true" >> "${GITHUB_ENV}"
           else
-              echo "Pushing $BRANCH_NAME for PR to edge"
-              git push --set-upstream origin $BRANCH_NAME
+              echo "Pushing ${BRANCH_NAME} for PR to edge"
+              git push --set-upstream origin "${BRANCH_NAME}"
           fi
 
       # Create a PR from the new branch to edge
       - name: Create pull request
         if: env.NO_CHANGES != 'true'
         env:
           GH_TOKEN: ${{ secrets.GH_RAD_CI_BOT_PAT }}
-        run: gh pr create --title "Upmerge to edge" --body "Upmerge to edge (kicked off by @${{ github.triggering_actor }})" --base edge --head $BRANCH_NAME
+        run: |
+          gh pr create --title "Upmerge to edge" --body "Upmerge to edge (kicked off by @${{ github.triggering_actor }})" --base edge --head "${BRANCH_NAME}"

.github/workflows/validate-bicep.yaml

@@ -28,13 +28,20 @@ on:
       - edge
       - v*
 
+permissions: {}
+
 jobs:
   build:
     name: Validate Bicep Code
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    timeout-minutes: 5
+    permissions:
+      contents: read
     steps:
       - name: Check out repo
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        with:
+          persist-credentials: false
 
       - name: Setup and verify bicep CLI
         run: |