fix: least privilege support in automated workflows (#347)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

.github/workflows/lint.yml

@@ -5,10 +5,12 @@ on:
     branches:
       - main
   pull_request:
+
 permissions:
   contents: read
   # Optional: allow read access to pull request. Use with `only-new-issues` option.
   pull-requests: read
+
 jobs:
   golangci:
     name: lint

.github/workflows/package_chart.yaml

@@ -8,6 +8,9 @@ on:
     paths:
       - deployment/chainloop/**
 
+# https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
+permissions: read-all
+
 jobs:
   package:
     name: Package and push Helm Chart
@@ -35,4 +38,3 @@ jobs:
           for pkg in chainloop*.tgz; do
             helm push ${pkg} oci://ghcr.io/chainloop-dev/charts
           done
-        

.github/workflows/release.yaml

@@ -5,6 +5,10 @@ on:
     tags:
       - "v*.*.*"
 
+# https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
+permissions:
+  contents: read
+
 jobs:
   test:
     uses: chainloop-dev/chainloop/.github/workflows/test.yml@main
@@ -27,7 +31,7 @@ jobs:
       - name: Install Cosign
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v2.0.2'
+          cosign-release: "v2.0.2"
 
       - name: Install Chainloop
         run: |

.github/workflows/test.yml

@@ -8,6 +8,9 @@ on:
   # We want to call this workflow during release too
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   build_and_test:
     name: Test
@@ -29,7 +32,7 @@ jobs:
           # due to issue with testcontainers
           # https://github.com/golang/go/issues/61431
           # https://github.com/testcontainers/testcontainers-go/issues/1359
-          go-version: '1.20.5'
+          go-version: "1.20.5"
           cache: true
           cache-dependency-path: go.sum
 

internal/attestation/crafter/materials/cyclonedxjson_test.go

@@ -76,7 +76,7 @@ func TestCyclonedxJSONCraft(t *testing.T) {
 		},
 		{
 			name:     "invalid sbom format",
-			filePath: "./testdata/sbom.spdx.json",
+			filePath: "./testdata/sbom-spdx.json",
 			wantErr:  "unexpected material type",
 		},
 		{

internal/attestation/crafter/materials/spdxjson_test.go

@@ -87,7 +87,7 @@ func TestSPDXJSONCraft(t *testing.T) {
 		},
 		{
 			name:     "valid artifact type",
-			filePath: "./testdata/sbom.spdx.json",
+			filePath: "./testdata/sbom-spdx.json",
 		},
 	}
 
@@ -105,7 +105,7 @@ func TestSPDXJSONCraft(t *testing.T) {
 				uploader.On("UploadFile", context.TODO(), tc.filePath).
 					Return(&casclient.UpDownStatus{
 						Digest:   "deadbeef",
-						Filename: "sbom.spdx.json",
+						Filename: "sbom-spdx.json",
 					}, nil)
 			}
 
@@ -125,7 +125,7 @@ func TestSPDXJSONCraft(t *testing.T) {
 
 			// // The result includes the digest reference
 			assert.Equal(got.GetArtifact(), &attestationApi.Attestation_Material_Artifact{
-				Id: "test", Digest: "sha256:fe2636fb6c698a29a315278b762b2000efd5959afe776ee4f79f1ed523365a33", Name: "sbom.spdx.json",
+				Id: "test", Digest: "sha256:fe2636fb6c698a29a315278b762b2000efd5959afe776ee4f79f1ed523365a33", Name: "sbom-spdx.json",
 			})
 		})
 	}