felleslosninger · eskwor · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026 · Mar 25, 2026
diff --git a/.github/workflows/ci-build-publish-image.yml b/.github/workflows/ci-build-publish-image.yml
@@ -1,4 +1,5 @@
 name: Build and publish Docker image
+permissions: {}
 
 on:
   workflow_call:
@@ -138,6 +139,7 @@ on:
 
 jobs:
   inputs-to-summary:
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       - name: "Write inputs to summary"
@@ -147,6 +149,7 @@ jobs:
           title: "Inputs"
 
   input-checks:
+    permissions: {}
     runs-on: ubuntu-latest
     outputs:
       container-registry: ${{ steps.set-container-registry.outputs.container-registry }}
@@ -175,11 +178,10 @@ jobs:
           else
             echo "Invalid lifecycle type. Supported types are: \`deployment\`, and \`development\`" >> "$GITHUB_STEP_SUMMARY"
           fi
-
   run-spring-boot-build:
     needs: input-checks
     if: inputs.application-type == 'spring-boot'
-    uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-build-publish-image.yml@main
+    uses: felleslosninger/github-workflows/.github/workflows/ci-spring-boot-build-publish-image.yml@hardening-gh-token-permissions
     with:
       image-name: ${{ inputs.image-name }}
       image-pack: ${{ inputs.image-pack }}
@@ -208,9 +210,12 @@ jobs:
     secrets: inherit
 
   run-quarkus-build:
+    permissions:
+      id-token: write
+      contents: write
     needs: input-checks
     if: inputs.application-type == 'quarkus'
-    uses: felleslosninger/github-workflows/.github/workflows/ci-quarkus-build-publish-image.yml@main
+    uses: felleslosninger/github-workflows/.github/workflows/ci-quarkus-build-publish-image.yml@hardening-gh-token-permissions
     with:
       image-name: ${{ inputs.image-name }}
       image-pack: ${{ inputs.image-pack }}
@@ -233,9 +238,13 @@ jobs:
     secrets: inherit
 
   run-docker-build:
+    permissions:
+      id-token: write
+      contents: write
+      packages: read
     needs: input-checks
     if: inputs.application-type == 'docker'
-    uses: felleslosninger/github-workflows/.github/workflows/ci-docker-build-publish-image.yml@main
+    uses: felleslosninger/github-workflows/.github/workflows/ci-docker-build-publish-image.yml@hardening-gh-token-permissions
     with:
       image-name: ${{ inputs.image-name }}
       image-signing: ${{ inputs.image-signing }}

diff --git a/.github/workflows/ci-docker-build-publish-image.yml b/.github/workflows/ci-docker-build-publish-image.yml
@@ -1,4 +1,8 @@
 name: Build/publish Docker image
+permissions:
+  contents: write
+  id-token: write
+  packages: read
 
 on:
   workflow_call:

diff --git a/.github/workflows/ci-quarkus-build-publish-image.yml b/.github/workflows/ci-quarkus-build-publish-image.yml
@@ -112,6 +112,7 @@ jobs:
           title: "Inputs"
 
   build-publish-image:
+
     runs-on: ubuntu-latest
 
     env:
@@ -122,10 +123,6 @@ jobs:
       imagetag: ${{ steps.output-image-tag.outputs.imagetag }}
       imagedigest: ${{ steps.output-image-digest.outputs.imagedigest }}
 
-    permissions:
-      id-token: write
-      contents: write
-
     steps:
       - name: Set imagetag as env variable
         run: echo "IMAGETAG=$(date +'%Y-%m-%d-%H%M')-${GITHUB_SHA::8}" >> "$GITHUB_ENV"

diff --git a/.github/workflows/ci-spring-boot-build-publish-image.yml b/.github/workflows/ci-spring-boot-build-publish-image.yml
@@ -1,4 +1,5 @@
 name: Build and publish Docker image
+permissions: {}
 
 on:
   workflow_call:
@@ -129,6 +130,7 @@ on:
 
 jobs:
   inputs-to-summary:
+    permissions: {}
     runs-on: ubuntu-latest
     steps:
       - name: "Write inputs to summary"
@@ -138,16 +140,14 @@ jobs:
           title: "Inputs"
 
   build-publish-image:
-    runs-on: ubuntu-latest
-    outputs:
-      image-tag: ${{ steps.set-image-tag.outputs.image-tag }}
-      image-digest: ${{ steps.set-image-digest.outputs.image-digest }}
-
     permissions:
       id-token: write
       contents: write
       packages: write
-
+    runs-on: ubuntu-latest
+    outputs:
+      image-tag: ${{ steps.set-image-tag.outputs.image-tag }}
+      image-digest: ${{ steps.set-image-digest.outputs.image-digest }}
     steps:
       - name: Set image tag
         id: set-image-tag
@@ -321,6 +321,7 @@ jobs:
           image: ${{ steps.set-image-name.outputs.image-name }}:${{ steps.set-image-tag.outputs.image-tag }}
 
   notify-on-errors:
+    permissions: {}
     runs-on: ubuntu-latest
     needs: [build-publish-image]
     if: always() && contains(needs.*.result, 'failure')