[bitnami/charts] review and improve workflow permissions (#16908)

Signed-off-by: Fran Mulero <fmulero@vmware.com>

.github/workflows/assign-asset-label.yml

@@ -1,6 +1,6 @@
 name: '[Support] Assign asset label'
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
 permissions:

.github/workflows/comments.yml

@@ -4,9 +4,10 @@ on:
     types:
       - created
 permissions:
+  contents: read
   repository-projects: write
-  issues: write
-  pull-requests: write
+  issues: read
+  pull_requests: read
 # Avoid concurrency over the same issue
 concurrency:
   group: card-movement-${{ github.event.issue.number }}

.github/workflows/generate-chart-readme.yml

@@ -1,7 +1,7 @@
 name: '[Support] Update README metadata'
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
     paths:
@@ -11,15 +11,12 @@ permissions:
 jobs:
   update-readme-metadata:
     runs-on: ubuntu-latest
-
     steps:
       - name: Install readme-generator-for-helm
         run: npm install -g @bitnami/readme-generator-for-helm
       - name: Checkout bitnami/charts
         uses: actions/checkout@v3
         with:
-          ref: ${{github.event.pull_request.head.ref}}
-          repository: ${{github.event.pull_request.head.repo.full_name}}
           path: charts
           token: ${{ github.actor == 'bitnami-bot' && secrets.GITHUB_TOKEN || secrets.BITNAMI_BOT_TOKEN }}
       - name: Execute readme-generator-for-helm

.github/workflows/moving-cards.yml

@@ -6,6 +6,7 @@ on:
       - created
       - moved
 permissions:
+  contents: read
   issues: write
   pull-requests: write
 jobs:

.github/workflows/pr-reviews.yml

@@ -1,11 +1,14 @@
 name: '[Support] Review based card movements'
 on:
-  pull_request_target:
+  pull_request:
     types:
       - review_requested
       - synchronize
 permissions:
   repository-projects: write
+  contents: read
+  issues: read
+  pull-requests: read
 concurrency:
   group: card-movement-${{ github.event.number }}
 jobs:
@@ -19,7 +22,19 @@ jobs:
       github.actor != 'bitnami-bot' && github.event.pull_request.user.login != 'bitnami-bot' &&
       (!contains(github.event.pull_request.labels.*.name, 'bitnami')) && (!contains(github.event.pull_request.labels.*.name, 'triage'))
     steps:
+      - name: Repo checkout
+        uses: actions/checkout@v3
+        with:
+          # Checkout from base to try to get latest information from the main branch.
+          ref: ${{ github.event.pull_request.base.ref }}
+          repository: ${{ github.event.pull_request.base.repo.full_name }}
+      - name: Load .env file
+        uses: xom9ikk/dotenv@v2
+        with:
+          path: .github/workflows/
       - name: Move into In Progress
+        # Move the card only if the actor is not a Bitnami member
+        if: ${{ !contains(fromJson(env.BITNAMI_TEAM), github.actor) }}
         uses: peter-evans/create-or-update-project-card@v2
         with:
           project-name: Support

.github/workflows/sync-teams.yml

@@ -4,8 +4,8 @@ on:
     # Daily
     - cron: '0 5 * * *'
 permissions:
-  repository-projects: write
-
+  # All write actions are executed with BITNAMI_BOT
+  contents: write
 jobs:
   sync-support-teams:
     runs-on: ubuntu-latest
@@ -32,7 +32,7 @@ jobs:
             sed -i "s|BITNAMI_TEAM=.*$|BITNAMI_TEAM='${TEAM_MEMBERS}'|g" .github/workflows/.env
             git config user.name "bitnami-bot"
             git config user.email "bitnami-bot@vmware.com"
-            git commit -s -m"[bitnami-bot] Updating Bitnami team members" .github/workflows/.env 
+            git commit -s -m"[bitnami-bot] Updating Bitnami team members" .github/workflows/.env
             git push
           else
             echo "BITNAMI_TEAM is updated and nothing should be done"

.github/workflows/triage.yml

@@ -10,6 +10,8 @@ on:
       - reopened
       - opened
 permissions:
+  # Please note that projects cards are created/moved with Bitnami Bot (that's reason to use pull_request_target)
+  contents: read
   issues: write
   pull-requests: write
 # Avoid concurrency over the same issue