[bitnami/containers] review and improve workflow permissions (#35293)

* [bitnami/containers] review and improve workflow permissions

Signed-off-by: Fran Mulero <fmulero@vmware.com>

* Fix typo

Signed-off-by: Fran Mulero <fmulero@vmware.com>

---------

Signed-off-by: Fran Mulero <fmulero@vmware.com>

.github/workflows/assign-asset-label.yml

@@ -1,6 +1,6 @@
 name: '[Support] Assign asset label'
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
 permissions:
@@ -29,7 +29,7 @@ jobs:
             echo "name=NONE" >> $GITHUB_OUTPUT
           else
             echo "result=ok" >> $GITHUB_OUTPUT
-            echo "message=Adding label '${assets}'"  >> $GITHUB_OUTPUT
+            echo "message=Adding label '${assets}'" >> $GITHUB_OUTPUT
             echo "name=${assets}" >> $GITHUB_OUTPUT
           fi
       - name: Show messages

.github/workflows/comments.yml

@@ -4,9 +4,10 @@ on:
     types:
       - created
 permissions:
+  contents: read
   repository-projects: write
-  issues: write
-  pull-requests: write
+  issues: read
+  pull-requests: read
 # Avoid concurrency over the same issue
 concurrency:
   group: card-movement-${{ github.event.issue.number }}

.github/workflows/moving-cards.yml

@@ -6,6 +6,7 @@ on:
       - created
       - moved
 permissions:
+  contents: read
   issues: write
   pull-requests: write
 jobs:
@@ -140,4 +141,4 @@ jobs:
           removePreviousAssignees: true
           teams: ${{ env.SUPPORT_TEAM_NAME }}
           repo-token: ${{ secrets.BITNAMI_BOT_TOKEN }}
-          allowSelfAssign: false
+          allowSelfAssign: false

.github/workflows/pr-reviews.yml

@@ -1,11 +1,14 @@
 name: '[Support] Review based card movements'
 on:
-  pull_request_target:
+  pull_request:
     types:
       - review_requested
       - synchronize
 permissions:
   repository-projects: write
+  contents: read
+  issues: read
+  pull-requests: read
 concurrency:
   group: card-movement-${{ github.event.number }}
 jobs:
@@ -19,7 +22,19 @@ jobs:
       github.actor != 'bitnami-bot' && github.event.pull_request.user.login != 'bitnami-bot' &&
       (!contains(github.event.pull_request.labels.*.name, 'bitnami')) && (!contains(github.event.pull_request.labels.*.name, 'triage'))
     steps:
+      - name: Repo checkout
+        uses: actions/checkout@v3
+        with:
+          # Checkout from base to try to get latest information from the main branch.
+          ref: ${{ github.event.pull_request.base.ref }}
+          repository: ${{ github.event.pull_request.base.repo.full_name }}
+      - name: Load .env file
+        uses: xom9ikk/dotenv@v2
+        with:
+          path: .github/workflows/
       - name: Move into In Progress
+        # Move the card only if the actor is not a Bitnami member
+        if: ${{ !contains(fromJson(env.BITNAMI_TEAM), github.actor) }}
         uses: peter-evans/create-or-update-project-card@v2
         with:
           project-name: Support

.github/workflows/sync-teams.yml

@@ -4,8 +4,8 @@ on:
     # Daily
     - cron: '0 5 * * *'
 permissions:
-  repository-projects: write
-
+  # All write actions are executed with BITNAMI_BOT
+  contents: write
 jobs:
   sync-support-teams:
     runs-on: ubuntu-latest
@@ -32,7 +32,7 @@ jobs:
             sed -i "s|BITNAMI_TEAM=.*$|BITNAMI_TEAM='${TEAM_MEMBERS}'|g" .github/workflows/.env
             git config user.name "bitnami-bot"
             git config user.email "bitnami-bot@vmware.com"
-            git commit -s -m"[bitnami-bot] Updating Bitnami team members" .github/workflows/.env 
+            git commit -s -m"[bitnami-bot] Updating Bitnami team members" .github/workflows/.env
             git push
           else
             echo "BITNAMI_TEAM is updated and nothing should be done"

.github/workflows/triage.yml

@@ -10,6 +10,8 @@ on:
       - reopened
       - opened
 permissions:
+  # Please note that projects cards are created/moved with Bitnami Bot (that's reason to use pull_request_target)
+  contents: read
   issues: write
   pull-requests: write
 # Avoid concurrency over the same issue