Set workflows to run with read-only permissions

[pnacht]

/kind feature

Why you need this feature:

Kubeflow's workflows are running with write-all permissions. This puts the project at risk of supply-chain attacks.

I took a look at all the workflows and none of them seem to require significant permissions.

Describe the solution you'd like:

There are two solutions:

• all the workflows can be set with read-only top-level permissions; and/or
• the default workflow token can be set to read-only

I'll send a PR setting top-level permissions for all workflows. If you also/instead want to change the default token:

1. Open the repo settings
2. Go to Actions > General
3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

Anything else you would like to add:

My name is Pedro and I work with Google and the Open Source Security Foundation (OpenSSF) to improve the supply-chain security of the open-source ecosystem.

[google-oss-prow[bot]]

@juliusvonkohout: Closing this issue.

In response to [this](https://github.com/kubeflow/notebooks/issues/80): >/close > >wrong repository, use kubeflow/pipelines instead Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[juliusvonkohout]

/reopen

since it is about github actions, not kubeflow pipelines

[google-oss-prow[bot]]

@juliusvonkohout: Reopened this issue.

In response to [this](https://github.com/kubeflow/notebooks/issues/80): >/reopen > >since it is about github actions, not kubeflow pipelines Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[andreyvelich]

/transfer notebooks

[google-oss-prow[bot]]

@pnacht: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

In response to [this](https://github.com/kubeflow/notebooks/issues/80): >/kind feature > >**Why you need this feature:** > >Kubeflow's workflows are running with write-all permissions. This puts the project at risk of supply-chain attacks. > >I took a look at all the workflows and none of them seem to require significant permissions. > >**Describe the solution you'd like:** > >There are two solutions: >- all the workflows can be set with read-only top-level permissions; and/or >- the default workflow token can be set to read-only > >I'll send a PR setting top-level permissions for all workflows. If you also/instead want to change the default token: > >1. Open the repo settings >2. Go to [Actions > General](https://github.com/kubeflow/kubeflow/settings/actions) >3. Under "Workflow permissions", set them to "Read repository contents and packages permissions" > > >**Anything else you would like to add:** > >My name is Pedro and I work with Google and the [Open Source Security Foundation (OpenSSF)](https://www.openssf.org/) to improve the supply-chain security of the open-source ecosystem. Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.