From cfc5c0359e7a536fb0106912abcac0ac5f171cc5 Mon Sep 17 00:00:00 2001
From: Patti Shin
Date: Fri, 30 Jun 2023 12:25:18 -0700
Subject: [PATCH] fix: various workflow updates (#3315)

* fix: updating checkout version and various workflow permissions

* fix: other workflow updates
---
 .github/workflows/ai-platform-snippets.yaml | 3 +--
 .github/workflows/automl.yaml | 3 +--
 .github/workflows/ci.yaml | 6 +++---
 .github/workflows/dialogflow-cx.yaml | 3 +--
 .github/workflows/functions-slack.yaml | 4 +---
 .github/workflows/iam-deny.yaml | 6 ++----
 .github/workflows/security-center-snippets.yaml | 3 +--
 .github/workflows/storagetransfer.yaml | 3 +--
 .github/workflows/test.yaml | 3 +--
 .github/workflows/utils/ci-secrets.yaml.njk | 7 +++----
 .github/workflows/vision.yaml | 3 +--
 11 files changed, 16 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/ai-platform-snippets.yaml b/.github/workflows/ai-platform-snippets.yaml
index 4f20756c11..79c921a144 100644
--- a/.github/workflows/ai-platform-snippets.yaml
+++ b/.github/workflows/ai-platform-snippets.yaml
@@ -37,8 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     defaults:
       run:
diff --git a/.github/workflows/automl.yaml b/.github/workflows/automl.yaml
index 0a31ac6155..9fa8865084 100644
--- a/.github/workflows/automl.yaml
+++ b/.github/workflows/automl.yaml
@@ -37,8 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     defaults:
       run:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 781385c9ff..298a5428fd 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -25,7 +25,7 @@ jobs:
       id-token: 'write'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3.5.3
       - uses: actions/setup-node@v3
         with:
           node-version: 14
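Review bot: The new `actions/checkout@v3.5.3` reference on the added line is still a mutable tag, so the change pins a version label rather than the code that actually runs; for a supply-chain-grade pin use the release's commit SHA and keep the tag as a trailing comment, `- uses: actions/checkout@<commit-sha-of-v3.5.3> # v3.5.3`. The neighbouring `actions/setup-node@v3` stays on a floating major tag, which leaves two pinning policies in one step list. The same checkout pin recurs in the two later ci.yaml hunks and in the ci-secrets.yaml.njk template, so one repository-wide pinning convention (with a bot keeping the SHA comments current) would cover all of them at once.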
@@ -37,7 +37,7 @@ jobs:
       id-token: 'write'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3.5.3
       - uses: JustinBeckwith/linkinator-action@v1
         with:
           paths: "**/*.md"
@@ -48,5 +48,5 @@ jobs:
       id-token: 'write'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3.5.3
       - run: ./.github/workflows/utils/region-tags-tests.sh
diff --git a/.github/workflows/dialogflow-cx.yaml b/.github/workflows/dialogflow-cx.yaml
index ac5cae0a12..0018527906 100644
--- a/.github/workflows/dialogflow-cx.yaml
+++ b/.github/workflows/dialogflow-cx.yaml
@@ -40,8 +40,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     defaults:
       run:
diff --git a/.github/workflows/functions-slack.yaml b/.github/workflows/functions-slack.yaml
index 5941b956fa..bed8ef0821 100644
--- a/.github/workflows/functions-slack.yaml
+++ b/.github/workflows/functions-slack.yaml
@@ -34,10 +34,8 @@ on:
 jobs:
   test:
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
-    if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
     runs-on: ubuntu-latest
     timeout-minutes: 120
 
diff --git a/.github/workflows/iam-deny.yaml b/.github/workflows/iam-deny.yaml
index c9699f79a1..7bd7a427f1 100644
--- a/.github/workflows/iam-deny.yaml
+++ b/.github/workflows/iam-deny.yaml
@@ -34,10 +34,8 @@ on:
 jobs:
   test:
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
-      id-token: 'write'
-
+      contents: 'read'
+      id-token: 'write'
     if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
     runs-on: ubuntu-latest
     timeout-minutes: 120
diff --git a/.github/workflows/security-center-snippets.yaml b/.github/workflows/security-center-snippets.yaml
index 8fb56b016d..02cfe403d1 100644
--- a/.github/workflows/security-center-snippets.yaml
+++ b/.github/workflows/security-center-snippets.yaml
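Review bot: The removed `if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'` line drops the label gate from functions-slack while iam-deny, security-center-snippets, storagetransfer and vision keep theirs, and the commit message mentions only permissions and checkout versions. If this workflow also listens for `labeled` events (its `on:` block is outside the hunk), the job now runs on any label applied to a pull request, and it does so with `id-token: 'write'`, so the guard was part of the access control rather than a convenience. Unless the drop is intentional, restore the line exactly as the sibling workflows have it; if it is intentional, a one-line comment above `runs-on:` stating why this workflow needs no gate would save the next reader the same question.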
@@ -34,8 +34,7 @@ on:
 jobs:
   test:
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
     runs-on: ubuntu-latest
diff --git a/.github/workflows/storagetransfer.yaml b/.github/workflows/storagetransfer.yaml
index ea3b03b4d1..9e5eb3a08b 100644
--- a/.github/workflows/storagetransfer.yaml
+++ b/.github/workflows/storagetransfer.yaml
@@ -34,8 +34,7 @@ on:
 jobs:
   test:
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index d93ebf20cd..ffc2416d87 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -28,8 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     defaults:
       run:
diff --git a/.github/workflows/utils/ci-secrets.yaml.njk b/.github/workflows/utils/ci-secrets.yaml.njk
index cf34e4f89f..7f0df36e78 100644
--- a/.github/workflows/utils/ci-secrets.yaml.njk
+++ b/.github/workflows/utils/ci-secrets.yaml.njk
@@ -37,17 +37,16 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     defaults:
       run:
         working-directory: '{{ path }}'
     steps:
-      - uses: actions/checkout@v3.3.0
+      - uses: actions/checkout@v3.5.3
         with:
           ref: ${% raw %}{{github.event.pull_request.head.sha}}{% endraw %}
-      - uses: 'google-github-actions/auth@v1.0.0'
+      - uses: 'google-github-actions/auth@v1.1.1'
         with:
           workload_identity_provider: 'projects/1046198160504/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
           service_account: 'kokoro-system-test@long-door-651.iam.gserviceaccount.com'
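Review bot: Narrowing the template to `contents: 'read'` does not change what the checked-out code can do with `id-token: 'write'`: the checkout step still takes `ref: ${{github.event.pull_request.head.sha}}` and the following step exchanges the job's OIDC token for `kokoro-system-test@long-door-651.iam.gserviceaccount.com` through the listed workload identity provider, so whatever runs from that checkout acts as that service account for the rest of the job. That is only acceptable if every workflow rendered from this template runs pull-request heads solely behind the `actions:force-run` label gate seen in the sibling workflows; the `on:` block is outside the hunk, so this is worth confirming against the rendered files. Both `actions/checkout@v3.5.3` and `google-github-actions/auth@v1.1.1` are mutable tags, so pin each to its release commit SHA and keep the tag as a trailing comment, e.g. `- uses: 'google-github-actions/auth@<commit-sha-of-v1.1.1>' # v1.1.1`. A short comment above `ref:` recording that checking out the PR head is intentional and gated by the label would document the trust decision in the template itself.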
diff --git a/.github/workflows/vision.yaml b/.github/workflows/vision.yaml
index def4ec9d2a..bfe5683e5b 100644
--- a/.github/workflows/vision.yaml
+++ b/.github/workflows/vision.yaml
@@ -34,8 +34,7 @@ on:
 jobs:
   test:
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
     runs-on: ubuntu-latest