Specify default permissions for `vrms-data.yml`

[t-will-gillis]

Prerequisites

1. Be a member of Hack for LA. (There are no fees to join.) If you have not joined yet, please follow the steps on our Getting Started page and attend an onboarding session.
2. You have already read our How to Contribute to Hack for LA Guide.

---

Overview

We need to update the default permissions for the GitHub workflow specified in vrms-data.yml, so that it does not have more permissions than it needs.

Details

To align with GitHub security best practices, we want to specify the minimum required permissions for each workflow via a top-level permissions: block to ensure that workflows only have the access they need by default.

Every GitHub Actions workflow automatically receives a GITHUB_TOKEN with a set of default repository permissions defined in the repo settings which may result in the workflow having more permissions than it needs to complete its job. By explicitly defining minimum default permissions at the workflow level, we can ensure that workflow has only the permissions it needs. Then if a job or step requires more access, those permissions can be explicitly granted using job-level permissions statements or step-level tokens (PATs).

We performed an audit to identify the minimum top-level permissions required for each workflow. The goal of this and related issues is to verify that each workflow continues to function correctly with the explicitly defined permissions. This approach helps minimize unnecessary privileges and strengthen overall repository security.

For additional info, see issue #8178 and GitHub's recommendation for security best practice.

Action Items

Note that this issue involves testing GitHub Actions. See "Resources/Instructions" below for how to set up your personal environment for testing.

Refer to vrms-data.yml.

• Review the file to understand how the workflow is triggered. This is specified near the top of the YML in the on: section.
• Near the top of the file immediately before the line jobs: insert:

    permissions:
      contents: read
  

• Use clean formatting: make sure there is one line separation above and one below the permissions block.
• If the workflow includes line(s) similar to the following, you will need to change these to match your situation before the workflow will run correctly:

  if: github.repository == 'hackforla/website'
  

  or

      branches:
      - 'gh-pages'
  

• Create the event to trigger the workflow and confirm whether it runs successfully with no further changes to the permissions.
• If there are errors:
  • Try to determine the nature of the error, and whether it is occurring due to a mismatched repo or branch name.
  • If you cannot track down the error, consult with the team via Slack or the weekly meetings to report your findings and get additional direction.
• If there are no errors, submit the PR like usual. Include a link to your test log.

Resources/Instructions

• Refer to The "Hack for LA's GitHub Actions" Wiki guide needs additional explanation #6537 (comment), especially Tips 6, 7, and 8, if you have not already created you personal environment for testing.
• How to Test GitHub Actions
• Additional Notes for GitHub Actions
• Tokens, Secrets, Scopes, & Permissions