Merge pull request #659 from microsoft/pls-pipeline-security-fix

ci: fix pipeline vulnerabilities

Author: Prajwal-Microsoft

.github/workflows/deploy-linux.yml

@@ -93,7 +93,9 @@ on:
 
   schedule:
     - cron: '0 9,21 * * *'  # Runs at 9:00 AM and 9:00 PM GMT
-
+permissions:
+  contents: read
+  actions: read
 jobs:
   Run:
     uses: ./.github/workflows/deploy-orchestrator.yml

.github/workflows/deploy-orchestrator.yml

@@ -64,7 +64,10 @@ on:
 
 env:
   AZURE_DEV_COLLECT_TELEMETRY: ${{ vars.AZURE_DEV_COLLECT_TELEMETRY }}
-
+permissions:
+  contents: read
+  actions: read
+  
 jobs:
   docker-build:
     uses: ./.github/workflows/job-docker-build.yml

.github/workflows/deploy-windows.yml

@@ -83,7 +83,10 @@ on:
 
   # schedule:
   #   - cron: '0 9,21 * * *'  # Runs at 9:00 AM and 9:00 PM GMT
-
+permissions:
+  contents: read
+  actions: read
+  
 jobs:
   Run:
     uses: ./.github/workflows/deploy-orchestrator.yml

.github/workflows/deploy.yml

@@ -20,7 +20,10 @@ env:
   GPT_MIN_CAPACITY: 150
   TEXT_EMBEDDING_MIN_CAPACITY: 80
   BRANCH_NAME: ${{ github.event.workflow_run.head_branch || github.head_ref || github.ref_name }}
-
+permissions:
+  contents: read
+  actions: read
+  
 jobs:
   deploy:
     runs-on: ubuntu-latest
@@ -31,26 +34,21 @@ jobs:
       - name: Checkout Code
         uses: actions/checkout@v5
 
-      - name: Setup Azure CLI
-        run: |
-          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
-          az --version  # Verify installation
-
       - name: Login to Azure
         run: |
           az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}
 
       - name: Run Quota Check
         id: quota-check
+        env:
+          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+          AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          GPT_MIN_CAPACITY: ${{ env.GPT_MIN_CAPACITY }}
+          TEXT_EMBEDDING_MIN_CAPACITY: ${{ env.TEXT_EMBEDDING_MIN_CAPACITY }}
+          AZURE_REGIONS: ${{ vars.AZURE_REGIONS }}
         run: |
-          export AZURE_CLIENT_ID=${{ secrets.AZURE_CLIENT_ID }}
-          export AZURE_TENANT_ID=${{ secrets.AZURE_TENANT_ID }}
-          export AZURE_CLIENT_SECRET=${{ secrets.AZURE_CLIENT_SECRET }}
-          export AZURE_SUBSCRIPTION_ID="${{ secrets.AZURE_SUBSCRIPTION_ID }}"
-          export GPT_MIN_CAPACITY=${{ env.GPT_MIN_CAPACITY }}
-          export TEXT_EMBEDDING_MIN_CAPACITY=${{ env.TEXT_EMBEDDING_MIN_CAPACITY }}
-          export AZURE_REGIONS="${{ vars.AZURE_REGIONS }}"
-
           chmod +x scripts/checkquota.sh
           if ! scripts/checkquota.sh; then
             # If quota check fails due to insufficient quota, set the flag
@@ -224,11 +222,6 @@ jobs:
     env:
       RESOURCE_GROUP_NAME: ${{ needs.deploy.outputs.RESOURCE_GROUP_NAME }}
     steps:
-      - name: Setup Azure CLI
-        run: |
-          curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
-          az --version  # Verify installation
-
       - name: Login to Azure
         run: |
           az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }}

.github/workflows/docker-build-and-push.yml

@@ -26,7 +26,10 @@ on:
       - '!src/tests/**'
   merge_group:
   workflow_dispatch:
-
+permissions:
+  contents: read
+  actions: read
+  
 jobs:
   build-and-push:
     runs-on: ubuntu-latest

.github/workflows/job-cleanup-deployment.yml

@@ -40,7 +40,10 @@ on:
         description: 'Docker Image Tag'
         required: true
         type: string
-
+permissions:
+  contents: read
+  actions: read
+  
 jobs:
   cleanup-deployment:
     runs-on: ${{ inputs.runner_os }}
@@ -52,14 +55,6 @@ jobs:
       ENV_NAME: ${{ inputs.ENV_NAME }}
       IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
     steps:
-      - name: Setup Azure CLI
-        shell: bash
-        run: |
-          if [[ "${{ runner.os }}" == "Linux" ]]; then
-            curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
-          fi
-          az --version
-
       - name: Login to Azure
         shell: bash
         run: |