Merge pull request #3231 from eddie-knight/fix/workflow-permissions

Adjusted workflow permissions
pull/3232/head
Stefan Prodan 2 years ago committed by GitHub
commit 138cba6e57
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -6,6 +6,9 @@ on:
pull_request:
branches: [ main ]
permissions:
contents: read
jobs:
github:
runs-on: ubuntu-latest

@ -5,6 +5,9 @@ on:
push:
branches: [ main, update-components ]
permissions:
contents: read
jobs:
test:
# Hosted on Equinix

@ -7,6 +7,9 @@ on:
push:
branches: [ azure* ]
permissions:
contents: read
jobs:
e2e:
runs-on: ubuntu-22.04

@ -6,6 +6,9 @@ on:
pull_request:
branches: [ main, oci ]
permissions:
contents: read
jobs:
kind:
runs-on: ubuntu-latest

@ -5,10 +5,12 @@ on:
workflow_dispatch:
permissions:
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
contents: read
jobs:
permissions:
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
build-push:
runs-on: ubuntu-latest
steps:
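Review bot: The job-level `permissions:` block with `id-token: write` and `packages: write` is printed between `jobs:` and `build-push:` in this view; if that is its real position it is a sibling of the job rather than part of it, and a "job" named permissions with no `runs-on` will fail workflow validation, so confirm it sits under `build-push:` (indentation is lost in the rendered page, so this may be an artifact). It also cannot be confirmed from this view whether the workflow-level block still grants `id-token: write` and `packages: write` next to `contents: read`; if it does, every job in the file keeps those scopes and the job-level copy narrows nothing. The intended end state should leave only `contents: read` at workflow level and the two write scopes under `build-push:`. The build-push steps continue outside the hunk.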

@ -11,6 +11,10 @@ permissions:
jobs:
goreleaser:
permissions: # TODO: Segment these jobs to minimize which actions are recieving escalated perms
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
runs-on: ubuntu-latest
steps:
- name: Checkout
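Review bot: The comment on the goreleaser job's `permissions:` line misspells "receiving"; it should read `permissions: # TODO: Segment these jobs to minimize which actions are receiving escalated perms`. The per-scope comments on `contents`, `id-token` and `packages` explaining why each write grant exists are the right style and worth keeping. The goreleaser steps continue outside the hunk.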

@ -10,7 +10,6 @@ on:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for codeQL to write security events
jobs:
fossa:
@ -28,6 +27,8 @@ jobs:
snyk:
name: Snyk
permisions:
security-events: write
runs-on: ubuntu-latest
if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
steps:
@ -50,6 +51,8 @@ jobs:
sarif_file: snyk.sarif
codeql:
permissions:
security-events: write # for codeQL to write security events
name: CodeQL
runs-on: ubuntu-latest
if: github.actor != 'dependabot[bot]'
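Review bot: The snyk job's new permissions block is misspelled `permisions:` (the key above `security-events: write`), so GitHub Actions will not apply it; the first hunk of this section appears to drop the workflow-level `security-events: write`, which would leave the SARIF upload (`sarif_file: snyk.sarif`) without the scope it needs, if the runner does not reject the unknown key outright. The fix is `permissions:`. Note also that a job-level `permissions` block replaces the workflow-level one rather than extending it, so once the key is correct both the snyk and codeql jobs will have `contents` set to none; if their checkout steps need it, add `contents: read` alongside `security-events: write` in each job. The snyk and codeql step lists continue outside the hunk.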

@ -7,8 +7,14 @@ on:
push:
branches: [main]
permissions:
contents: read
jobs:
update-components:
permissions:
contents: write
pull-requests: write
runs-on: ubuntu-latest
steps:
- name: Check out code
