Mirrors/flux2
1
0
Fork 0
mirror of synced 2026-02-07 11:15:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adjusted workflow permissions

Browse Source 
Signed-off-by: Eddie Knight <knight@linux.com>
This commit is contained in:
Eddie Knight
2022-10-20 11:04:49 -05:00
parent 9f41efb6f7
commit 939a75115c
8 changed files with 25 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/bootstrap.yaml vendored
View File

@@ -6,6 +6,9 @@ on:
pull_request: pull_request:
branches: [ main ] branches: [ main ]
permissions:
contents: read
jobs: jobs:
github: github:
runs-on: ubuntu-latest runs-on: ubuntu-latest

3
.github/workflows/e2e-arm64.yaml vendored
View File

@@ -5,6 +5,9 @@ on:
push: push:
branches: [ main, update-components ] branches: [ main, update-components ]
permissions:
contents: read
jobs: jobs:
test: test:
# Hosted on Equinix # Hosted on Equinix

3
.github/workflows/e2e-azure.yaml vendored
View File

@@ -7,6 +7,9 @@ on:
push: push:
branches: [ azure* ] branches: [ azure* ]
permissions:
contents: read
jobs: jobs:
e2e: e2e:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04

3
.github/workflows/e2e.yaml vendored
View File

@@ -6,6 +6,9 @@ on:
pull_request: pull_request:
branches: [ main, oci ] branches: [ main, oci ]
permissions:
contents: read
jobs: jobs:
kind: kind:
runs-on: ubuntu-latest runs-on: ubuntu-latest

6
.github/workflows/release-manifests.yml vendored
View File

@@ -5,10 +5,12 @@ on:
workflow_dispatch: workflow_dispatch:
permissions: permissions:
id-token: write # needed for keyless signing contents: read
packages: write # needed for ghcr access
jobs: jobs:
permissions:
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
build-push: build-push:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:

4
.github/workflows/release.yaml vendored
View File

@@ -11,6 +11,10 @@ permissions:
jobs: jobs:
goreleaser: goreleaser:
permissions: # TODO: Segment these jobs to minimize which actions are recieving escalated perms
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for ghcr access
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout

3
.github/workflows/scan.yaml vendored
View File

@@ -10,7 +10,6 @@ on:
permissions: permissions:
contents: read # for actions/checkout to fetch code contents: read # for actions/checkout to fetch code
security-events: write # for codeQL to write security events
jobs: jobs:
fossa: fossa:
@@ -50,6 +49,8 @@ jobs:
sarif_file: snyk.sarif sarif_file: snyk.sarif
codeql: codeql:
permissions:
security-events: write # for codeQL to write security events
name: CodeQL name: CodeQL
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: github.actor != 'dependabot[bot]' if: github.actor != 'dependabot[bot]'

3
.github/workflows/update.yaml vendored
View File

@@ -7,6 +7,9 @@ on:
push: push:
branches: [main] branches: [main]
permissions:
contents: read
jobs: jobs:
update-components: update-components:
runs-on: ubuntu-latest runs-on: ubuntu-latest