mirror of
https://github.com/fluxcd/flux2.git
synced 2026-02-08 00:37:27 +00:00
Merge pull request #3231 from eddie-knight/fix/workflow-permissions
Adjusted workflow permissions
This commit is contained in:
Stefan Prodan
GitHub
commit
138cba6e57
8 changed files with 30 additions and 3 deletions
3
.github/workflows/bootstrap.yaml
vendored
3
.github/workflows/bootstrap.yaml
vendored
|
|
@ -6,6 +6,9 @@ on:
|
|||
pull_request:
|
||||
branches: [ main ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
github:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
|||
3
.github/workflows/e2e-arm64.yaml
vendored
3
.github/workflows/e2e-arm64.yaml
vendored
|
|
@ -5,6 +5,9 @@ on:
|
|||
push:
|
||||
branches: [ main, update-components ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
test:
|
||||
# Hosted on Equinix
|
||||
|
|
|
|||
3
.github/workflows/e2e-azure.yaml
vendored
3
.github/workflows/e2e-azure.yaml
vendored
|
|
@ -7,6 +7,9 @@ on:
|
|||
push:
|
||||
branches: [ azure* ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
e2e:
|
||||
runs-on: ubuntu-22.04
|
||||
|
|
|
|||
3
.github/workflows/e2e.yaml
vendored
3
.github/workflows/e2e.yaml
vendored
|
|
@ -6,6 +6,9 @@ on:
|
|||
pull_request:
|
||||
branches: [ main, oci ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
kind:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
|||
6
.github/workflows/release-manifests.yml
vendored
6
.github/workflows/release-manifests.yml
vendored
|
|
@ -5,10 +5,12 @@ on:
|
|||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
id-token: write # needed for keyless signing
|
||||
packages: write # needed for ghcr access
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
permissions:
|
||||
id-token: write # needed for keyless signing
|
||||
packages: write # needed for ghcr access
|
||||
build-push:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
|
|
|||
4
.github/workflows/release.yaml
vendored
4
.github/workflows/release.yaml
vendored
|
|
@ -11,6 +11,10 @@ permissions:
|
|||
|
||||
jobs:
|
||||
goreleaser:
|
||||
permissions: # TODO: Segment these jobs to minimize which actions are recieving escalated perms
|
||||
contents: write # needed to write releases
|
||||
id-token: write # needed for keyless signing
|
||||
packages: write # needed for ghcr access
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
|
|
|
|||
5
.github/workflows/scan.yaml
vendored
5
.github/workflows/scan.yaml
vendored
|
|
@ -10,7 +10,6 @@ on:
|
|||
|
||||
permissions:
|
||||
contents: read # for actions/checkout to fetch code
|
||||
security-events: write # for codeQL to write security events
|
||||
|
||||
jobs:
|
||||
fossa:
|
||||
|
|
@ -28,6 +27,8 @@ jobs:
|
|||
|
||||
snyk:
|
||||
name: Snyk
|
||||
permisions:
|
||||
security-events: write
|
||||
runs-on: ubuntu-latest
|
||||
if: (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) && github.actor != 'dependabot[bot]'
|
||||
steps:
|
||||
|
|
@ -50,6 +51,8 @@ jobs:
|
|||
sarif_file: snyk.sarif
|
||||
|
||||
codeql:
|
||||
permissions:
|
||||
security-events: write # for codeQL to write security events
|
||||
name: CodeQL
|
||||
runs-on: ubuntu-latest
|
||||
if: github.actor != 'dependabot[bot]'
|
||||
|
|
|
|||
6
.github/workflows/update.yaml
vendored
6
.github/workflows/update.yaml
vendored
|
|
@ -7,8 +7,14 @@ on:
|
|||
push:
|
||||
branches: [main]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
update-components:
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Check out code
|
||||
|
|
|
|||
Loading…
Reference in a new issue