From a26cc4290ee075149971ead6a85f99f6694af796 Mon Sep 17 00:00:00 2001
From: Trask Stalnaker
Date: Fri, 31 Jan 2025 16:18:54 -0800
Subject: [PATCH] More github actions permissions work

---
 .github/workflows/auto-update-otel-sdk.yml | 5 ++++-
 .github/workflows/backport.yml | 2 +-
 .github/workflows/build-daily-no-build-cache.yml | 1 +
 .github/workflows/build-daily.yml | 1 +
 .github/workflows/codeql-daily.yml | 2 ++
 .github/workflows/issue-management-feedback-label.yml | 6 ++++++
 .github/workflows/issue-management-stale-action.yml | 1 +
 .github/workflows/label.yml | 2 --
 .github/workflows/native-tests-daily.yml | 1 +
 .github/workflows/overhead-benchmark-daily.yml | 3 ++-
 .github/workflows/owasp-dependency-check-daily.yml | 2 +-
 .github/workflows/prepare-patch-release.yml | 2 +-
 .github/workflows/prepare-release-branch.yml | 4 ++--
 .github/workflows/publish-petclinic-benchmark-image.yml | 1 +
 .../workflows/publish-smoke-test-early-jdk8-images.yml | 1 +
 .../workflows/publish-smoke-test-fake-backend-images.yml | 1 +
 .github/workflows/publish-smoke-test-grpc-images.yml | 1 +
 .github/workflows/publish-smoke-test-play-images.yml | 1 +
 .github/workflows/publish-smoke-test-quarkus-images.yml | 1 +
 .../publish-smoke-test-security-manager-images.yml | 1 +
 .github/workflows/publish-smoke-test-servlet-images.yml | 1 +
 .../workflows/publish-smoke-test-spring-boot-images.yml | 1 +
 .github/workflows/release-update-cloudfoundry-index.yml | 6 +++---
 .github/workflows/release.yml | 7 +++++++
 .github/workflows/reusable-native-tests.yml | 3 +++
 .github/workflows/reusable-workflow-notification.yml | 5 ++++-
 .github/workflows/scorecard.yml | 8 +++-----
 27 files changed, 52 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/auto-update-otel-sdk.yml b/.github/workflows/auto-update-otel-sdk.yml
index f54e198bd29f..a18775828c25 100644
--- a/.github/workflows/auto-update-otel-sdk.yml
+++ b/.github/workflows/auto-update-otel-sdk.yml
@@ -6,6 +6,9 @@ on:
     - cron: "46 * * * *"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check-versions:
     runs-on: ubuntu-latest
@@ -44,7 +47,7 @@ jobs:
 
   update-otel-sdk:
     permissions:
-      contents: write # for Git to git push
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     if: |
       needs.check-versions.outputs.current-version != needs.check-versions.outputs.latest-version &&
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index e1828cf17020..d796fc9a6638 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -12,7 +12,7 @@ permissions:
 jobs:
   backport:
     permissions:
-      contents: write # for Git to git push
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - run: |
diff --git a/.github/workflows/build-daily-no-build-cache.yml b/.github/workflows/build-daily-no-build-cache.yml
index 2c59b7e0afb8..226f2e6c9d93 100644
--- a/.github/workflows/build-daily-no-build-cache.yml
+++ b/.github/workflows/build-daily-no-build-cache.yml
@@ -33,6 +33,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - common
diff --git a/.github/workflows/build-daily.yml b/.github/workflows/build-daily.yml
index fb016a10ee31..2225360f6524 100644
--- a/.github/workflows/build-daily.yml
+++ b/.github/workflows/build-daily.yml
@@ -36,6 +36,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - common
diff --git a/.github/workflows/codeql-daily.yml b/.github/workflows/codeql-daily.yml
index e708d8e1f1c8..29ab4ffaf318 100644
--- a/.github/workflows/codeql-daily.yml
+++ b/.github/workflows/codeql-daily.yml
@@ -12,6 +12,7 @@ permissions:
 jobs:
   analyze:
     permissions:
+      contents: read
       actions: read # for github/codeql-action/init to get workflow details
       security-events: write # for github/codeql-action/analyze to upload SARIF results
     runs-on: ubuntu-latest
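Review bot: The `contents: read` line added to the `analyze` job in codeql-daily.yml is the only scope in that block without a reason comment, while `actions: read` and `security-events: write` right below it each name the action that needs them; the same applies to the line added to the `stale` job in issue-management-stale-action.yml and to the `analysis` job in scorecard.yml. Since the repo's convention is to justify each granted scope inline, suggest `contents: read # for actions/checkout` where the job checks the repository out (the checkout steps are outside these hunks, so confirm that is the consumer), so a later reviewer can tell whether the grant is still needed.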
@@ -48,6 +49,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - analyze
diff --git a/.github/workflows/issue-management-feedback-label.yml b/.github/workflows/issue-management-feedback-label.yml
index 00d849d2f1ee..35fa82926aa4 100644
--- a/.github/workflows/issue-management-feedback-label.yml
+++ b/.github/workflows/issue-management-feedback-label.yml
@@ -4,8 +4,14 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+
 jobs:
   issue_comment:
+    permissions:
+      contents: read
+      issues: write
     if: >
       contains(github.event.issue.labels.*.name, 'needs author feedback') &&
       github.event.comment.user.login == github.event.issue.user.login
diff --git a/.github/workflows/issue-management-stale-action.yml b/.github/workflows/issue-management-stale-action.yml
index a31271df933f..483df9b15a76 100644
--- a/.github/workflows/issue-management-stale-action.yml
+++ b/.github/workflows/issue-management-stale-action.yml
@@ -11,6 +11,7 @@ permissions:
 jobs:
   stale:
     permissions:
+      contents: read
       issues: write # for actions/stale to close stale issues
       pull-requests: write # for actions/stale to close stale PRs
     runs-on: ubuntu-latest
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
index aa86b6dd692d..8f64d9b34d98 100644
--- a/.github/workflows/label.yml
+++ b/.github/workflows/label.yml
@@ -6,12 +6,10 @@ permissions:
 
 jobs:
   label:
-
     runs-on: ubuntu-latest
     permissions:
       contents: read
       pull-requests: write
-
     steps:
       - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
diff --git a/.github/workflows/native-tests-daily.yml b/.github/workflows/native-tests-daily.yml
index cc1a8e799784..8b71c862cbeb 100644
--- a/.github/workflows/native-tests-daily.yml
+++ b/.github/workflows/native-tests-daily.yml
@@ -17,6 +17,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - graalvm-native-tests
diff --git a/.github/workflows/overhead-benchmark-daily.yml b/.github/workflows/overhead-benchmark-daily.yml
index 25fc0c034cf5..ad962a3b0e3e 100644
--- a/.github/workflows/overhead-benchmark-daily.yml
+++ b/.github/workflows/overhead-benchmark-daily.yml
@@ -11,7 +11,7 @@ permissions:
 jobs:
   run-overhead-tests:
     permissions:
-      contents: write # for writing to the gh-pages branch
+      contents: write # for git push to gh-pages branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -56,6 +56,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - run-overhead-tests
diff --git a/.github/workflows/owasp-dependency-check-daily.yml b/.github/workflows/owasp-dependency-check-daily.yml
index a4d298aba553..45b81e8bf290 100644
--- a/.github/workflows/owasp-dependency-check-daily.yml
+++ b/.github/workflows/owasp-dependency-check-daily.yml
@@ -14,7 +14,6 @@ permissions:
 jobs:
   analyze:
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -45,6 +44,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - analyze
diff --git a/.github/workflows/prepare-patch-release.yml b/.github/workflows/prepare-patch-release.yml
index be31bb50b1af..277618de28fd 100644
--- a/.github/workflows/prepare-patch-release.yml
+++ b/.github/workflows/prepare-patch-release.yml
@@ -8,7 +8,7 @@ permissions:
 jobs:
   prepare-patch-release:
     permissions:
-      contents: write # for Git to git push
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/prepare-release-branch.yml b/.github/workflows/prepare-release-branch.yml
index 18e9b527d529..59183e754624 100644
--- a/.github/workflows/prepare-release-branch.yml
+++ b/.github/workflows/prepare-release-branch.yml
@@ -25,7 +25,7 @@ jobs:
 
   create-pull-request-against-release-branch:
     permissions:
-      contents: write # for Git to git push
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs
@@ -80,7 +80,7 @@ jobs:
 
   create-pull-request-against-main:
     permissions:
-      contents: write # for Git to git push
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - prereqs
diff --git a/.github/workflows/publish-petclinic-benchmark-image.yml b/.github/workflows/publish-petclinic-benchmark-image.yml
index 89fb6c2a6f27..7e6ff02be20e 100644
--- a/.github/workflows/publish-petclinic-benchmark-image.yml
+++ b/.github/workflows/publish-petclinic-benchmark-image.yml
@@ -40,6 +40,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish
diff --git a/.github/workflows/publish-smoke-test-early-jdk8-images.yml b/.github/workflows/publish-smoke-test-early-jdk8-images.yml
index 14f324d8799b..8c81cfa93cea 100644
--- a/.github/workflows/publish-smoke-test-early-jdk8-images.yml
+++ b/.github/workflows/publish-smoke-test-early-jdk8-images.yml
@@ -48,6 +48,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish
diff --git a/.github/workflows/publish-smoke-test-fake-backend-images.yml b/.github/workflows/publish-smoke-test-fake-backend-images.yml
index 7da47009d3bd..f171bdabc425 100644
--- a/.github/workflows/publish-smoke-test-fake-backend-images.yml
+++ b/.github/workflows/publish-smoke-test-fake-backend-images.yml
@@ -84,6 +84,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publishLinux
diff --git a/.github/workflows/publish-smoke-test-grpc-images.yml b/.github/workflows/publish-smoke-test-grpc-images.yml
index ce21d6f484db..2e0d4932e252 100644
--- a/.github/workflows/publish-smoke-test-grpc-images.yml
+++ b/.github/workflows/publish-smoke-test-grpc-images.yml
@@ -23,6 +23,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish
diff --git a/.github/workflows/publish-smoke-test-play-images.yml b/.github/workflows/publish-smoke-test-play-images.yml
index b7827ce18d2c..3193dfbed86b 100644
--- a/.github/workflows/publish-smoke-test-play-images.yml
+++ b/.github/workflows/publish-smoke-test-play-images.yml
@@ -23,6 +23,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish
diff --git a/.github/workflows/publish-smoke-test-quarkus-images.yml b/.github/workflows/publish-smoke-test-quarkus-images.yml
index a2ebdb363be2..d45f2a28d3dc 100644
--- a/.github/workflows/publish-smoke-test-quarkus-images.yml
+++ b/.github/workflows/publish-smoke-test-quarkus-images.yml
@@ -26,6 +26,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish
diff --git a/.github/workflows/publish-smoke-test-security-manager-images.yml b/.github/workflows/publish-smoke-test-security-manager-images.yml
index 75cd5766ba1a..1eef358bf81c 100644
--- a/.github/workflows/publish-smoke-test-security-manager-images.yml
+++ b/.github/workflows/publish-smoke-test-security-manager-images.yml
@@ -23,6 +23,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish
diff --git a/.github/workflows/publish-smoke-test-servlet-images.yml b/.github/workflows/publish-smoke-test-servlet-images.yml
index bd4ecc5c80c6..d92a2508fff9 100644
--- a/.github/workflows/publish-smoke-test-servlet-images.yml
+++ b/.github/workflows/publish-smoke-test-servlet-images.yml
@@ -88,6 +88,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish
diff --git a/.github/workflows/publish-smoke-test-spring-boot-images.yml b/.github/workflows/publish-smoke-test-spring-boot-images.yml
index 16644429f210..b46e10f6a30f 100644
--- a/.github/workflows/publish-smoke-test-spring-boot-images.yml
+++ b/.github/workflows/publish-smoke-test-spring-boot-images.yml
@@ -23,6 +23,7 @@ jobs:
 
   workflow-notification:
     permissions:
+      contents: read
       issues: write
     needs:
       - publish
diff --git a/.github/workflows/release-update-cloudfoundry-index.yml b/.github/workflows/release-update-cloudfoundry-index.yml
index f3c108f0f693..31863bc6215d 100644
--- a/.github/workflows/release-update-cloudfoundry-index.yml
+++ b/.github/workflows/release-update-cloudfoundry-index.yml
@@ -9,12 +9,12 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
-
   update-cloudfoundry-index-yml:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1b7b940be7d3..fbd39073e688 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,6 +2,9 @@ name: Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   required-jobs:
     uses: ./.github/workflows/build-common.yml
@@ -16,6 +19,8 @@ jobs:
   # and this is not a reason to hold up the release
 
   release:
+    permissions:
+      contents: write # for creating the release
     runs-on: ubuntu-latest
     needs:
       - required-jobs
@@ -181,6 +186,8 @@ jobs:
           echo "prior-version=$PRIOR_VERSION" >> $GITHUB_OUTPUT
 
   merge-change-log-to-main:
+    permissions:
+      contents: write # for git push to PR branch
     runs-on: ubuntu-latest
     needs:
       - release
diff --git a/.github/workflows/reusable-native-tests.yml b/.github/workflows/reusable-native-tests.yml
index 24f6f0fd0109..b72256ee0ed5 100644
--- a/.github/workflows/reusable-native-tests.yml
+++ b/.github/workflows/reusable-native-tests.yml
@@ -10,6 +10,9 @@ on:
         type: boolean
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   graalvm-native-tests:
     if: "!inputs.skip-native-tests"
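Review bot: `pull-requests: write` is dropped from release-update-cloudfoundry-index.yml without a replacement: the workflow-level block shrinks to `contents: read`, the new job-level block grants only `contents: write`, and a job-level `permissions:` block sets every scope it does not list to none. The `# for git push to PR branch` comment implies the job goes on to open a pull request; if that step authenticates with `GITHUB_TOKEN` rather than an app or PAT token it will now be refused (the steps after the checkout are outside the hunk, so this is inferred from the comment). The same question applies to the new `merge-change-log-to-main` block in release.yml, and the `release` job's new block should list any other scope its steps use (also outside the hunk), since none of the default grants survive once the block exists. If `GITHUB_TOKEN` is the token in play, add `pull-requests: write # for opening the PR` beside the contents grant; otherwise say in the comment which token the PR step uses so the narrowing is clearly intentional.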
diff --git a/.github/workflows/reusable-workflow-notification.yml b/.github/workflows/reusable-workflow-notification.yml
index 09fee682bcbc..701f90f5a084 100644
--- a/.github/workflows/reusable-workflow-notification.yml
+++ b/.github/workflows/reusable-workflow-notification.yml
@@ -10,10 +10,13 @@ on:
         required: true
 
 permissions:
-  issues: write
+  contents: read
 
 jobs:
   workflow-notification:
+    permissions:
+      contents: read
+      issues: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 82aaf294bef6..9330b1276b58 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -11,21 +11,19 @@ on:
   push:
     branches: [ "main" ]
 
-# Declare default permissions as read only.
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       # Needed to upload the results to code-scanning dashboard.
       security-events: write
       # Needed to publish results and get a badge (see publish_results below).
       id-token: write
-      # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
 
     steps:
       - name: "Checkout code"
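Review bot: The job-level block added to reusable-workflow-notification.yml now asks for `contents: read` in addition to `issues: write`, and a called workflow's job can only use scopes that the caller's job also grants, so every caller's `workflow-notification` job has to grant both. The callers touched in this commit (build-daily.yml, codeql-daily.yml, native-tests-daily.yml, the publish-* workflows and the others) do receive the matching `contents: read`, but any caller not in this diff that still grants only `issues: write` will have this job fail when it starts, presumably at the checkout step that follows. Worth recording the coupling next to the new block so callers are not narrowed independently later: `permissions: # callers must grant these same scopes to their workflow-notification job`.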