Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add permissions to all GitHub actions #2143

Merged
merged 1 commit into from
Sep 16, 2024
+32 −0
Merged

Add permissions to all GitHub actions #2143

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .github/workflows/generate-code-coverage.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,11 @@

name: Generate Code Coverage
on: [pull_request]

permissions:
contents: read
# upload-artifact does not need write permissions as it relies on an undocumented token
# https://github.com/actions/upload-artifact/issues/197#issuecomment-832279436

jobs:
cover-base:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/govulncheck.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ on:
pull_request:
branches:
- 'release-*'

permissions:
contents: read

jobs:
govulncheck:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/helm-chart-release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ on:
paths:
- "charts/**/Chart.yaml"

permissions:
contents: write # Create new release to host chart artifacts
pages: write # Publish chart to pages

jobs:
release:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/output-code-coverage.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ on:
workflow_run:
workflows: [Generate Code Coverage]
types: [completed]

permissions:
contents: read
pull-requests: write # Create/update comment on PRs

jobs:
output-code-coverage:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@ on:
# Sequence of patterns matched against refs/tags
tags:
- "v*" # Push events to matching v*, i.e. v1.0, v20.15.10

permissions:
contents: write # Create releases

jobs:
build:
name: Release
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/trivy-containers.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,10 @@ on:
schedule:
- cron: '0 */24 * * *'

permissions:
contents: read
security-events: write # Update findings in security tab

jobs:
build-matrix:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/trivy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@ on:
branches:
- master
pull_request:

permissions:
contents: read
security-events: write # Update findings in security tab

jobs:
build:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/unit-tests.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@ on:
branches:
- master
pull_request:

permissions:
contents: read

jobs:
buildx:
Expand Down
Loading