github/falco
1
0
Fork 0
mirror of https://github.com/falcosecurity/falco.git synced 2025-06-29 08:07:24 +00:00
Code Issues Projects Releases Wiki Activity

fixed the token-permission and pinned-dependencies issue

Browse Source 
Signed-off-by: harshitasao <harshitasao@gmail.com>
This commit is contained in:
harshitasao 2024-08-18 01:27:46 +05:30 committed by poiana
parent 4053c6e1cc
commit 9f180b989a
13 changed files with 41 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/ci.yml vendored
View File

@ -12,6 +12,9 @@ concurrency:
group: ${{ github.head_ref || github.run_id }} group: ${{ github.head_ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
fetch-version: fetch-version:
uses: ./.github/workflows/reusable_fetch_version.yaml uses: ./.github/workflows/reusable_fetch_version.yaml

3
.github/workflows/codeql.yaml vendored
View File

@ -18,6 +18,9 @@ on:
# The branches below must be a subset of the branches above # The branches below must be a subset of the branches above
branches: [ "master" ] branches: [ "master" ]
permissions:
contents: read
jobs: jobs:
analyze: analyze:
name: Analyze name: Analyze

3
.github/workflows/codespell.yml vendored
View File

@ -1,6 +1,9 @@
name: Codespell name: Codespell
on: on:
pull_request: pull_request:
permissions:
contents: read
jobs: jobs:
codespell: codespell:
runs-on: ubuntu-latest runs-on: ubuntu-latest

3
.github/workflows/engine-version-weakcheck.yaml vendored
View File

@ -9,6 +9,9 @@ on:
- 'userspace/engine/*.cpp' - 'userspace/engine/*.cpp'
- 'userspace/engine/*.h' - 'userspace/engine/*.h'
permissions:
contents: read
jobs: jobs:
paths-filter: paths-filter:
runs-on: ubuntu-latest runs-on: ubuntu-latest

3
.github/workflows/insecure-api.yaml vendored
View File

@ -6,6 +6,9 @@ on:
- 'release/**' - 'release/**'
- 'maintainers/**' - 'maintainers/**'
permissions:
contents: read
jobs: jobs:
insecure-api: insecure-api:
name: check-insecure-api name: check-insecure-api

3
.github/workflows/master.yaml vendored
View File

@ -8,6 +8,9 @@ concurrency:
group: ci-master group: ci-master
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
fetch-version: fetch-version:
uses: ./.github/workflows/reusable_fetch_version.yaml uses: ./.github/workflows/reusable_fetch_version.yaml

5
.github/workflows/release.yaml vendored
View File

@ -8,6 +8,9 @@ concurrency:
group: ci-release group: ci-release
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
release-settings: release-settings:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -16,7 +19,7 @@ jobs:
bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }} bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
steps: steps:
- name: Get latest release - name: Get latest release
uses: rez0n/actions-github-release@v2.0 uses: rez0n/actions-github-release@27a57820ee808f8fd940c8a9d1f7188f854aa2b5 # v2.0
id: latest_release id: latest_release
env: env:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}

3
.github/workflows/reusable_build_dev.yaml vendored
View File

@ -33,6 +33,9 @@ on:
default: '' default: ''
type: string type: string
permissions:
contents: read
jobs: jobs:
build-and-test: build-and-test:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936 # See https://github.com/actions/runner/issues/409#issuecomment-1158849936

3
.github/workflows/reusable_build_docker.yaml vendored
View File

@ -24,6 +24,9 @@ on:
# then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow. # then we upload all the tarballs to be later downloaded by reusable_publish_docker workflow.
# In this way, we don't need to publish any arch specific image, # In this way, we don't need to publish any arch specific image,
# and this "build" workflow is actually only building images. # and this "build" workflow is actually only building images.
permissions:
contents: read
jobs: jobs:
build-docker: build-docker:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936 # See https://github.com/actions/runner/issues/409#issuecomment-1158849936

3
.github/workflows/reusable_build_packages.yaml vendored
View File

@ -21,6 +21,9 @@ on:
type: boolean type: boolean
default: false default: false
permissions:
contents: read
jobs: jobs:
build-modern-bpf-skeleton: build-modern-bpf-skeleton:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936 # See https://github.com/actions/runner/issues/409#issuecomment-1158849936

3
.github/workflows/reusable_fetch_version.yaml vendored
View File

@ -6,6 +6,9 @@ on:
description: "Falco version" description: "Falco version"
value: ${{ jobs.fetch-version.outputs.version }} value: ${{ jobs.fetch-version.outputs.version }}
permissions:
contents: read
jobs: jobs:
# We need to use an ubuntu-latest to fetch Falco version because # We need to use an ubuntu-latest to fetch Falco version because
# Falco version is computed by some cmake scripts that do git sorceries # Falco version is computed by some cmake scripts that do git sorceries

5
.github/workflows/reusable_test_packages.yaml vendored
View File

@ -21,6 +21,9 @@ on:
default: false default: false
type: boolean type: boolean
permissions:
contents: read
jobs: jobs:
test-packages: test-packages:
# See https://github.com/actions/runner/issues/409#issuecomment-1158849936 # See https://github.com/actions/runner/issues/409#issuecomment-1158849936
@ -54,7 +57,7 @@ jobs:
- name: Run tests - name: Run tests
env: env:
LSAN_OPTIONS: "intercept_tls_get_addr=0" LSAN_OPTIONS: "intercept_tls_get_addr=0"
uses: falcosecurity/testing@main uses: falcosecurity/testing@32e319ae505fb330ae74db4502e605a5e517ff22 # main
with: with:
test-falco: 'true' test-falco: 'true'
test-falcoctl: 'true' test-falcoctl: 'true'

3
.github/workflows/staticanalysis.yaml vendored
View File

@ -1,6 +1,9 @@
name: StaticAnalysis name: StaticAnalysis
on: on:
pull_request: pull_request:
permissions:
contents: read
jobs: jobs:
staticanalysis: staticanalysis:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04