diff --git a/.github/workflows/PR-wip-checks.yaml b/.github/workflows/PR-wip-checks.yaml
index 7a5f5769f0..4f277d7688 100644
--- a/.github/workflows/PR-wip-checks.yaml
+++ b/.github/workflows/PR-wip-checks.yaml
@@ -9,6 +9,9 @@ on: - labeled - unlabeled +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index 2b613d6247..ec3d85fc93 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -11,6 +11,9 @@ on: paths: - '.github/workflows/**' +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/basic-ci-amd64.yaml b/.github/workflows/basic-ci-amd64.yaml
index 9d155f5043..71378d76f0 100644
--- a/.github/workflows/basic-ci-amd64.yaml
+++ b/.github/workflows/basic-ci-amd64.yaml
@@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-cri-containerd: strategy:
diff --git a/.github/workflows/basic-ci-s390x.yaml b/.github/workflows/basic-ci-s390x.yaml
index ad283db6e1..2ea606bafb 100644
--- a/.github/workflows/basic-ci-s390x.yaml
+++ b/.github/workflows/basic-ci-s390x.yaml
@@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-cri-containerd: strategy:
diff --git a/.github/workflows/build-checks-preview-riscv64.yaml b/.github/workflows/build-checks-preview-riscv64.yaml
index 7f3112f834..b5992bf568 100644
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@@ -12,6 +12,9 @@ on: required: true type: string +permissions: + contents: read + name: Build checks preview riscv64 jobs: check:
diff --git a/.github/workflows/build-checks.yaml b/.github/workflows/build-checks.yaml
index c5aac1dae2..79b9cf580c 100644
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -5,6 +5,9 @@ on: required: true type: string +permissions: + contents: read + name: Build checks jobs: check:
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index 790baa7ba9..30891d22d4 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: ubuntu-22.04
diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml
index c424b9ac8d..67faeed612 100644
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: ubuntu-22.04-arm
diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
index 1ff5dad29f..cb14c54abf 100644
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: permissions:
diff --git a/.github/workflows/build-kata-static-tarball-riscv64.yaml b/.github/workflows/build-kata-static-tarball-riscv64.yaml
index e09b247b64..db858f31ab 100644
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: riscv-builder
diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml
index 5c851a1768..7bee8105d7 100644
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: s390x
diff --git a/.github/workflows/cargo-deny-runner.yaml b/.github/workflows/cargo-deny-runner.yaml
index f0b1a6e361..3969ec243b 100644
--- a/.github/workflows/cargo-deny-runner.yaml
+++ b/.github/workflows/cargo-deny-runner.yaml
@@ -11,6 +11,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: cargo-deny-runner: runs-on: ubuntu-22.04
diff --git a/.github/workflows/ci-coco-stability.yaml b/.github/workflows/ci-coco-stability.yaml
index ea3cee2e4a..e16db3850b 100644
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@@ -8,6 +8,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: kata-containers-ci-on-push: permissions:
diff --git a/.github/workflows/ci-devel.yaml b/.github/workflows/ci-devel.yaml
index 951315ec4d..0f6a62788e 100644
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -2,6 +2,9 @@ name: Kata Containers CI (manually triggered) on: workflow_dispatch: +permissions: + contents: read + jobs: kata-containers-ci-on-push: permissions:
diff --git a/.github/workflows/ci-nightly-s390x.yaml b/.github/workflows/ci-nightly-s390x.yaml
index 46acc3e414..ddf0434eab 100644
--- a/.github/workflows/ci-nightly-s390x.yaml
+++ b/.github/workflows/ci-nightly-s390x.yaml
@@ -3,6 +3,10 @@ on: - cron: '0 5 * * *' name: Nightly CI for s390x + +permissions: + contents: read + jobs: check-internal-test-result: runs-on: s390x
diff --git a/.github/workflows/ci-nightly.yaml b/.github/workflows/ci-nightly.yaml
index 972bdf40ae..76a115becd 100644
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -7,6 +7,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: kata-containers-ci-on-push: permissions:
diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml
index 5bce8ccc04..82224455fe 100644
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -14,6 +14,9 @@ on: - reopened - labeled +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml
index ba7615318c..24d8361535 100644
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -16,6 +16,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-kata-static-tarball-amd64: uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f32c712997..4e4d733041 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -20,6 +20,9 @@ on: type: string default: no +permissions: + contents: read + jobs: build-kata-static-tarball-amd64: uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
diff --git a/.github/workflows/cleanup-resources.yaml b/.github/workflows/cleanup-resources.yaml
index d327ad55d6..27f42311a4 100644
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
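Review bot: In ci-weekly.yaml and ci.yaml the `build-kata-static-tarball-amd64` job is a `uses:` job, and with the new top-level block any caller job that declares no `permissions:` of its own now hands the reusable workflow a token limited to `contents: read`; a called workflow can narrow that grant but never widen it, so a job-level grant inside the callee (build-kata-static-tarball-ppc64le.yaml's `build-asset` has one earlier in this diff) is silently capped to read. Whether these `uses:` jobs carry their own `permissions:` is outside the hunk, so this may already be handled; ci-nightly.yaml, ci-devel.yaml and ci-coco-stability.yaml show `kata-containers-ci-on-push: permissions:` and are covered. The same check applies to the `uses:` jobs in release-amd64.yaml, release-arm64.yaml, release-ppc64le.yaml and release-s390x.yaml later in the diff. Where a callee needs a write scope, forward it on the caller job with a job-level `permissions:` map listing exactly the scopes the callee's jobs request, rather than widening the top-level block.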
@@ -4,6 +4,9 @@ on: - cron: "0 0 * * *" workflow_dispatch: +permissions: + contents: read + jobs: cleanup-resources: runs-on: ubuntu-22.04
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index eb9802c78b..a120cb7d9e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,6 +19,9 @@ on: schedule: - cron: '45 0 * * 1' +permissions: + contents: read + jobs: analyze: name: Analyze (${{ matrix.language }})
diff --git a/.github/workflows/commit-message-check.yaml b/.github/workflows/commit-message-check.yaml
index 347434d990..dfee61a9b6 100644
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/darwin-tests.yaml b/.github/workflows/darwin-tests.yaml
index c8fa1f4b01..7e96d6baa3 100644
--- a/.github/workflows/darwin-tests.yaml
+++ b/.github/workflows/darwin-tests.yaml
@@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/docs-url-alive-check.yaml b/.github/workflows/docs-url-alive-check.yaml
index c91308bf14..14eaa80e9b 100644
--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@@ -2,6 +2,9 @@ on: schedule: - cron: '0 23 * * 0' +permissions: + contents: read + name: Docs URL Alive Check jobs: test:
diff --git a/.github/workflows/gatekeeper-skipper.yaml b/.github/workflows/gatekeeper-skipper.yaml
index 188bc9be1c..a85207f57d 100644
--- a/.github/workflows/gatekeeper-skipper.yaml
+++ b/.github/workflows/gatekeeper-skipper.yaml
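Review bot: codeql.yml's `analyze` job needs `security-events: write` for the CodeQL analyze step to upload results (plus `actions: read` on private repositories), and a top-level `permissions:` block sets every unlisted scope to none for any job that has no `permissions:` of its own; the hunk shows only `name:` after `analyze:`, so if no job-level grant exists further down the upload would fail with a permission error. The same check applies to stale.yaml (actions/stale needs `issues: write` and `pull-requests: write`), release.yaml (publishing release assets needs `contents: write`) and publish-kata-deploy-payload.yaml (pushing to ghcr with GITHUB_TOKEN needs `packages: write`), whose hunks show `runs-on:` immediately after the job id and nothing more. Where a job genuinely needs a write scope, keep the top-level `contents: read` and grant it at the job, e.g. for codeql `permissions:` / `  contents: read` / `  security-events: write`.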
@@ -31,6 +31,8 @@ on: skip_static: value: ${{ jobs.skipper.outputs.skip_static }} +permissions: + contents: read jobs: skipper:
diff --git a/.github/workflows/gatekeeper.yaml b/.github/workflows/gatekeeper.yaml
index c5c79c23c4..687e813063 100644
--- a/.github/workflows/gatekeeper.yaml
+++ b/.github/workflows/gatekeeper.yaml
@@ -12,6 +12,9 @@ on: - reopened - labeled +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/kata-runtime-classes-sync.yaml b/.github/workflows/kata-runtime-classes-sync.yaml
index 80837b49d9..aa7ea7fd77 100644
--- a/.github/workflows/kata-runtime-classes-sync.yaml
+++ b/.github/workflows/kata-runtime-classes-sync.yaml
@@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml
index 9fb4ddedf0..1f455284d5 100644
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -5,6 +5,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml
index 133bab2d5e..37eba1bf2f 100644
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -31,6 +31,9 @@ on: required: true type: string +permissions: + contents: read + jobs: kata-payload: runs-on: ${{ inputs.runner }}
diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml
index 2c8c741764..40f8c2e58f 100644
--- a/.github/workflows/release-amd64.yaml
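Review bot: gatekeeper-skipper.yaml's hunk count `+31,8` shows only two added lines, so unlike every other file in this series the new block is not separated from its neighbouring `on:`/`jobs:` stanza by a blank line on at least one side; adding the blank keeps the block consistent with the rest and with the one-blank-line-between-stanzas convention. Placement also varies across the series: run-cri-containerd-tests-ppc64le.yaml (later in this diff) inserts the block between `name:` and `on:`, build-checks.yaml, build-checks-preview-riscv64.yaml and docs-url-alive-check.yaml put it before `name:`, and the remaining files put it after `on:`. Picking one spot (after `on:`, before `concurrency:`/`jobs:`) makes a later grep-based audit of the permissions blocks uniform.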
+++ b/.github/workflows/release-amd64.yaml
@@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-amd64: uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml
index 40e623ffb4..4a98dd6829 100644
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-arm64: uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml
index 178957556e..6a60db833d 100644
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-ppc64le: uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml
index c6902da1a5..f47337d8e5 100644
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-s390x: uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index d00e378149..a41d3ae818 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,6 +2,9 @@ name: Release Kata Containers on: workflow_dispatch +permissions: + contents: read + jobs: release: runs-on: ubuntu-22.04
diff --git a/.github/workflows/run-cri-containerd-tests-ppc64le.yaml b/.github/workflows/run-cri-containerd-tests-ppc64le.yaml
index 7c28a7cf7a..3c40300063 100644
--- a/.github/workflows/run-cri-containerd-tests-ppc64le.yaml
+++ b/.github/workflows/run-cri-containerd-tests-ppc64le.yaml
@@ -1,4 +1,8 @@ name: CI | Run cri-containerd tests on ppc64le + +permissions: + contents: read + on: workflow_call: inputs:
diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml
index 9b6a0cb5ff..7aa08a4a5f 100644
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -25,6 +25,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests: strategy:
diff --git a/.github/workflows/run-k8s-tests-on-amd64.yaml b/.github/workflows/run-k8s-tests-on-amd64.yaml
index 3b6e2da78b..b5ed1a965e 100644
--- a/.github/workflows/run-k8s-tests-on-amd64.yaml
+++ b/.github/workflows/run-k8s-tests-on-amd64.yaml
@@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests-amd64: strategy:
diff --git a/.github/workflows/run-k8s-tests-on-arm64.yaml b/.github/workflows/run-k8s-tests-on-arm64.yaml
index b8e54fdb8e..63c999dcf6 100644
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests-on-arm64: strategy:
diff --git a/.github/workflows/run-k8s-tests-on-ppc64le.yaml b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
index f95c046a18..9ec29a7872 100644
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests: strategy:
diff --git a/.github/workflows/run-k8s-tests-on-zvsi.yaml b/.github/workflows/run-k8s-tests-on-zvsi.yaml
index 1866c3b294..6c22545b22 100644
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests: strategy:
diff --git a/.github/workflows/run-kata-coco-stability-tests.yaml b/.github/workflows/run-kata-coco-stability-tests.yaml
index 142681878d..6c91d4b090 100644
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -25,6 +25,9 @@ on: required: false type: string +permissions: + contents: read + jobs: # Generate jobs for testing CoCo on non-TEE environments run-stability-k8s-tests-coco-nontee:
diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml
index c4a173eb87..46ee957470 100644
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -25,6 +25,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests-on-tdx: strategy:
diff --git a/.github/workflows/run-kata-deploy-tests-on-aks.yaml b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
index 9a665f02d3..d3409f040f 100644
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-kata-deploy-tests: strategy:
diff --git a/.github/workflows/run-kata-deploy-tests.yaml b/.github/workflows/run-kata-deploy-tests.yaml
index 2bd73d4b89..c184051603 100644
--- a/.github/workflows/run-kata-deploy-tests.yaml
+++ b/.github/workflows/run-kata-deploy-tests.yaml
@@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-kata-deploy-tests: strategy:
diff --git a/.github/workflows/run-kata-monitor-tests.yaml b/.github/workflows/run-kata-monitor-tests.yaml
index 575c0c7978..986abae406 100644
--- a/.github/workflows/run-kata-monitor-tests.yaml
+++ b/.github/workflows/run-kata-monitor-tests.yaml
@@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-monitor: strategy:
diff --git a/.github/workflows/run-metrics.yaml b/.github/workflows/run-metrics.yaml
index a6074ba32a..cd00b58fd0 100644
--- a/.github/workflows/run-metrics.yaml
+++ b/.github/workflows/run-metrics.yaml
@@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-metrics: strategy:
diff --git a/.github/workflows/run-runk-tests.yaml b/.github/workflows/run-runk-tests.yaml
index 6e10be44e5..26155ea81f 100644
--- a/.github/workflows/run-runk-tests.yaml
+++ b/.github/workflows/run-runk-tests.yaml
@@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-runk: # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether
diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml
index ea2b350c4d..621eade60d 100644
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@@ -10,6 +10,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/shellcheck_required.yaml b/.github/workflows/shellcheck_required.yaml
index ac0768f84e..861d91a5da 100644
--- a/.github/workflows/shellcheck_required.yaml
+++ b/.github/workflows/shellcheck_required.yaml
@@ -11,6 +11,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index a54d7b924d..c539091ec2 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -4,6 +4,9 @@ on: - cron: '0 0 * * *' workflow_dispatch: +permissions: + contents: read + jobs: stale: runs-on: ubuntu-22.04
diff --git a/.github/workflows/static-checks-self-hosted.yaml b/.github/workflows/static-checks-self-hosted.yaml
index 254e6dd7fc..a1c47c8637 100644
--- a/.github/workflows/static-checks-self-hosted.yaml
+++ b/.github/workflows/static-checks-self-hosted.yaml
@@ -6,6 +6,9 @@ on: - reopened - labeled # a workflow runs only when the 'ok-to-test' label is added +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml
index 7299c9e691..8b00d0b74b 100644
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true
diff --git a/src/runtime/pkg/govmm/.github/workflows/main.yml b/src/runtime/pkg/govmm/.github/workflows/main.yml
index a259204b54..7da7e9e58d 100644
--- a/src/runtime/pkg/govmm/.github/workflows/main.yml
+++ b/src/runtime/pkg/govmm/.github/workflows/main.yml
@@ -1,5 +1,9 @@ on: ["pull_request"] name: Unit tests + +permissions: + contents: read + jobs: test: strategy:
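Review bot: GitHub Actions evaluates only workflow files under the repository root's `.github/workflows/`, so the block added to `src/runtime/pkg/govmm/.github/workflows/main.yml` is inert for this repository unless that directory is also published as a standalone repository, which is not visible here. If it is, the change is harmless and consistent with the rest of the series; if it is not, it is worth saying so in the commit message or leaving the file out, so that an audit does not count it as a hardened workflow of this repo.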