workflow: Add top-level permissions

Set:
```
permissions:
  contents: read
```
as the explicit default top-level permissions, to conform to
recommended security practices, e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
stevenhorsman 2025-05-28 15:05:52 +01:00
parent 353d0822fd
commit 088e97075c
53 changed files with 161 additions and 0 deletions


@ -9,6 +9,9 @@ on:
- labeled - labeled
- unlabeled - unlabeled
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
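Review bot: The added `permissions:` block carries no comment, so a later editor cannot tell that the read-only default is deliberate and that write scopes are meant to be requested at job level rather than widened here. I would put `# Least-privilege default for GITHUB_TOKEN; jobs that need write scopes must request them at job level.` directly above `permissions:`. The same applies to the corresponding block in every other file section of this commit. The `on:` block and the jobs this default applies to continue outside the hunk.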


@ -11,6 +11,9 @@ on:
paths: paths:
- '.github/workflows/**' - '.github/workflows/**'
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true


@ -13,6 +13,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-cri-containerd: run-cri-containerd:
strategy: strategy:


@ -13,6 +13,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-cri-containerd: run-cri-containerd:
strategy: strategy:


@ -12,6 +12,9 @@ on:
required: true required: true
type: string type: string
permissions:
contents: read
name: Build checks preview riscv64 name: Build checks preview riscv64
jobs: jobs:
check: check:
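Review bot: The block is inserted between the `on:` inputs and the `name:` key here, and likewise in the `Build checks` and `Docs URL Alive Check` sections, while most other files place it after `on:` and before `concurrency:`/`jobs:`, and the ppc64le cri-containerd section places it before `on:`. A consistent position (for example `name:`, `on:`, `permissions:`, then `concurrency:`/`jobs:`) makes the default easy to spot when auditing all 53 workflows. This is a point of style only; the resulting YAML is valid in each position.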


@ -5,6 +5,9 @@ on:
required: true required: true
type: string type: string
permissions:
contents: read
name: Build checks name: Build checks
jobs: jobs:
check: check:


@ -21,6 +21,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
build-asset: build-asset:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04


@ -21,6 +21,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
build-asset: build-asset:
runs-on: ubuntu-22.04-arm runs-on: ubuntu-22.04-arm


@ -21,6 +21,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
build-asset: build-asset:
permissions: permissions:


@ -21,6 +21,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
build-asset: build-asset:
runs-on: riscv-builder runs-on: riscv-builder


@ -21,6 +21,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
build-asset: build-asset:
runs-on: s390x runs-on: s390x


@ -11,6 +11,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
cargo-deny-runner: cargo-deny-runner:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04


@ -8,6 +8,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:
permissions: permissions:


@ -2,6 +2,9 @@ name: Kata Containers CI (manually triggered)
on: on:
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:
permissions: permissions:


@ -3,6 +3,10 @@ on:
- cron: '0 5 * * *' - cron: '0 5 * * *'
name: Nightly CI for s390x name: Nightly CI for s390x
permissions:
contents: read
jobs: jobs:
check-internal-test-result: check-internal-test-result:
runs-on: s390x runs-on: s390x


@ -7,6 +7,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:
permissions: permissions:


@ -14,6 +14,9 @@ on:
- reopened - reopened
- labeled - labeled
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true


@ -16,6 +16,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:
uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
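Review bot: A caller's top-level `permissions` also caps what the reusable workflows invoked via `uses:` can receive, so `build-kata-static-tarball-amd64` will now run with a read-only `GITHUB_TOKEN` unless the `uses:` job grants more through its own `permissions:` block. If any called workflow writes to the repository or uploads with the token, the calling job needs an explicit job-level grant; I cannot confirm this from the hunk, as the job bodies continue outside it. The same consideration applies to the later sections whose jobs use the `build-kata-static-tarball-arm64`, `-ppc64le` and `-s390x` workflows.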


@ -20,6 +20,9 @@ on:
type: string type: string
default: no default: no
permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:
uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
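Review bot: The context line `default: no` two lines above the added block is an unquoted YAML 1.1 boolean, so a 1.1-style loader turns this `type: string` default into `false` rather than the string `no`. GitHub's own parser may accept it, but since this commit already touches the file header, quoting it as `default: "no"` removes the ambiguity for any other tooling that reads the workflow. The input definition and the jobs below continue outside the hunk.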


@ -4,6 +4,9 @@ on:
- cron: "0 0 * * *" - cron: "0 0 * * *"
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
cleanup-resources: cleanup-resources:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04


@ -19,6 +19,9 @@ on:
schedule: schedule:
- cron: '45 0 * * 1' - cron: '45 0 * * 1'
permissions:
contents: read
jobs: jobs:
analyze: analyze:
name: Analyze (${{ matrix.language }}) name: Analyze (${{ matrix.language }})
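Review bot: The `analyze` job below the added block appears to be a CodeQL job, which needs `security-events: write` to upload results; with the new read-only top-level default it only gets that scope if the job declares its own `permissions:` block. The job body continues outside the hunk, so I cannot confirm it carries `security-events: write` (plus `actions: read` and `contents: read`); if it does not, result upload will start failing. If it already does, a short comment above the top-level block noting that the job overrides it would help readers.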


@ -6,6 +6,9 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true


@ -6,6 +6,9 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true


@ -2,6 +2,9 @@ on:
schedule: schedule:
- cron: '0 23 * * 0' - cron: '0 23 * * 0'
permissions:
contents: read
name: Docs URL Alive Check name: Docs URL Alive Check
jobs: jobs:
test: test:


@ -31,6 +31,8 @@ on:
skip_static: skip_static:
value: ${{ jobs.skipper.outputs.skip_static }} value: ${{ jobs.skipper.outputs.skip_static }}
permissions:
contents: read
jobs: jobs:
skipper: skipper:


@ -12,6 +12,9 @@ on:
- reopened - reopened
- labeled - labeled
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true


@ -6,6 +6,9 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true


@ -5,6 +5,9 @@ on:
- main - main
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -31,6 +31,9 @@ on:
required: true required: true
type: string type: string
permissions:
contents: read
jobs: jobs:
kata-payload: kata-payload:
runs-on: ${{ inputs.runner }} runs-on: ${{ inputs.runner }}


@ -6,6 +6,9 @@ on:
required: true required: true
type: string type: string
permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:
uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml


@ -6,6 +6,9 @@ on:
required: true required: true
type: string type: string
permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-arm64: build-kata-static-tarball-arm64:
uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml


@ -6,6 +6,9 @@ on:
required: true required: true
type: string type: string
permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-ppc64le: build-kata-static-tarball-ppc64le:
uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml


@ -6,6 +6,9 @@ on:
required: true required: true
type: string type: string
permissions:
contents: read
jobs: jobs:
build-kata-static-tarball-s390x: build-kata-static-tarball-s390x:
uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml


@ -2,6 +2,9 @@ name: Release Kata Containers
on: on:
workflow_dispatch workflow_dispatch
permissions:
contents: read
jobs: jobs:
release: release:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
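Review bot: The `release` job under the new read-only default presumably creates GitHub releases or uploads assets, which requires `contents: write` on `GITHUB_TOKEN`; the top-level `contents: read` denies that unless the job sets `permissions: contents: write` itself. The job body continues outside the hunk, so I cannot confirm whether it already does; if not, add the job-level grant so the release flow keeps working under the least-privilege default.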


@ -1,4 +1,8 @@
name: CI | Run cri-containerd tests on ppc64le name: CI | Run cri-containerd tests on ppc64le
permissions:
contents: read
on: on:
workflow_call: workflow_call:
inputs: inputs:


@ -25,6 +25,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-k8s-tests: run-k8s-tests:
strategy: strategy:


@ -22,6 +22,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-k8s-tests-amd64: run-k8s-tests-amd64:
strategy: strategy:


@ -22,6 +22,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-k8s-tests-on-arm64: run-k8s-tests-on-arm64:
strategy: strategy:


@ -22,6 +22,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-k8s-tests: run-k8s-tests:
strategy: strategy:


@ -22,6 +22,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-k8s-tests: run-k8s-tests:
strategy: strategy:


@ -25,6 +25,9 @@ on:
required: false required: false
type: string type: string
permissions:
contents: read
jobs: jobs:
# Generate jobs for testing CoCo on non-TEE environments # Generate jobs for testing CoCo on non-TEE environments
run-stability-k8s-tests-coco-nontee: run-stability-k8s-tests-coco-nontee:


@ -25,6 +25,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-k8s-tests-on-tdx: run-k8s-tests-on-tdx:
strategy: strategy:


@ -22,6 +22,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-kata-deploy-tests: run-kata-deploy-tests:
strategy: strategy:


@ -22,6 +22,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-kata-deploy-tests: run-kata-deploy-tests:
strategy: strategy:


@ -13,6 +13,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-monitor: run-monitor:
strategy: strategy:


@ -22,6 +22,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-metrics: run-metrics:
strategy: strategy:


@ -13,6 +13,9 @@ on:
type: string type: string
default: "" default: ""
permissions:
contents: read
jobs: jobs:
run-runk: run-runk:
# Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether


@ -10,6 +10,9 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true


@ -11,6 +11,9 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true


@ -4,6 +4,9 @@ on:
- cron: '0 0 * * *' - cron: '0 0 * * *'
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
stale: stale:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
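Review bot: A `stale` job typically labels and closes issues and pull requests, which needs `issues: write` and `pull-requests: write`; the new top-level `contents: read` removes those scopes unless the job requests them at job level. The job body continues outside the hunk, so please confirm it declares `permissions:` with `issues: write` and `pull-requests: write`, otherwise its write calls will be rejected once this default lands.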


@ -6,6 +6,9 @@ on:
- reopened - reopened
- labeled # a workflow runs only when the 'ok-to-test' label is added - labeled # a workflow runs only when the 'ok-to-test' label is added
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true


@ -6,6 +6,9 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true


@ -1,5 +1,9 @@
on: ["pull_request"] on: ["pull_request"]
name: Unit tests name: Unit tests
permissions:
contents: read
jobs: jobs:
test: test:
strategy: strategy: