diff --git a/.github/workflows/PR-wip-checks.yaml b/.github/workflows/PR-wip-checks.yaml index 7a5f5769f0..4f277d7688 100644 --- a/.github/workflows/PR-wip-checks.yaml +++ b/.github/workflows/PR-wip-checks.yaml @@ -9,6 +9,9 @@ on: - labeled - unlabeled +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml index 2b613d6247..ec3d85fc93 100644 --- a/.github/workflows/actionlint.yaml +++ b/.github/workflows/actionlint.yaml @@ -11,6 +11,9 @@ on: paths: - '.github/workflows/**' +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/basic-ci-amd64.yaml b/.github/workflows/basic-ci-amd64.yaml index 9d155f5043..71378d76f0 100644 --- a/.github/workflows/basic-ci-amd64.yaml +++ b/.github/workflows/basic-ci-amd64.yaml @@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-cri-containerd: strategy: diff --git a/.github/workflows/basic-ci-s390x.yaml b/.github/workflows/basic-ci-s390x.yaml index ad283db6e1..2ea606bafb 100644 --- a/.github/workflows/basic-ci-s390x.yaml +++ b/.github/workflows/basic-ci-s390x.yaml @@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-cri-containerd: strategy: diff --git a/.github/workflows/build-checks-preview-riscv64.yaml b/.github/workflows/build-checks-preview-riscv64.yaml index 7f3112f834..b5992bf568 100644 --- a/.github/workflows/build-checks-preview-riscv64.yaml +++ b/.github/workflows/build-checks-preview-riscv64.yaml @@ -12,6 +12,9 @@ on: required: true type: string +permissions: + contents: read + name: Build checks preview riscv64 jobs: check: 
diff --git a/.github/workflows/build-checks.yaml b/.github/workflows/build-checks.yaml index c5aac1dae2..79b9cf580c 100644 --- a/.github/workflows/build-checks.yaml +++ b/.github/workflows/build-checks.yaml @@ -5,6 +5,9 @@ on: required: true type: string +permissions: + contents: read + name: Build checks jobs: check: diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 790baa7ba9..c9bf85f4b3 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: ubuntu-22.04 @@ -150,6 +153,9 @@ jobs: build-asset-rootfs: runs-on: ubuntu-22.04 needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -247,6 +253,9 @@ jobs: build-asset-shim-v2: runs-on: ubuntu-22.04 needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -304,6 +313,9 @@ jobs: create-kata-tarball: runs-on: ubuntu-22.04 needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index c424b9ac8d..e11ef5a205 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: ubuntu-22.04-arm 
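Review bot: The job-level `permissions` blocks added to build-asset-rootfs, build-asset-shim-v2 and create-kata-tarball in build-kata-static-tarball-amd64.yaml replace, rather than extend, whatever the caller passes in, so a job that uploads build provenance also needs `id-token: write` and `attestations: write` listed here — ci.yaml grants those scopes to this reusable workflow, but none of the three jobs in these hunks request them. I cannot see from the hunks which job performs the attestation, so please confirm it is not one of these three. The visible `Login to Kata Containers quay.io` step authenticates with repository secrets rather than `GITHUB_TOKEN`, so `packages: write` is only justified if a later step in the same job pushes to ghcr.io; if it does not, drop it so the token stays read-only.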
@@ -130,6 +133,9 @@ jobs: build-asset-rootfs: runs-on: ubuntu-22.04-arm needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -219,6 +225,9 @@ jobs: build-asset-shim-v2: runs-on: ubuntu-22.04-arm needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -274,6 +283,9 @@ jobs: create-kata-tarball: runs-on: ubuntu-22.04-arm needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index 1ff5dad29f..94f7db4019 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml +++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml @@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: permissions: @@ -83,6 +86,9 @@ jobs: build-asset-rootfs: runs-on: ppc64le needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -158,6 +164,9 @@ jobs: build-asset-shim-v2: runs-on: ppc64le needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -213,6 +222,9 @@ jobs: create-kata-tarball: runs-on: ppc64le needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] + permissions: + contents: read + packages: write steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/build-kata-static-tarball-riscv64.yaml b/.github/workflows/build-kata-static-tarball-riscv64.yaml index e09b247b64..db858f31ab 100644 
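Review bot: The `packages: write` grants added to build-asset-rootfs, build-asset-shim-v2 and create-kata-tarball in build-kata-static-tarball-ppc64le.yaml hand a GHCR-capable `GITHUB_TOKEN` to jobs on the self-hosted `ppc64le` runner, and the existing `Adjust a permission for repo` step in create-kata-tarball suggests the workspace persists between runs. If that runner is not ephemeral, a write-scoped token is exposed to anything else on the host until it expires; confirm the runner is ephemeral, or narrow `packages: write` to the single job that actually pushes, before widening it. The same consideration applies to the s390x variant in this change.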
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml +++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml @@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: riscv-builder diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index 5c851a1768..847876a834 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: s390x @@ -112,6 +115,9 @@ jobs: build-asset-rootfs: runs-on: s390x needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -175,6 +181,9 @@ jobs: build-asset-boot-image-se: runs-on: s390x needs: [build-asset, build-asset-rootfs] + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 @@ -235,6 +244,9 @@ jobs: build-asset-shim-v2: runs-on: s390x needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -296,6 +308,9 @@ jobs: - build-asset-rootfs - build-asset-boot-image-se - build-asset-shim-v2 + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/cargo-deny-runner.yaml b/.github/workflows/cargo-deny-runner.yaml index f0b1a6e361..3969ec243b 100644 --- a/.github/workflows/cargo-deny-runner.yaml +++ b/.github/workflows/cargo-deny-runner.yaml @@ -11,6 +11,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: cargo-deny-runner: runs-on: ubuntu-22.04 
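Review bot: build-kata-static-tarball-riscv64.yaml receives only the workflow-level `contents: read` and no job-level grants, yet ci.yaml hands its caller job `packages: write`, `id-token: write` and `attestations: write`. If the riscv64 build pushes nothing to ghcr.io and produces no attestation, trim the caller grant in ci.yaml to `contents: read`; if it does, the jobs here need matching job-level scopes, since a job-level `permissions` block in a called workflow is the effective set for that job. The job bodies are outside these hunks, so please confirm which case applies.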
diff --git a/.github/workflows/ci-coco-stability.yaml b/.github/workflows/ci-coco-stability.yaml index ea3cee2e4a..e16db3850b 100644 --- a/.github/workflows/ci-coco-stability.yaml +++ b/.github/workflows/ci-coco-stability.yaml @@ -8,6 +8,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: kata-containers-ci-on-push: permissions: diff --git a/.github/workflows/ci-devel.yaml b/.github/workflows/ci-devel.yaml index 951315ec4d..0f6a62788e 100644 --- a/.github/workflows/ci-devel.yaml +++ b/.github/workflows/ci-devel.yaml @@ -2,6 +2,9 @@ name: Kata Containers CI (manually triggered) on: workflow_dispatch: +permissions: + contents: read + jobs: kata-containers-ci-on-push: permissions: diff --git a/.github/workflows/ci-nightly-s390x.yaml b/.github/workflows/ci-nightly-s390x.yaml index 46acc3e414..ddf0434eab 100644 --- a/.github/workflows/ci-nightly-s390x.yaml +++ b/.github/workflows/ci-nightly-s390x.yaml @@ -3,6 +3,10 @@ on: - cron: '0 5 * * *' name: Nightly CI for s390x + +permissions: + contents: read + jobs: check-internal-test-result: runs-on: s390x diff --git a/.github/workflows/ci-nightly.yaml b/.github/workflows/ci-nightly.yaml index 972bdf40ae..76a115becd 100644 --- a/.github/workflows/ci-nightly.yaml +++ b/.github/workflows/ci-nightly.yaml @@ -7,6 +7,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: kata-containers-ci-on-push: permissions: diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml index 5bce8ccc04..82224455fe 100644 --- a/.github/workflows/ci-on-push.yaml +++ b/.github/workflows/ci-on-push.yaml @@ -14,6 +14,9 @@ on: - reopened - labeled +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true 
diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml index ba7615318c..addeb5a2e3 100644 --- a/.github/workflows/ci-weekly.yaml +++ b/.github/workflows/ci-weekly.yaml @@ -16,8 +16,16 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-kata-static-tarball-amd64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -26,6 +34,9 @@ jobs: publish-kata-deploy-payload-amd64: needs: build-kata-static-tarball-amd64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -39,6 +50,9 @@ jobs: secrets: inherit build-and-publish-tee-confidential-unencrypted-image: + permissions: + contents: read + packages: write runs-on: ubuntu-22.04 steps: - name: Checkout code diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f32c712997..551ebe2f3b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -20,8 +20,16 @@ on: type: string default: no +permissions: + contents: read + jobs: build-kata-static-tarball-amd64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -30,6 +38,9 @@ jobs: publish-kata-deploy-payload-amd64: needs: build-kata-static-tarball-amd64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -43,6 +54,11 @@ jobs: secrets: inherit build-kata-static-tarball-arm64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml with: tarball-suffix: -${{ inputs.tag }} 
@@ -51,6 +67,9 @@ jobs: publish-kata-deploy-payload-arm64: needs: build-kata-static-tarball-arm64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -64,6 +83,11 @@ jobs: secrets: inherit build-kata-static-tarball-s390x: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -72,6 +96,9 @@ jobs: secrets: inherit build-kata-static-tarball-ppc64le: + permissions: + contents: read + packages: write uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -79,6 +106,11 @@ jobs: target-branch: ${{ inputs.target-branch }} build-kata-static-tarball-riscv64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -88,6 +120,9 @@ jobs: publish-kata-deploy-payload-s390x: needs: build-kata-static-tarball-s390x + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -102,6 +137,9 @@ jobs: publish-kata-deploy-payload-ppc64le: needs: build-kata-static-tarball-ppc64le + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -115,6 +153,9 @@ jobs: secrets: inherit build-and-publish-tee-confidential-unencrypted-image: + permissions: + contents: read + packages: write runs-on: ubuntu-22.04 steps: - name: Checkout code diff --git a/.github/workflows/cleanup-resources.yaml b/.github/workflows/cleanup-resources.yaml index d327ad55d6..27f42311a4 100644 --- a/.github/workflows/cleanup-resources.yaml +++ b/.github/workflows/cleanup-resources.yaml 
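Review bot: `build-kata-static-tarball-ppc64le` in ci.yaml is granted only `contents: read` and `packages: write`, while the amd64, arm64, s390x and riscv64 callers in the same file also get `id-token: write` and `attestations: write`. If ppc64le artifacts are deliberately not attested, record that above the block, e.g. `# ppc64le builds are not attested; no id-token/attestations scopes needed`; if it is an oversight, any attestation step in the called workflow will be rejected, because a called workflow cannot elevate beyond what its caller passes. The ppc64le reusable workflow's own job-level blocks cannot compensate for a missing caller-side grant.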
@@ -4,6 +4,9 @@ on: - cron: "0 0 * * *" workflow_dispatch: +permissions: + contents: read + jobs: cleanup-resources: runs-on: ubuntu-22.04 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index eb9802c78b..a120cb7d9e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -19,6 +19,9 @@ on: schedule: - cron: '45 0 * * 1' +permissions: + contents: read + jobs: analyze: name: Analyze (${{ matrix.language }}) diff --git a/.github/workflows/commit-message-check.yaml b/.github/workflows/commit-message-check.yaml index 347434d990..dfee61a9b6 100644 --- a/.github/workflows/commit-message-check.yaml +++ b/.github/workflows/commit-message-check.yaml @@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/darwin-tests.yaml b/.github/workflows/darwin-tests.yaml index c8fa1f4b01..7e96d6baa3 100644 --- a/.github/workflows/darwin-tests.yaml +++ b/.github/workflows/darwin-tests.yaml @@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/docs-url-alive-check.yaml b/.github/workflows/docs-url-alive-check.yaml index c91308bf14..14eaa80e9b 100644 --- a/.github/workflows/docs-url-alive-check.yaml +++ b/.github/workflows/docs-url-alive-check.yaml @@ -2,6 +2,9 @@ on: schedule: - cron: '0 23 * * 0' +permissions: + contents: read + name: Docs URL Alive Check jobs: test: diff --git a/.github/workflows/gatekeeper-skipper.yaml b/.github/workflows/gatekeeper-skipper.yaml index 188bc9be1c..a85207f57d 100644 --- a/.github/workflows/gatekeeper-skipper.yaml +++ b/.github/workflows/gatekeeper-skipper.yaml 
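Review bot: codeql.yml now defaults `GITHUB_TOKEN` to `contents: read`, but the `analyze` job must upload SARIF results, which requires `security-events: write` (plus `actions: read` on private repositories). The job-level `permissions` block is outside this hunk; if `analyze` does not already declare `security-events: write`, the upload step will fail under the new default. Add it at job level so the workflow-wide default can stay read-only.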
@@ -31,6 +31,8 @@ on: skip_static: value: ${{ jobs.skipper.outputs.skip_static }} +permissions: + contents: read jobs: skipper: diff --git a/.github/workflows/gatekeeper.yaml b/.github/workflows/gatekeeper.yaml index c5c79c23c4..687f12aa94 100644 --- a/.github/workflows/gatekeeper.yaml +++ b/.github/workflows/gatekeeper.yaml @@ -12,6 +12,9 @@ on: - reopened - labeled +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true @@ -23,6 +26,7 @@ jobs: actions: read contents: read issues: read + pull-requests: read steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/kata-runtime-classes-sync.yaml b/.github/workflows/kata-runtime-classes-sync.yaml index 80837b49d9..aa7ea7fd77 100644 --- a/.github/workflows/kata-runtime-classes-sync.yaml +++ b/.github/workflows/kata-runtime-classes-sync.yaml @@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml index 9fb4ddedf0..beab04a9c4 100644 --- a/.github/workflows/payload-after-push.yaml +++ b/.github/workflows/payload-after-push.yaml @@ -5,6 +5,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} @@ -61,6 +64,9 @@ jobs: publish-kata-deploy-payload-amd64: needs: build-assets-amd64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -74,6 +80,9 @@ jobs: publish-kata-deploy-payload-arm64: needs: build-assets-arm64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} 
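Review bot: In gatekeeper-skipper.yaml the new block is the only one in this change without a blank separator after `contents: read`, so `jobs:` runs directly onto it; add the blank line every other workflow here uses. Purely a consistency point.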
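Review bot: The `publish-kata-deploy-payload-*` and `publish-manifest` jobs in payload-after-push.yaml now get `packages: write`, but the `build-assets-*` jobs they depend on are not in this diff, and under the new top-level `contents: read` they will pass only that scope into build-kata-static-tarball-*.yaml. A called workflow can only reduce what its caller grants, so the `packages: write` those reusable workflows' jobs now declare would be ineffective for these builds. If `build-assets-*` already carry a job-level `permissions` block outside the hunks, ignore this; otherwise add `permissions:` / `contents: read` / `packages: write` to each of them, as ci.yaml does.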
@@ -87,6 +96,9 @@ jobs: publish-kata-deploy-payload-s390x: needs: build-assets-s390x + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -100,6 +112,9 @@ jobs: publish-kata-deploy-payload-ppc64le: needs: build-assets-ppc64le + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -113,6 +128,9 @@ jobs: publish-manifest: runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le] steps: - name: Checkout repository diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml index 133bab2d5e..f6298a5315 100644 --- a/.github/workflows/publish-kata-deploy-payload.yaml +++ b/.github/workflows/publish-kata-deploy-payload.yaml @@ -31,8 +31,14 @@ on: required: true type: string +permissions: + contents: read + jobs: kata-payload: + permissions: + contents: read + packages: write runs-on: ${{ inputs.runner }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml index 2c8c741764..847e2caee6 100644 --- a/.github/workflows/release-amd64.yaml +++ b/.github/workflows/release-amd64.yaml @@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-amd64: uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml @@ -16,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-amd64 + permissions: + contents: read + packages: write runs-on: ubuntu-22.04 steps: - name: Login to Kata Containers docker.io diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml index 40e623ffb4..bbe4271922 100644 
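Review bot: In release-amd64.yaml the `build-kata-static-tarball-amd64` caller job is left without a `permissions` block, so under the new top-level `contents: read` it passes only that scope to the reusable workflow, whose jobs now request `packages: write`; a called workflow cannot elevate, so any ghcr.io push on the release path would be rejected. ci.yaml grants `packages: write` (plus `id-token: write` and `attestations: write`) on the corresponding caller job — mirror that here if the release build pushes images or attests, e.g. `permissions:` / `contents: read` / `packages: write` under the job. The `kata-deploy` job's visible `Login to Kata Containers docker.io` step uses secrets, so its `packages: write` is only needed if it also pushes to ghcr.io. The same gap exists in the arm64, ppc64le and s390x release workflows.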
--- a/.github/workflows/release-arm64.yaml +++ b/.github/workflows/release-arm64.yaml @@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-arm64: uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml @@ -16,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-arm64 + permissions: + contents: read + packages: write runs-on: ubuntu-22.04-arm steps: - name: Login to Kata Containers docker.io diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml index 178957556e..534371b32b 100644 --- a/.github/workflows/release-ppc64le.yaml +++ b/.github/workflows/release-ppc64le.yaml @@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-ppc64le: uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml @@ -16,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-ppc64le + permissions: + contents: read + packages: write runs-on: ppc64le steps: - name: Login to Kata Containers docker.io diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml index c6902da1a5..684b227f45 100644 --- a/.github/workflows/release-s390x.yaml +++ b/.github/workflows/release-s390x.yaml @@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-s390x: uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml @@ -16,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-s390x + permissions: + contents: read + packages: write runs-on: s390x steps: - name: Login to Kata Containers docker.io diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d00e378149..a41d3ae818 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -2,6 +2,9 @@ name: Release Kata Containers on: workflow_dispatch +permissions: + contents: read + jobs: release: runs-on: ubuntu-22.04 
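Review bot: release.yaml now runs its `release` job under a workflow-level `contents: read`, which is insufficient if that job creates the GitHub release or uploads assets with `GITHUB_TOKEN`; those calls need `contents: write`. The job body is outside this hunk, so if it already has a job-level `permissions` block this is covered; if not, add `permissions:` / `contents: write` to the `release` job rather than raising the workflow default. Keep the workflow-level read-only default either way.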
diff --git a/.github/workflows/run-cri-containerd-tests-ppc64le.yaml b/.github/workflows/run-cri-containerd-tests-ppc64le.yaml index 7c28a7cf7a..3c40300063 100644 --- a/.github/workflows/run-cri-containerd-tests-ppc64le.yaml +++ b/.github/workflows/run-cri-containerd-tests-ppc64le.yaml @@ -1,4 +1,8 @@ name: CI | Run cri-containerd tests on ppc64le + +permissions: + contents: read + on: workflow_call: inputs: diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml index 9b6a0cb5ff..7aa08a4a5f 100644 --- a/.github/workflows/run-k8s-tests-on-aks.yaml +++ b/.github/workflows/run-k8s-tests-on-aks.yaml @@ -25,6 +25,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests: strategy: diff --git a/.github/workflows/run-k8s-tests-on-amd64.yaml b/.github/workflows/run-k8s-tests-on-amd64.yaml index 3b6e2da78b..b5ed1a965e 100644 --- a/.github/workflows/run-k8s-tests-on-amd64.yaml +++ b/.github/workflows/run-k8s-tests-on-amd64.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests-amd64: strategy: diff --git a/.github/workflows/run-k8s-tests-on-arm64.yaml b/.github/workflows/run-k8s-tests-on-arm64.yaml index b8e54fdb8e..63c999dcf6 100644 --- a/.github/workflows/run-k8s-tests-on-arm64.yaml +++ b/.github/workflows/run-k8s-tests-on-arm64.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests-on-arm64: strategy: diff --git a/.github/workflows/run-k8s-tests-on-ppc64le.yaml b/.github/workflows/run-k8s-tests-on-ppc64le.yaml index f95c046a18..9ec29a7872 100644 --- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml +++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests: strategy: diff --git a/.github/workflows/run-k8s-tests-on-zvsi.yaml b/.github/workflows/run-k8s-tests-on-zvsi.yaml index 1866c3b294..6c22545b22 100644 
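Review bot: In run-cri-containerd-tests-ppc64le.yaml the new `permissions` block is inserted between `name:` and `on:`, whereas every other workflow in this change places it after the `on:` block or directly before `jobs:`. Functionally equivalent, but moving it below `on:` keeps the files in the same key order for review and grep. Purely stylistic.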
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml +++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests: strategy: diff --git a/.github/workflows/run-kata-coco-stability-tests.yaml b/.github/workflows/run-kata-coco-stability-tests.yaml index 142681878d..6c91d4b090 100644 --- a/.github/workflows/run-kata-coco-stability-tests.yaml +++ b/.github/workflows/run-kata-coco-stability-tests.yaml @@ -25,6 +25,9 @@ on: required: false type: string +permissions: + contents: read + jobs: # Generate jobs for testing CoCo on non-TEE environments run-stability-k8s-tests-coco-nontee: diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml index c4a173eb87..46ee957470 100644 --- a/.github/workflows/run-kata-coco-tests.yaml +++ b/.github/workflows/run-kata-coco-tests.yaml @@ -25,6 +25,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests-on-tdx: strategy: diff --git a/.github/workflows/run-kata-deploy-tests-on-aks.yaml b/.github/workflows/run-kata-deploy-tests-on-aks.yaml index 9a665f02d3..d3409f040f 100644 --- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml +++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-kata-deploy-tests: strategy: diff --git a/.github/workflows/run-kata-deploy-tests.yaml b/.github/workflows/run-kata-deploy-tests.yaml index 2bd73d4b89..c184051603 100644 --- a/.github/workflows/run-kata-deploy-tests.yaml +++ b/.github/workflows/run-kata-deploy-tests.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-kata-deploy-tests: strategy: diff --git a/.github/workflows/run-kata-monitor-tests.yaml b/.github/workflows/run-kata-monitor-tests.yaml index 575c0c7978..986abae406 100644 --- a/.github/workflows/run-kata-monitor-tests.yaml 
+++ b/.github/workflows/run-kata-monitor-tests.yaml @@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-monitor: strategy: diff --git a/.github/workflows/run-metrics.yaml b/.github/workflows/run-metrics.yaml index a6074ba32a..cd00b58fd0 100644 --- a/.github/workflows/run-metrics.yaml +++ b/.github/workflows/run-metrics.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-metrics: strategy: diff --git a/.github/workflows/run-runk-tests.yaml b/.github/workflows/run-runk-tests.yaml index 6e10be44e5..26155ea81f 100644 --- a/.github/workflows/run-runk-tests.yaml +++ b/.github/workflows/run-runk-tests.yaml @@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-runk: # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml index ea2b350c4d..621eade60d 100644 --- a/.github/workflows/shellcheck.yaml +++ b/.github/workflows/shellcheck.yaml @@ -10,6 +10,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/shellcheck_required.yaml b/.github/workflows/shellcheck_required.yaml index ac0768f84e..861d91a5da 100644 --- a/.github/workflows/shellcheck_required.yaml +++ b/.github/workflows/shellcheck_required.yaml @@ -11,6 +11,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index a54d7b924d..c539091ec2 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml 
@@ -4,6 +4,9 @@ on: - cron: '0 0 * * *' workflow_dispatch: +permissions: + contents: read + jobs: stale: runs-on: ubuntu-22.04 diff --git a/.github/workflows/static-checks-self-hosted.yaml b/.github/workflows/static-checks-self-hosted.yaml index 254e6dd7fc..a1c47c8637 100644 --- a/.github/workflows/static-checks-self-hosted.yaml +++ b/.github/workflows/static-checks-self-hosted.yaml @@ -6,6 +6,9 @@ on: - reopened - labeled # a workflow runs only when the 'ok-to-test' label is added +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml index 7299c9e691..8b00d0b74b 100644 --- a/.github/workflows/static-checks.yaml +++ b/.github/workflows/static-checks.yaml @@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/src/runtime/pkg/govmm/.github/workflows/main.yml b/src/runtime/pkg/govmm/.github/workflows/main.yml index a259204b54..7da7e9e58d 100644 --- a/src/runtime/pkg/govmm/.github/workflows/main.yml +++ b/src/runtime/pkg/govmm/.github/workflows/main.yml @@ -1,5 +1,9 @@ on: ["pull_request"] name: Unit tests + +permissions: + contents: read + jobs: test: strategy:
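Review bot: stale.yaml now defaults to `contents: read`, but a stale-issue job needs `issues: write` and `pull-requests: write` to label, comment on or close items; with only the workflow default those API calls will be rejected. The `stale` job's body is outside this hunk — if it already carries a job-level `permissions` block, fine; otherwise add `permissions:` / `issues: write` / `pull-requests: write` to that job and leave the workflow default read-only.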