From 088e97075c434c1672ab67a77bdbe058ed2bc7d4 Mon Sep 17 00:00:00 2001 
From: stevenhorsman Date: Wed, 28 May 2025 15:05:52 +0100 Subject: [PATCH 1/2] workflow: Add top-level permissions Set: ``` permissions: contents: read ``` as the default top-level permissions explicitly to conform to recommended security practices e.g. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions --- .github/workflows/PR-wip-checks.yaml | 3 +++ .github/workflows/actionlint.yaml | 3 +++ .github/workflows/basic-ci-amd64.yaml | 3 +++ .github/workflows/basic-ci-s390x.yaml | 3 +++ .github/workflows/build-checks-preview-riscv64.yaml | 3 +++ .github/workflows/build-checks.yaml | 3 +++ .github/workflows/build-kata-static-tarball-amd64.yaml | 3 +++ .github/workflows/build-kata-static-tarball-arm64.yaml | 3 +++ .github/workflows/build-kata-static-tarball-ppc64le.yaml | 3 +++ .github/workflows/build-kata-static-tarball-riscv64.yaml | 3 +++ .github/workflows/build-kata-static-tarball-s390x.yaml | 3 +++ .github/workflows/cargo-deny-runner.yaml | 3 +++ .github/workflows/ci-coco-stability.yaml | 3 +++ .github/workflows/ci-devel.yaml | 3 +++ .github/workflows/ci-nightly-s390x.yaml | 4 ++++ .github/workflows/ci-nightly.yaml | 3 +++ .github/workflows/ci-on-push.yaml | 3 +++ .github/workflows/ci-weekly.yaml | 3 +++ .github/workflows/ci.yaml | 3 +++ .github/workflows/cleanup-resources.yaml | 3 +++ .github/workflows/codeql.yml | 3 +++ .github/workflows/commit-message-check.yaml | 3 +++ .github/workflows/darwin-tests.yaml | 3 +++ .github/workflows/docs-url-alive-check.yaml | 3 +++ .github/workflows/gatekeeper-skipper.yaml | 2 ++ .github/workflows/gatekeeper.yaml | 3 +++ .github/workflows/kata-runtime-classes-sync.yaml | 3 +++ .github/workflows/payload-after-push.yaml | 3 +++ .github/workflows/publish-kata-deploy-payload.yaml | 3 +++ .github/workflows/release-amd64.yaml | 3 +++ .github/workflows/release-arm64.yaml | 3 +++ .github/workflows/release-ppc64le.yaml | 3 +++ .github/workflows/release-s390x.yaml | 3 +++ .github/workflows/release.yaml | 3 +++ 
.github/workflows/run-cri-containerd-tests-ppc64le.yaml | 4 ++++ .github/workflows/run-k8s-tests-on-aks.yaml | 3 +++ .github/workflows/run-k8s-tests-on-amd64.yaml | 3 +++ .github/workflows/run-k8s-tests-on-arm64.yaml | 3 +++ .github/workflows/run-k8s-tests-on-ppc64le.yaml | 3 +++ .github/workflows/run-k8s-tests-on-zvsi.yaml | 3 +++ .github/workflows/run-kata-coco-stability-tests.yaml | 3 +++ .github/workflows/run-kata-coco-tests.yaml | 3 +++ .github/workflows/run-kata-deploy-tests-on-aks.yaml | 3 +++ .github/workflows/run-kata-deploy-tests.yaml | 3 +++ .github/workflows/run-kata-monitor-tests.yaml | 3 +++ .github/workflows/run-metrics.yaml | 3 +++ .github/workflows/run-runk-tests.yaml | 3 +++ .github/workflows/shellcheck.yaml | 3 +++ .github/workflows/shellcheck_required.yaml | 3 +++ .github/workflows/stale.yaml | 3 +++ .github/workflows/static-checks-self-hosted.yaml | 3 +++ .github/workflows/static-checks.yaml | 3 +++ src/runtime/pkg/govmm/.github/workflows/main.yml | 4 ++++ 53 files changed, 161 insertions(+) diff --git a/.github/workflows/PR-wip-checks.yaml b/.github/workflows/PR-wip-checks.yaml index 7a5f5769f0..4f277d7688 100644 --- a/.github/workflows/PR-wip-checks.yaml +++ b/.github/workflows/PR-wip-checks.yaml @@ -9,6 +9,9 @@ on: - labeled - unlabeled +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml index 2b613d6247..ec3d85fc93 100644 --- a/.github/workflows/actionlint.yaml +++ b/.github/workflows/actionlint.yaml @@ -11,6 +11,9 @@ on: paths: - '.github/workflows/**' +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/basic-ci-amd64.yaml b/.github/workflows/basic-ci-amd64.yaml index 9d155f5043..71378d76f0 100644 
--- a/.github/workflows/basic-ci-amd64.yaml +++ b/.github/workflows/basic-ci-amd64.yaml @@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-cri-containerd: strategy: diff --git a/.github/workflows/basic-ci-s390x.yaml b/.github/workflows/basic-ci-s390x.yaml index ad283db6e1..2ea606bafb 100644 --- a/.github/workflows/basic-ci-s390x.yaml +++ b/.github/workflows/basic-ci-s390x.yaml @@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-cri-containerd: strategy: diff --git a/.github/workflows/build-checks-preview-riscv64.yaml b/.github/workflows/build-checks-preview-riscv64.yaml index 7f3112f834..b5992bf568 100644 --- a/.github/workflows/build-checks-preview-riscv64.yaml +++ b/.github/workflows/build-checks-preview-riscv64.yaml @@ -12,6 +12,9 @@ on: required: true type: string +permissions: + contents: read + name: Build checks preview riscv64 jobs: check: diff --git a/.github/workflows/build-checks.yaml b/.github/workflows/build-checks.yaml index c5aac1dae2..79b9cf580c 100644 --- a/.github/workflows/build-checks.yaml +++ b/.github/workflows/build-checks.yaml @@ -5,6 +5,9 @@ on: required: true type: string +permissions: + contents: read + name: Build checks jobs: check: diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 790baa7ba9..30891d22d4 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: ubuntu-22.04 diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index c424b9ac8d..67faeed612 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml 
@@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: ubuntu-22.04-arm diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index 1ff5dad29f..cb14c54abf 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml +++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml @@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: permissions: diff --git a/.github/workflows/build-kata-static-tarball-riscv64.yaml b/.github/workflows/build-kata-static-tarball-riscv64.yaml index e09b247b64..db858f31ab 100644 --- a/.github/workflows/build-kata-static-tarball-riscv64.yaml +++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml @@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: riscv-builder diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index 5c851a1768..7bee8105d7 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -21,6 +21,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-asset: runs-on: s390x diff --git a/.github/workflows/cargo-deny-runner.yaml b/.github/workflows/cargo-deny-runner.yaml index f0b1a6e361..3969ec243b 100644 --- a/.github/workflows/cargo-deny-runner.yaml +++ b/.github/workflows/cargo-deny-runner.yaml @@ -11,6 +11,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: cargo-deny-runner: runs-on: ubuntu-22.04 diff --git a/.github/workflows/ci-coco-stability.yaml b/.github/workflows/ci-coco-stability.yaml index ea3cee2e4a..e16db3850b 100644 --- a/.github/workflows/ci-coco-stability.yaml 
+++ b/.github/workflows/ci-coco-stability.yaml @@ -8,6 +8,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: kata-containers-ci-on-push: permissions: diff --git a/.github/workflows/ci-devel.yaml b/.github/workflows/ci-devel.yaml index 951315ec4d..0f6a62788e 100644 --- a/.github/workflows/ci-devel.yaml +++ b/.github/workflows/ci-devel.yaml @@ -2,6 +2,9 @@ name: Kata Containers CI (manually triggered) on: workflow_dispatch: +permissions: + contents: read + jobs: kata-containers-ci-on-push: permissions: diff --git a/.github/workflows/ci-nightly-s390x.yaml b/.github/workflows/ci-nightly-s390x.yaml index 46acc3e414..ddf0434eab 100644 --- a/.github/workflows/ci-nightly-s390x.yaml +++ b/.github/workflows/ci-nightly-s390x.yaml @@ -3,6 +3,10 @@ on: - cron: '0 5 * * *' name: Nightly CI for s390x + +permissions: + contents: read + jobs: check-internal-test-result: runs-on: s390x diff --git a/.github/workflows/ci-nightly.yaml b/.github/workflows/ci-nightly.yaml index 972bdf40ae..76a115becd 100644 --- a/.github/workflows/ci-nightly.yaml +++ b/.github/workflows/ci-nightly.yaml @@ -7,6 +7,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: kata-containers-ci-on-push: permissions: diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml index 5bce8ccc04..82224455fe 100644 --- a/.github/workflows/ci-on-push.yaml +++ b/.github/workflows/ci-on-push.yaml @@ -14,6 +14,9 @@ on: - reopened - labeled +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml index ba7615318c..24d8361535 100644 --- a/.github/workflows/ci-weekly.yaml 
+++ b/.github/workflows/ci-weekly.yaml @@ -16,6 +16,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: build-kata-static-tarball-amd64: uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index f32c712997..4e4d733041 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -20,6 +20,9 @@ on: type: string default: no +permissions: + contents: read + jobs: build-kata-static-tarball-amd64: uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml diff --git a/.github/workflows/cleanup-resources.yaml b/.github/workflows/cleanup-resources.yaml index d327ad55d6..27f42311a4 100644 --- a/.github/workflows/cleanup-resources.yaml +++ b/.github/workflows/cleanup-resources.yaml @@ -4,6 +4,9 @@ on: - cron: "0 0 * * *" workflow_dispatch: +permissions: + contents: read + jobs: cleanup-resources: runs-on: ubuntu-22.04 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index eb9802c78b..a120cb7d9e 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -19,6 +19,9 @@ on: schedule: - cron: '45 0 * * 1' +permissions: + contents: read + jobs: analyze: name: Analyze (${{ matrix.language }}) diff --git a/.github/workflows/commit-message-check.yaml b/.github/workflows/commit-message-check.yaml index 347434d990..dfee61a9b6 100644 --- a/.github/workflows/commit-message-check.yaml +++ b/.github/workflows/commit-message-check.yaml @@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/darwin-tests.yaml b/.github/workflows/darwin-tests.yaml index c8fa1f4b01..7e96d6baa3 100644 --- a/.github/workflows/darwin-tests.yaml +++ b/.github/workflows/darwin-tests.yaml 
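Review bot: The `analyze` job in codeql.yml is now capped at `contents: read` by the workflow-level block inserted before `jobs:`, but uploading CodeQL results needs `security-events: write` (and `actions: read` on private repositories), and codeql.yml is not in the second patch's file list, so nothing re-grants it here. Please confirm the job already carries its own `permissions:` block below the hunk; if it does not, the scheduled and PR runs will fail at the upload step and the job needs `permissions:` / `contents: read` / `security-events: write`. The `analyze` job body continues outside the hunk.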
@@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/docs-url-alive-check.yaml b/.github/workflows/docs-url-alive-check.yaml index c91308bf14..14eaa80e9b 100644 --- a/.github/workflows/docs-url-alive-check.yaml +++ b/.github/workflows/docs-url-alive-check.yaml @@ -2,6 +2,9 @@ on: schedule: - cron: '0 23 * * 0' +permissions: + contents: read + name: Docs URL Alive Check jobs: test: diff --git a/.github/workflows/gatekeeper-skipper.yaml b/.github/workflows/gatekeeper-skipper.yaml index 188bc9be1c..a85207f57d 100644 --- a/.github/workflows/gatekeeper-skipper.yaml +++ b/.github/workflows/gatekeeper-skipper.yaml @@ -31,6 +31,8 @@ on: skip_static: value: ${{ jobs.skipper.outputs.skip_static }} +permissions: + contents: read jobs: skipper: diff --git a/.github/workflows/gatekeeper.yaml b/.github/workflows/gatekeeper.yaml index c5c79c23c4..687e813063 100644 --- a/.github/workflows/gatekeeper.yaml +++ b/.github/workflows/gatekeeper.yaml @@ -12,6 +12,9 @@ on: - reopened - labeled +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/kata-runtime-classes-sync.yaml b/.github/workflows/kata-runtime-classes-sync.yaml index 80837b49d9..aa7ea7fd77 100644 --- a/.github/workflows/kata-runtime-classes-sync.yaml +++ b/.github/workflows/kata-runtime-classes-sync.yaml @@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml index 9fb4ddedf0..1f455284d5 100644 --- a/.github/workflows/payload-after-push.yaml 
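Review bot: The block inserted into gatekeeper-skipper.yaml is the only one in this patch without a blank line between `  contents: read` and `jobs:` (the diffstat shows 2 insertions for that file versus 3 for every other workflow), which breaks the stanza spacing the rest of the series establishes. Add the empty line after `  contents: read` so the file matches its siblings and the one-blank-line-between-stanzas convention yamllint enforces.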
+++ b/.github/workflows/payload-after-push.yaml @@ -5,6 +5,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml index 133bab2d5e..37eba1bf2f 100644 --- a/.github/workflows/publish-kata-deploy-payload.yaml +++ b/.github/workflows/publish-kata-deploy-payload.yaml @@ -31,6 +31,9 @@ on: required: true type: string +permissions: + contents: read + jobs: kata-payload: runs-on: ${{ inputs.runner }} diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml index 2c8c741764..40f8c2e58f 100644 --- a/.github/workflows/release-amd64.yaml +++ b/.github/workflows/release-amd64.yaml @@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-amd64: uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml index 40e623ffb4..4a98dd6829 100644 --- a/.github/workflows/release-arm64.yaml +++ b/.github/workflows/release-arm64.yaml @@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-arm64: uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml index 178957556e..6a60db833d 100644 --- a/.github/workflows/release-ppc64le.yaml +++ b/.github/workflows/release-ppc64le.yaml @@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-ppc64le: uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml index c6902da1a5..f47337d8e5 100644 --- a/.github/workflows/release-s390x.yaml 
+++ b/.github/workflows/release-s390x.yaml @@ -6,6 +6,9 @@ on: required: true type: string +permissions: + contents: read + jobs: build-kata-static-tarball-s390x: uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d00e378149..a41d3ae818 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -2,6 +2,9 @@ name: Release Kata Containers on: workflow_dispatch +permissions: + contents: read + jobs: release: runs-on: ubuntu-22.04 diff --git a/.github/workflows/run-cri-containerd-tests-ppc64le.yaml b/.github/workflows/run-cri-containerd-tests-ppc64le.yaml index 7c28a7cf7a..3c40300063 100644 --- a/.github/workflows/run-cri-containerd-tests-ppc64le.yaml +++ b/.github/workflows/run-cri-containerd-tests-ppc64le.yaml @@ -1,4 +1,8 @@ name: CI | Run cri-containerd tests on ppc64le + +permissions: + contents: read + on: workflow_call: inputs: diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml index 9b6a0cb5ff..7aa08a4a5f 100644 --- a/.github/workflows/run-k8s-tests-on-aks.yaml +++ b/.github/workflows/run-k8s-tests-on-aks.yaml @@ -25,6 +25,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests: strategy: diff --git a/.github/workflows/run-k8s-tests-on-amd64.yaml b/.github/workflows/run-k8s-tests-on-amd64.yaml index 3b6e2da78b..b5ed1a965e 100644 --- a/.github/workflows/run-k8s-tests-on-amd64.yaml +++ b/.github/workflows/run-k8s-tests-on-amd64.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests-amd64: strategy: diff --git a/.github/workflows/run-k8s-tests-on-arm64.yaml b/.github/workflows/run-k8s-tests-on-arm64.yaml index b8e54fdb8e..63c999dcf6 100644 --- a/.github/workflows/run-k8s-tests-on-arm64.yaml +++ b/.github/workflows/run-k8s-tests-on-arm64.yaml 
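Review bot: The `release` job in release.yaml (triggered by `workflow_dispatch`) is now limited to `contents: read`, and unlike the four per-arch release-*.yaml files it does not appear in the second patch's file list, so nothing restores write access. If that job creates the GitHub release or uploads assets with `GITHUB_TOKEN`, it needs a job-level block such as `permissions:` / `contents: write` (plus `packages: write` or `id-token: write` if it also pushes images or signs); if it authenticates with a PAT or another secret instead, a one-line comment saying so above `release:` would stop the next reviewer from re-raising this. The job's steps are outside the hunk, so please confirm either way.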
@@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests-on-arm64: strategy: diff --git a/.github/workflows/run-k8s-tests-on-ppc64le.yaml b/.github/workflows/run-k8s-tests-on-ppc64le.yaml index f95c046a18..9ec29a7872 100644 --- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml +++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests: strategy: diff --git a/.github/workflows/run-k8s-tests-on-zvsi.yaml b/.github/workflows/run-k8s-tests-on-zvsi.yaml index 1866c3b294..6c22545b22 100644 --- a/.github/workflows/run-k8s-tests-on-zvsi.yaml +++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests: strategy: diff --git a/.github/workflows/run-kata-coco-stability-tests.yaml b/.github/workflows/run-kata-coco-stability-tests.yaml index 142681878d..6c91d4b090 100644 --- a/.github/workflows/run-kata-coco-stability-tests.yaml +++ b/.github/workflows/run-kata-coco-stability-tests.yaml @@ -25,6 +25,9 @@ on: required: false type: string +permissions: + contents: read + jobs: # Generate jobs for testing CoCo on non-TEE environments run-stability-k8s-tests-coco-nontee: diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml index c4a173eb87..46ee957470 100644 --- a/.github/workflows/run-kata-coco-tests.yaml +++ b/.github/workflows/run-kata-coco-tests.yaml @@ -25,6 +25,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-k8s-tests-on-tdx: strategy: diff --git a/.github/workflows/run-kata-deploy-tests-on-aks.yaml b/.github/workflows/run-kata-deploy-tests-on-aks.yaml index 9a665f02d3..d3409f040f 100644 --- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml +++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml 
@@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-kata-deploy-tests: strategy: diff --git a/.github/workflows/run-kata-deploy-tests.yaml b/.github/workflows/run-kata-deploy-tests.yaml index 2bd73d4b89..c184051603 100644 --- a/.github/workflows/run-kata-deploy-tests.yaml +++ b/.github/workflows/run-kata-deploy-tests.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-kata-deploy-tests: strategy: diff --git a/.github/workflows/run-kata-monitor-tests.yaml b/.github/workflows/run-kata-monitor-tests.yaml index 575c0c7978..986abae406 100644 --- a/.github/workflows/run-kata-monitor-tests.yaml +++ b/.github/workflows/run-kata-monitor-tests.yaml @@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-monitor: strategy: diff --git a/.github/workflows/run-metrics.yaml b/.github/workflows/run-metrics.yaml index a6074ba32a..cd00b58fd0 100644 --- a/.github/workflows/run-metrics.yaml +++ b/.github/workflows/run-metrics.yaml @@ -22,6 +22,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-metrics: strategy: diff --git a/.github/workflows/run-runk-tests.yaml b/.github/workflows/run-runk-tests.yaml index 6e10be44e5..26155ea81f 100644 --- a/.github/workflows/run-runk-tests.yaml +++ b/.github/workflows/run-runk-tests.yaml @@ -13,6 +13,9 @@ on: type: string default: "" +permissions: + contents: read + jobs: run-runk: # Skip runk tests as we have no maintainers. TODO: Decide when to remove altogether diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml index ea2b350c4d..621eade60d 100644 --- a/.github/workflows/shellcheck.yaml +++ b/.github/workflows/shellcheck.yaml @@ -10,6 +10,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true 
diff --git a/.github/workflows/shellcheck_required.yaml b/.github/workflows/shellcheck_required.yaml index ac0768f84e..861d91a5da 100644 --- a/.github/workflows/shellcheck_required.yaml +++ b/.github/workflows/shellcheck_required.yaml @@ -11,6 +11,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index a54d7b924d..c539091ec2 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -4,6 +4,9 @@ on: - cron: '0 0 * * *' workflow_dispatch: +permissions: + contents: read + jobs: stale: runs-on: ubuntu-22.04 diff --git a/.github/workflows/static-checks-self-hosted.yaml b/.github/workflows/static-checks-self-hosted.yaml index 254e6dd7fc..a1c47c8637 100644 --- a/.github/workflows/static-checks-self-hosted.yaml +++ b/.github/workflows/static-checks-self-hosted.yaml @@ -6,6 +6,9 @@ on: - reopened - labeled # a workflow runs only when the 'ok-to-test' label is added +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml index 7299c9e691..8b00d0b74b 100644 --- a/.github/workflows/static-checks.yaml +++ b/.github/workflows/static-checks.yaml @@ -6,6 +6,9 @@ on: - reopened - synchronize +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} cancel-in-progress: true diff --git a/src/runtime/pkg/govmm/.github/workflows/main.yml b/src/runtime/pkg/govmm/.github/workflows/main.yml index a259204b54..7da7e9e58d 100644 --- a/src/runtime/pkg/govmm/.github/workflows/main.yml +++ b/src/runtime/pkg/govmm/.github/workflows/main.yml 
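Review bot: The `stale` job in stale.yaml is now restricted to `contents: read`, stale.yaml is not touched by the follow-up commit, and labelling, commenting on and closing issues or pull requests requires `issues: write` and `pull-requests: write`. Unless the job already has its own `permissions:` block further down, the nightly run will start failing with 403s; the fix is a job-level `permissions:` / `issues: write` / `pull-requests: write` under `stale:`. The job body continues outside the hunk, so this needs checking against the full file.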
@@ -1,5 +1,9 @@ on: ["pull_request"] name: Unit tests + +permissions: + contents: read + jobs: test: strategy: From c34416f53a6d7fbff37240da59c45b7beca18c41 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Wed, 28 May 2025 12:03:14 +0100 Subject: [PATCH 2/2] workflows: Add explicit permissions where needed We have a number of jobs that either need,or nest workflows that need gh permissions, such as for pushing to ghcr, or doing attest build provenance. This means they need write permissions on things like `packages`, `id-token` and `attestations`, so we need to set these permissions at the job-level (along with `contents: read`), so they are not restricted by our safe defaults. Signed-off-by: stevenhorsman --- .../build-kata-static-tarball-amd64.yaml | 9 +++++ .../build-kata-static-tarball-arm64.yaml | 9 +++++ .../build-kata-static-tarball-ppc64le.yaml | 9 +++++ .../build-kata-static-tarball-s390x.yaml | 12 ++++++ .github/workflows/ci-weekly.yaml | 11 ++++++ .github/workflows/ci.yaml | 38 +++++++++++++++++++ .github/workflows/gatekeeper.yaml | 1 + .github/workflows/payload-after-push.yaml | 15 ++++++++ .../publish-kata-deploy-payload.yaml | 3 ++ .github/workflows/release-amd64.yaml | 3 ++ .github/workflows/release-arm64.yaml | 3 ++ .github/workflows/release-ppc64le.yaml | 3 ++ .github/workflows/release-s390x.yaml | 3 ++ 13 files changed, 119 insertions(+) diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 30891d22d4..c9bf85f4b3 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -153,6 +153,9 @@ jobs: build-asset-rootfs: runs-on: ubuntu-22.04 needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: 
@@ -250,6 +253,9 @@ jobs: build-asset-shim-v2: runs-on: ubuntu-22.04 needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -307,6 +313,9 @@ jobs: create-kata-tarball: runs-on: ubuntu-22.04 needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index 67faeed612..e11ef5a205 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -133,6 +133,9 @@ jobs: build-asset-rootfs: runs-on: ubuntu-22.04-arm needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -222,6 +225,9 @@ jobs: build-asset-shim-v2: runs-on: ubuntu-22.04-arm needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -277,6 +283,9 @@ jobs: create-kata-tarball: runs-on: ubuntu-22.04-arm needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index cb14c54abf..94f7db4019 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml +++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml 
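Review bot: `create-kata-tarball` in build-kata-static-tarball-amd64.yaml is granted `packages: write` although, unlike `build-asset-shim-v2` just above it, the visible start of its step list shows only `actions/checkout@v4` and no registry login. `GITHUB_TOKEN` scopes cannot be made conditional on `inputs.push-to-registry`, so every grant here is live on pull-request runs as well; if this job only assembles the tarball artifact, narrow it to `packages: read` or drop the job-level block and inherit the workflow-level `contents: read`. If it does push to ghcr.io further down, a one-line comment naming that step would justify the write scope. The job's steps continue outside the hunk.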
@@ -86,6 +86,9 @@ jobs: build-asset-rootfs: runs-on: ppc64le needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -161,6 +164,9 @@ jobs: build-asset-shim-v2: runs-on: ppc64le needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -216,6 +222,9 @@ jobs: create-kata-tarball: runs-on: ppc64le needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] + permissions: + contents: read + packages: write steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index 7bee8105d7..847876a834 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -115,6 +115,9 @@ jobs: build-asset-rootfs: runs-on: s390x needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -178,6 +181,9 @@ jobs: build-asset-boot-image-se: runs-on: s390x needs: [build-asset, build-asset-rootfs] + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 @@ -238,6 +244,9 @@ jobs: build-asset-shim-v2: runs-on: s390x needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -299,6 +308,9 @@ jobs: - build-asset-rootfs - build-asset-boot-image-se - build-asset-shim-v2 + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml index 24d8361535..addeb5a2e3 100644 --- a/.github/workflows/ci-weekly.yaml +++ b/.github/workflows/ci-weekly.yaml 
@@ -21,6 +21,11 @@ permissions: jobs: build-kata-static-tarball-amd64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -29,6 +34,9 @@ jobs: publish-kata-deploy-payload-amd64: needs: build-kata-static-tarball-amd64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -42,6 +50,9 @@ jobs: secrets: inherit build-and-publish-tee-confidential-unencrypted-image: + permissions: + contents: read + packages: write runs-on: ubuntu-22.04 steps: - name: Checkout code diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4e4d733041..551ebe2f3b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -25,6 +25,11 @@ permissions: jobs: build-kata-static-tarball-amd64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -33,6 +38,9 @@ jobs: publish-kata-deploy-payload-amd64: needs: build-kata-static-tarball-amd64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -46,6 +54,11 @@ jobs: secrets: inherit build-kata-static-tarball-arm64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -54,6 +67,9 @@ jobs: publish-kata-deploy-payload-arm64: needs: build-kata-static-tarball-arm64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} 
@@ -67,6 +83,11 @@ jobs: secrets: inherit build-kata-static-tarball-s390x: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -75,6 +96,9 @@ jobs: secrets: inherit build-kata-static-tarball-ppc64le: + permissions: + contents: read + packages: write uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -82,6 +106,11 @@ jobs: target-branch: ${{ inputs.target-branch }} build-kata-static-tarball-riscv64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -91,6 +120,9 @@ jobs: publish-kata-deploy-payload-s390x: needs: build-kata-static-tarball-s390x + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -105,6 +137,9 @@ jobs: publish-kata-deploy-payload-ppc64le: needs: build-kata-static-tarball-ppc64le + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -118,6 +153,9 @@ jobs: secrets: inherit build-and-publish-tee-confidential-unencrypted-image: + permissions: + contents: read + packages: write runs-on: ubuntu-22.04 steps: - name: Checkout code diff --git a/.github/workflows/gatekeeper.yaml b/.github/workflows/gatekeeper.yaml index 687e813063..687f12aa94 100644 --- a/.github/workflows/gatekeeper.yaml +++ b/.github/workflows/gatekeeper.yaml @@ -26,6 +26,7 @@ jobs: actions: read contents: read issues: read + pull-requests: read steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml index 1f455284d5..beab04a9c4 100644 
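Review bot: `build-kata-static-tarball-ppc64le` is the only tarball caller job in ci.yaml that does not receive `id-token: write` and `attestations: write`, while amd64, arm64, s390x and riscv64 all do. If the ppc64le reusable workflow has no attestation step this is correct but worth a comment, e.g. `# ppc64le tarball is not attested, so no id-token/attestations scope`, so the asymmetry is not later "fixed" by adding scopes that are not needed; if it does attest, the step will fail with a permissions error and the two lines `id-token: write` and `attestations: write` should be added here as for the other architectures. Whether the called workflow attests is not visible from this hunk.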
--- a/.github/workflows/payload-after-push.yaml +++ b/.github/workflows/payload-after-push.yaml @@ -64,6 +64,9 @@ jobs: publish-kata-deploy-payload-amd64: needs: build-assets-amd64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -77,6 +80,9 @@ jobs: publish-kata-deploy-payload-arm64: needs: build-assets-arm64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -90,6 +96,9 @@ jobs: publish-kata-deploy-payload-s390x: needs: build-assets-s390x + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -103,6 +112,9 @@ jobs: publish-kata-deploy-payload-ppc64le: needs: build-assets-ppc64le + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -116,6 +128,9 @@ jobs: publish-manifest: runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le] steps: - name: Checkout repository diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml index 37eba1bf2f..f6298a5315 100644 --- a/.github/workflows/publish-kata-deploy-payload.yaml +++ b/.github/workflows/publish-kata-deploy-payload.yaml @@ -36,6 +36,9 @@ permissions: jobs: kata-payload: + permissions: + contents: read + packages: write runs-on: ${{ inputs.runner }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml index 40f8c2e58f..847e2caee6 100644 --- a/.github/workflows/release-amd64.yaml +++ b/.github/workflows/release-amd64.yaml 
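Review bot: In publish-kata-deploy-payload.yaml the new job-level block on `kata-payload` sits under an existing top-level `permissions:` block (visible in the hunk header context), so `packages: write` now either duplicates the top-level grant or widens it for a job that runs on a caller-chosen `${{ inputs.runner }}`. It is clearer to keep the write scope in exactly one place, the job that performs the push, and to reduce the top-level block to `contents: read`; a comment such as `# packages: write is needed to push the kata-deploy payload image with GITHUB_TOKEN` above the scope would make the reason explicit. The registry the job pushes to is not visible in the hunk, so this is inferred from the job's name and the `Login` patterns elsewhere in the patch.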
@@ -19,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-amd64 + permissions: + contents: read + packages: write runs-on: ubuntu-22.04 steps: - name: Login to Kata Containers docker.io diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml index 4a98dd6829..bbe4271922 100644 --- a/.github/workflows/release-arm64.yaml +++ b/.github/workflows/release-arm64.yaml @@ -19,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-arm64 + permissions: + contents: read + packages: write runs-on: ubuntu-22.04-arm steps: - name: Login to Kata Containers docker.io diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml index 6a60db833d..534371b32b 100644 --- a/.github/workflows/release-ppc64le.yaml +++ b/.github/workflows/release-ppc64le.yaml @@ -19,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-ppc64le + permissions: + contents: read + packages: write runs-on: ppc64le steps: - name: Login to Kata Containers docker.io diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml index f47337d8e5..684b227f45 100644 --- a/.github/workflows/release-s390x.yaml +++ b/.github/workflows/release-s390x.yaml @@ -19,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-s390x + permissions: + contents: read + packages: write runs-on: s390x steps: - name: Login to Kata Containers docker.io
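Review bot: The `kata-deploy` job in release-amd64.yaml (and the arm64, ppc64le and s390x siblings in the same hunk line) gets `packages: write`, but the first visible step is `Login to Kata Containers docker.io`, which by name uses docker.io credentials rather than `GITHUB_TOKEN`; `packages: write` only affects pushes to GitHub Packages/ghcr.io with the token. If the job also pushes to ghcr.io with `${{ secrets.GITHUB_TOKEN }}` the scope is needed and a comment `# ghcr.io push uses GITHUB_TOKEN` would document it; otherwise drop the `packages: write` line so a release job holding registry secrets does not also carry a write-scoped token, which matters more on the self-hosted `ppc64le`/`s390x` runners. The remaining steps of these jobs are outside the hunk.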