github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-05 19:47:53 +00:00
Code Issues Projects Releases Wiki Activity

workflows: Add explicit permissions for attestation

Browse Source 
We have a number of jobs that nest the build-static-tarball
workflows later on. Due to these doing attest build provenance,
and pushing to ghcr.io, t hey need write permissions on
`packages`, `id-token` and `attestations`, so we need to set
these permissions on the top-level jobs (along with `contents: read`),
so they are not blocked.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
stevenhorsman 2025-05-28 12:03:14 +01:00
parent aab6caa141
commit 3ff602c1e8
7 changed files with 59 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/build-kata-static-tarball-ppc64le.yaml vendored
View File

@ -23,6 +23,9 @@ on:
jobs: jobs:
build-asset: build-asset:
permissions:
contents: read
packages: write
runs-on: ppc64le runs-on: ppc64le
strategy: strategy:
matrix: matrix:

5
.github/workflows/ci-coco-stability.yaml vendored
View File

@ -10,6 +10,11 @@ concurrency:
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/ci-weekly.yaml uses: ./.github/workflows/ci-weekly.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}

5
.github/workflows/ci-devel.yaml vendored
View File

@ -4,6 +4,11 @@ on:
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/ci.yaml uses: ./.github/workflows/ci.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}

5
.github/workflows/ci-nightly.yaml vendored
View File

@ -9,6 +9,11 @@ concurrency:
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/ci.yaml uses: ./.github/workflows/ci.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}

5
.github/workflows/ci-on-push.yaml vendored
View File

@ -29,6 +29,11 @@ jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:
needs: skipper needs: skipper
if: ${{ needs.skipper.outputs.skip_build != 'yes' }} if: ${{ needs.skipper.outputs.skip_build != 'yes' }}
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/ci.yaml uses: ./.github/workflows/ci.yaml
with: with:
commit-hash: ${{ github.event.pull_request.head.sha }} commit-hash: ${{ github.event.pull_request.head.sha }}

18
.github/workflows/payload-after-push.yaml vendored
View File

@ -10,6 +10,11 @@ concurrency:
jobs: jobs:
build-assets-amd64: build-assets-amd64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}
@ -18,6 +23,11 @@ jobs:
secrets: inherit secrets: inherit
build-assets-arm64: build-assets-arm64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}
@ -26,6 +36,11 @@ jobs:
secrets: inherit secrets: inherit
build-assets-s390x: build-assets-s390x:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}
@ -34,6 +49,9 @@ jobs:
secrets: inherit secrets: inherit
build-assets-ppc64le: build-assets-ppc64le:
permissions:
contents: read
packages: write
uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}

18
.github/workflows/release.yaml vendored
View File

@ -19,6 +19,11 @@ jobs:
build-and-push-assets-amd64: build-and-push-assets-amd64:
needs: release needs: release
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/release-amd64.yaml uses: ./.github/workflows/release-amd64.yaml
with: with:
target-arch: amd64 target-arch: amd64
@ -26,6 +31,11 @@ jobs:
build-and-push-assets-arm64: build-and-push-assets-arm64:
needs: release needs: release
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/release-arm64.yaml uses: ./.github/workflows/release-arm64.yaml
with: with:
target-arch: arm64 target-arch: arm64
@ -33,6 +43,11 @@ jobs:
build-and-push-assets-s390x: build-and-push-assets-s390x:
needs: release needs: release
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/release-s390x.yaml uses: ./.github/workflows/release-s390x.yaml
with: with:
target-arch: s390x target-arch: s390x
@ -40,6 +55,9 @@ jobs:
build-and-push-assets-ppc64le: build-and-push-assets-ppc64le:
needs: release needs: release
permissions:
contents: read
packages: write
uses: ./.github/workflows/release-ppc64le.yaml uses: ./.github/workflows/release-ppc64le.yaml
with: with:
target-arch: ppc64le target-arch: ppc64le