github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-22 09:49:35 +00:00
Code Issues Projects Releases Wiki Activity

workflows: Set top-level permissions to empty

Browse Source 
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
stevenhorsman 2025-07-22 14:45:36 +01:00 committed by Steve Horsman
parent c4ec6972b6
commit 5a4ba6ad5c
48 changed files with 53 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/PR-wip-checks.yaml vendored
View File

@ -9,8 +9,7 @@ on:
- labeled
- unlabeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

4
.github/workflows/actionlint.yaml vendored
View File

@ -11,8 +11,8 @@ on:
paths:
- '.github/workflows/**'
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/basic-ci-amd64.yaml vendored
View File

@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-containerd-sandboxapi:

3
.github/workflows/basic-ci-s390x.yaml vendored
View File

@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-containerd-sandboxapi:

3
.github/workflows/build-checks-preview-riscv64.yaml vendored
View File

@ -12,8 +12,7 @@ on:
required: true
type: string
permissions:
contents: read
permissions: {}
name: Build checks preview riscv64
jobs:

4
.github/workflows/build-checks.yaml vendored
View File

@ -5,8 +5,8 @@ on:
required: true
type: string
permissions:
contents: read
permissions: {}
name: Build checks
jobs:

3
.github/workflows/build-kata-static-tarball-amd64.yaml vendored
View File

@ -26,8 +26,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-arm64.yaml vendored
View File

@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: false
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-ppc64le.yaml vendored
View File

@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-riscv64.yaml vendored
View File

@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-s390x.yaml vendored
View File

@ -27,8 +27,7 @@ on:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/cargo-deny-runner.yaml vendored
View File

@ -11,8 +11,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
cargo-deny-runner:

3
.github/workflows/ci-coco-stability.yaml vendored
View File

@ -9,8 +9,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

3
.github/workflows/ci-devel.yaml vendored
View File

@ -2,8 +2,7 @@ name: Kata Containers CI (manually triggered)
on:
workflow_dispatch:
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

3
.github/workflows/ci-nightly-s390x.yaml vendored
View File

@ -4,8 +4,7 @@ on:
name: Nightly CI for s390x
permissions:
contents: read
permissions: {}
jobs:
check-internal-test-result:

3
.github/workflows/ci-nightly.yaml vendored
View File

@ -7,8 +7,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

3
.github/workflows/ci-on-push.yaml vendored
View File

@ -13,8 +13,7 @@ on:
- reopened
- labeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/ci-weekly.yaml vendored
View File

@ -30,8 +30,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-amd64:

4
.github/workflows/codeql.yml vendored
View File

@ -19,8 +19,8 @@ on:
schedule:
- cron: '45 0 * * 1'
permissions:
contents: read
permissions: {}
jobs:
analyze:

3
.github/workflows/commit-message-check.yaml vendored
View File

@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/darwin-tests.yaml vendored
View File

@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/docs-url-alive-check.yaml vendored
View File

@ -2,8 +2,7 @@ on:
schedule:
- cron: '0 23 * * 0'
permissions:
contents: read
permissions: {}
name: Docs URL Alive Check
jobs:

3
.github/workflows/gatekeeper-skipper.yaml vendored
View File

@ -31,8 +31,7 @@ on:
skip_static:
value: ${{ jobs.skipper.outputs.skip_static }}
permissions:
contents: read
permissions: {}
jobs:
skipper:

3
.github/workflows/gatekeeper.yaml vendored
View File

@ -12,8 +12,7 @@ on:
- reopened
- labeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

7
.github/workflows/govulncheck.yaml vendored
View File

@ -3,8 +3,7 @@ on:
name: Govulncheck
permissions:
contents: read
permissions: {}
jobs:
govulncheck:
@ -14,12 +13,12 @@ jobs:
include:
- binary: "kata-runtime"
make_target: "runtime"
- binary: "containerd-shim-kata-v2"
- binary: "containerd-shim-kata-v2"
make_target: "containerd-shim-v2"
- binary: "kata-monitor"
make_target: "monitor"
fail-fast: false
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

3
.github/workflows/kata-runtime-classes-sync.yaml vendored
View File

@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/payload-after-push.yaml vendored
View File

@ -5,8 +5,7 @@ on:
- main
workflow_dispatch:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/publish-kata-deploy-payload.yaml vendored
View File

@ -34,8 +34,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
kata-payload:

3
.github/workflows/release-amd64.yaml vendored
View File

@ -11,8 +11,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-amd64:

3
.github/workflows/release-arm64.yaml vendored
View File

@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-arm64:

3
.github/workflows/release-ppc64le.yaml vendored
View File

@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-ppc64le:

3
.github/workflows/release-s390x.yaml vendored
View File

@ -11,8 +11,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-s390x:

3
.github/workflows/release.yaml vendored
View File

@ -2,8 +2,7 @@ name: Release Kata Containers
on:
workflow_dispatch
permissions:
contents: read
permissions: {}
jobs:
release:

3
.github/workflows/run-cri-containerd-tests.yaml vendored
View File

@ -1,7 +1,6 @@
name: CI | Run cri-containerd tests
permissions:
contents: read
permissions: {}
on:
workflow_call:

3
.github/workflows/run-k8s-tests-on-amd64.yaml vendored
View File

@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests-amd64:

3
.github/workflows/run-k8s-tests-on-arm64.yaml vendored
View File

@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests-on-arm64:

3
.github/workflows/run-k8s-tests-on-ppc64le.yaml vendored
View File

@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests:

3
.github/workflows/run-k8s-tests-on-zvsi.yaml vendored
View File

@ -25,8 +25,7 @@ on:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests:

3
.github/workflows/run-kata-deploy-tests.yaml vendored
View File

@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-kata-deploy-tests:

3
.github/workflows/run-kata-monitor-tests.yaml vendored
View File

@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-monitor:

3
.github/workflows/run-metrics.yaml vendored
View File

@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-metrics:

3
.github/workflows/run-runk-tests.yaml vendored
View File

@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-runk:

3
.github/workflows/shellcheck.yaml vendored
View File

@ -10,8 +10,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/shellcheck_required.yaml vendored
View File

@ -11,8 +11,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/stale.yaml vendored
View File

@ -4,8 +4,7 @@ on:
- cron: '0 0 * * *'
workflow_dispatch:
permissions:
contents: read
permissions: {}
jobs:
stale:

3
.github/workflows/static-checks-self-hosted.yaml vendored
View File

@ -6,8 +6,7 @@ on:
- reopened
- labeled # a workflow runs only when the 'ok-to-test' label is added
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/static-checks.yaml vendored
View File

@ -7,8 +7,7 @@ on:
- synchronize
workflow_dispatch:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/zizmor.yaml vendored
View File

@ -5,8 +5,7 @@ on:
branches: ["main"]
pull_request:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}