diff --git a/.github/workflows/PR-wip-checks.yaml b/.github/workflows/PR-wip-checks.yaml
index 3b13b31605..6de6f9b8f0 100644
--- a/.github/workflows/PR-wip-checks.yaml
+++ b/.github/workflows/PR-wip-checks.yaml
@@ -9,8 +9,7 @@ on:
 - labeled
 - unlabeled
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index e656193779..e83e763df6 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -11,8 +11,8 @@ on:
 paths:
 - '.github/workflows/**'
-permissions:
- contents: read
+permissions: {}
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/basic-ci-amd64.yaml b/.github/workflows/basic-ci-amd64.yaml
index 05509dfba1..ad4b73416e 100644
--- a/.github/workflows/basic-ci-amd64.yaml
+++ b/.github/workflows/basic-ci-amd64.yaml
@@ -13,8 +13,7 @@ on:
 type: string
 default: ""
-permissions:
- contents: read
+permissions: {}
 jobs:
 run-containerd-sandboxapi:
diff --git a/.github/workflows/basic-ci-s390x.yaml b/.github/workflows/basic-ci-s390x.yaml
index 5b0e9a3301..c2e1ab1dc3 100644
--- a/.github/workflows/basic-ci-s390x.yaml
+++ b/.github/workflows/basic-ci-s390x.yaml
@@ -13,8 +13,7 @@ on:
 type: string
 default: ""
-permissions:
- contents: read
+permissions: {}
 jobs:
 run-containerd-sandboxapi:
diff --git a/.github/workflows/build-checks-preview-riscv64.yaml b/.github/workflows/build-checks-preview-riscv64.yaml
index 8a089ad7c6..6eaf5b933e 100644
--- a/.github/workflows/build-checks-preview-riscv64.yaml
+++ b/.github/workflows/build-checks-preview-riscv64.yaml
@@ -12,8 +12,7 @@ on:
 required: true
 type: string
-permissions:
- contents: read
+permissions: {}
 name: Build checks preview riscv64
 jobs:
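Review bot: Reducing the workflow-level block to `permissions: {}` leaves every job that lacks its own `permissions:` with a GITHUB_TOKEN carrying no scopes at all, and neither this hunk nor the matching hunks in every other workflow file touched by this commit add a job-level grant in place of the dropped `contents: read`. That is the right least-privilege shape provided the scopes moved down to the jobs, but the job blocks lie outside these hunks; jobs that presumably need more than a read token — the codeql.yml `analyze` job uploading its results and the stale.yaml `stale` job labelling issues and pull requests — should be confirmed to declare `contents: read` plus their write scope before merging. A one-line comment on the new key would record the intent for the next editor, e.g. `permissions: {}  # no workflow-wide token scopes; each job declares the minimum it needs`. The actionlint.yaml, build-checks.yaml and codeql.yml hunks also add a second blank line after the new key where every other hunk keeps one; dropping that extra `+` line keeps the files consistent.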
diff --git a/.github/workflows/build-checks.yaml b/.github/workflows/build-checks.yaml
index 903bc7e914..143ad5a143 100644
--- a/.github/workflows/build-checks.yaml
+++ b/.github/workflows/build-checks.yaml
@@ -5,8 +5,8 @@ on:
 required: true
 type: string
-permissions:
- contents: read
+permissions: {}
+
 name: Build checks
 jobs:
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index ff75f488d7..8b139fd671 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -26,8 +26,7 @@ on:
 KBUILD_SIGN_PIN:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 build-asset:
diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml
index fc9376c935..d0c4f77b5d 100644
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -24,8 +24,7 @@ on:
 QUAY_DEPLOYER_PASSWORD:
 required: false
-permissions:
- contents: read
+permissions: {}
 jobs:
 build-asset:
diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
index bfe1e9aa53..6e90e70421 100644
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -24,8 +24,7 @@ on:
 QUAY_DEPLOYER_PASSWORD:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 build-asset:
diff --git a/.github/workflows/build-kata-static-tarball-riscv64.yaml b/.github/workflows/build-kata-static-tarball-riscv64.yaml
index bf5726d00b..925de07123 100644
--- a/.github/workflows/build-kata-static-tarball-riscv64.yaml
+++ b/.github/workflows/build-kata-static-tarball-riscv64.yaml
@@ -24,8 +24,7 @@ on:
 QUAY_DEPLOYER_PASSWORD:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 build-asset:
diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml
index caa905f303..725649aace 100644
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -27,8 +27,7 @@ on:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 build-asset:
diff --git a/.github/workflows/cargo-deny-runner.yaml b/.github/workflows/cargo-deny-runner.yaml
index 024eedd57c..1c86530cf4 100644
--- a/.github/workflows/cargo-deny-runner.yaml
+++ b/.github/workflows/cargo-deny-runner.yaml
@@ -11,8 +11,7 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 cargo-deny-runner:
diff --git a/.github/workflows/ci-coco-stability.yaml b/.github/workflows/ci-coco-stability.yaml
index accb9cf9d2..3a75d91349 100644
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@@ -9,8 +9,7 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 kata-containers-ci-on-push:
diff --git a/.github/workflows/ci-devel.yaml b/.github/workflows/ci-devel.yaml
index 96ad37d1e7..3fa673e641 100644
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -2,8 +2,7 @@ name: Kata Containers CI (manually triggered)
 on:
 workflow_dispatch:
-permissions:
- contents: read
+permissions: {}
 jobs:
 kata-containers-ci-on-push:
diff --git a/.github/workflows/ci-nightly-s390x.yaml b/.github/workflows/ci-nightly-s390x.yaml
index ddf0434eab..8c7a2951eb 100644
--- a/.github/workflows/ci-nightly-s390x.yaml
+++ b/.github/workflows/ci-nightly-s390x.yaml
@@ -4,8 +4,7 @@ on:
 name: Nightly CI for s390x
-permissions:
- contents: read
+permissions: {}
 jobs:
 check-internal-test-result:
diff --git a/.github/workflows/ci-nightly.yaml b/.github/workflows/ci-nightly.yaml
index 990d1a7c8f..5d335e3cff 100644
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -7,8 +7,7 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
 cancel-in-progress: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 kata-containers-ci-on-push:
diff --git a/.github/workflows/ci-on-push.yaml b/.github/workflows/ci-on-push.yaml
index 775d3ef983..f8e39085f4 100644
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -13,8 +13,7 @@ on:
 - reopened
 - labeled
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml
index 4b14c6645f..79f7c27790 100644
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -30,8 +30,7 @@ on:
 KBUILD_SIGN_PIN:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 build-kata-static-tarball-amd64:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ff41cf39d0..4730cc74d0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -19,8 +19,8 @@ on:
 schedule:
 - cron: '45 0 * * 1'
-permissions:
- contents: read
+permissions: {}
+
 jobs:
 analyze:
diff --git a/.github/workflows/commit-message-check.yaml b/.github/workflows/commit-message-check.yaml
index 2f55290d26..c8efcdcee4 100644
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@@ -6,8 +6,7 @@ on:
 - reopened
 - synchronize
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/darwin-tests.yaml b/.github/workflows/darwin-tests.yaml
index c8aded16d4..eefbb72d07 100644
--- a/.github/workflows/darwin-tests.yaml
+++ b/.github/workflows/darwin-tests.yaml
@@ -6,8 +6,7 @@ on:
 - reopened
 - synchronize
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/docs-url-alive-check.yaml b/.github/workflows/docs-url-alive-check.yaml
index 4d587a30d2..2aab3ee76d 100644
--- a/.github/workflows/docs-url-alive-check.yaml
+++ b/.github/workflows/docs-url-alive-check.yaml
@@ -2,8 +2,7 @@ on:
 schedule:
 - cron: '0 23 * * 0'
-permissions:
- contents: read
+permissions: {}
 name: Docs URL Alive Check
 jobs:
diff --git a/.github/workflows/gatekeeper-skipper.yaml b/.github/workflows/gatekeeper-skipper.yaml
index 04d57a6359..39e23b77e1 100644
--- a/.github/workflows/gatekeeper-skipper.yaml
+++ b/.github/workflows/gatekeeper-skipper.yaml
@@ -31,8 +31,7 @@ on:
 skip_static:
 value: ${{ jobs.skipper.outputs.skip_static }}
-permissions:
- contents: read
+permissions: {}
 jobs:
 skipper:
diff --git a/.github/workflows/gatekeeper.yaml b/.github/workflows/gatekeeper.yaml
index 02b7f69591..7a3379ebdc 100644
--- a/.github/workflows/gatekeeper.yaml
+++ b/.github/workflows/gatekeeper.yaml
@@ -12,8 +12,7 @@ on:
 - reopened
 - labeled
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/govulncheck.yaml b/.github/workflows/govulncheck.yaml
index dda0158f1a..9281b55de5 100644
--- a/.github/workflows/govulncheck.yaml
+++ b/.github/workflows/govulncheck.yaml
@@ -3,8 +3,7 @@ on:
 name: Govulncheck
-permissions:
- contents: read
+permissions: {}
 jobs:
 govulncheck:
@@ -14,12 +13,12 @@ jobs:
 include:
 - binary: "kata-runtime"
 make_target: "runtime"
- - binary: "containerd-shim-kata-v2"
+ - binary: "containerd-shim-kata-v2"
 make_target: "containerd-shim-v2"
 - binary: "kata-monitor"
 make_target: "monitor"
 fail-fast: false
-
+
 steps:
 - name: Checkout the code
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
diff --git a/.github/workflows/kata-runtime-classes-sync.yaml b/.github/workflows/kata-runtime-classes-sync.yaml
index b5ba220439..7a0db7af63 100644
--- a/.github/workflows/kata-runtime-classes-sync.yaml
+++ b/.github/workflows/kata-runtime-classes-sync.yaml
@@ -6,8 +6,7 @@ on:
 - reopened
 - synchronize
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml
index 566bcf14bd..4c93653602 100644
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -5,8 +5,7 @@ on:
 - main
 workflow_dispatch:
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml
index 22a4a82894..91370e7457 100644
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -34,8 +34,7 @@ on:
 QUAY_DEPLOYER_PASSWORD:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 kata-payload:
diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml
index 129b8f3054..e071241e91 100644
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
@@ -11,8 +11,7 @@ on:
 KBUILD_SIGN_PIN:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 build-kata-static-tarball-amd64:
diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml
index aa8176a58b..ce10df280a 100644
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -9,8 +9,7 @@ on:
 QUAY_DEPLOYER_PASSWORD:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 build-kata-static-tarball-arm64:
diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml
index a179273b6f..08169f4e13 100644
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -9,8 +9,7 @@ on:
 QUAY_DEPLOYER_PASSWORD:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 build-kata-static-tarball-ppc64le:
diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml
index 4477bba40b..0715dbcb64 100644
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -11,8 +11,7 @@ on:
 QUAY_DEPLOYER_PASSWORD:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 build-kata-static-tarball-s390x:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 48171cac7b..c6e445aa2c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -2,8 +2,7 @@ name: Release Kata Containers
 on: workflow_dispatch
-permissions:
- contents: read
+permissions: {}
 jobs:
 release:
diff --git a/.github/workflows/run-cri-containerd-tests.yaml b/.github/workflows/run-cri-containerd-tests.yaml
index cd2a0cfffb..e1a5e5d520 100644
--- a/.github/workflows/run-cri-containerd-tests.yaml
+++ b/.github/workflows/run-cri-containerd-tests.yaml
@@ -1,7 +1,6 @@
 name: CI | Run cri-containerd tests
-permissions:
- contents: read
+permissions: {}
 on:
 workflow_call:
diff --git a/.github/workflows/run-k8s-tests-on-amd64.yaml b/.github/workflows/run-k8s-tests-on-amd64.yaml
index b438224c2f..6f4b981f9b 100644
--- a/.github/workflows/run-k8s-tests-on-amd64.yaml
+++ b/.github/workflows/run-k8s-tests-on-amd64.yaml
@@ -22,8 +22,7 @@ on:
 type: string
 default: ""
-permissions:
- contents: read
+permissions: {}
 jobs:
 run-k8s-tests-amd64:
diff --git a/.github/workflows/run-k8s-tests-on-arm64.yaml b/.github/workflows/run-k8s-tests-on-arm64.yaml
index fad147a69e..22e4df9f8d 100644
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@@ -22,8 +22,7 @@ on:
 type: string
 default: ""
-permissions:
- contents: read
+permissions: {}
 jobs:
 run-k8s-tests-on-arm64:
diff --git a/.github/workflows/run-k8s-tests-on-ppc64le.yaml b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
index a650abb0e7..d8532e9099 100644
--- a/.github/workflows/run-k8s-tests-on-ppc64le.yaml
+++ b/.github/workflows/run-k8s-tests-on-ppc64le.yaml
@@ -22,8 +22,7 @@ on:
 type: string
 default: ""
-permissions:
- contents: read
+permissions: {}
 jobs:
 run-k8s-tests:
diff --git a/.github/workflows/run-k8s-tests-on-zvsi.yaml b/.github/workflows/run-k8s-tests-on-zvsi.yaml
index b3d9b42650..65b1d3821a 100644
--- a/.github/workflows/run-k8s-tests-on-zvsi.yaml
+++ b/.github/workflows/run-k8s-tests-on-zvsi.yaml
@@ -25,8 +25,7 @@ on:
 AUTHENTICATED_IMAGE_PASSWORD:
 required: true
-permissions:
- contents: read
+permissions: {}
 jobs:
 run-k8s-tests:
diff --git a/.github/workflows/run-kata-deploy-tests.yaml b/.github/workflows/run-kata-deploy-tests.yaml
index 9d05ff69cd..e793cbb422 100644
--- a/.github/workflows/run-kata-deploy-tests.yaml
+++ b/.github/workflows/run-kata-deploy-tests.yaml
@@ -22,8 +22,7 @@ on:
 type: string
 default: ""
-permissions:
- contents: read
+permissions: {}
 jobs:
 run-kata-deploy-tests:
diff --git a/.github/workflows/run-kata-monitor-tests.yaml b/.github/workflows/run-kata-monitor-tests.yaml
index 4f7d295750..e4dc377cca 100644
--- a/.github/workflows/run-kata-monitor-tests.yaml
+++ b/.github/workflows/run-kata-monitor-tests.yaml
@@ -13,8 +13,7 @@ on:
 type: string
 default: ""
-permissions:
- contents: read
+permissions: {}
 jobs:
 run-monitor:
diff --git a/.github/workflows/run-metrics.yaml b/.github/workflows/run-metrics.yaml
index 5f7e7841dc..5c6d3d2274 100644
--- a/.github/workflows/run-metrics.yaml
+++ b/.github/workflows/run-metrics.yaml
@@ -22,8 +22,7 @@ on:
 type: string
 default: ""
-permissions:
- contents: read
+permissions: {}
 jobs:
 run-metrics:
diff --git a/.github/workflows/run-runk-tests.yaml b/.github/workflows/run-runk-tests.yaml
index 5ec842aeae..17adf39349 100644
--- a/.github/workflows/run-runk-tests.yaml
+++ b/.github/workflows/run-runk-tests.yaml
@@ -13,8 +13,7 @@ on:
 type: string
 default: ""
-permissions:
- contents: read
+permissions: {}
 jobs:
 run-runk:
diff --git a/.github/workflows/shellcheck.yaml b/.github/workflows/shellcheck.yaml
index 04c2d85a4c..d9ea97c5cc 100644
--- a/.github/workflows/shellcheck.yaml
+++ b/.github/workflows/shellcheck.yaml
@@ -10,8 +10,7 @@ on:
 - reopened
 - synchronize
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/shellcheck_required.yaml b/.github/workflows/shellcheck_required.yaml
index 44e84a2700..35c1ee10f1 100644
--- a/.github/workflows/shellcheck_required.yaml
+++ b/.github/workflows/shellcheck_required.yaml
@@ -11,8 +11,7 @@ on:
 - reopened
 - synchronize
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index e0327ddda1..627920789e 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -4,8 +4,7 @@ on:
 - cron: '0 0 * * *'
 workflow_dispatch:
-permissions:
- contents: read
+permissions: {}
 jobs:
 stale:
diff --git a/.github/workflows/static-checks-self-hosted.yaml b/.github/workflows/static-checks-self-hosted.yaml
index a1c47c8637..4f8df1be06 100644
--- a/.github/workflows/static-checks-self-hosted.yaml
+++ b/.github/workflows/static-checks-self-hosted.yaml
@@ -6,8 +6,7 @@ on:
 - reopened
 - labeled # a workflow runs only when the 'ok-to-test' label is added
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/static-checks.yaml b/.github/workflows/static-checks.yaml
index 7ac0d810d5..3cdb1e14cf 100644
--- a/.github/workflows/static-checks.yaml
+++ b/.github/workflows/static-checks.yaml
@@ -7,8 +7,7 @@ on:
 - synchronize
 workflow_dispatch:
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index a260a22861..51db22058a 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -5,8 +5,7 @@ on:
 branches: ["main"]
 pull_request:
-permissions:
- contents: read
+permissions: {}
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}