workflows: Set top-level permissions to empty

The default suggestion for top-level permissions was
`contents: read`, but scorecard flags anything other than an empty
block, so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
stevenhorsman 2025-07-22 14:45:36 +01:00 committed by Steve Horsman
parent c4ec6972b6
commit 5a4ba6ad5c
48 changed files with 53 additions and 98 deletions


@ -9,8 +9,7 @@ on:
- labeled - labeled
- unlabeled - unlabeled
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
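Review bot: With `permissions: {}` at the top level, every job in the workflow receives a GITHUB_TOKEN with no scopes unless the job declares its own `permissions:` block, and those job-level blocks lie outside the hunk in every section of this commit, so the diff alone cannot show whether each job still has what it needs. The jobs most likely to need a job-level grant are the ones that write to GitHub rather than to an external registry: the `analyze:` job in the CodeQL section (hunk ending `analyze:`), which presumably uploads results and would need `security-events: write`; the `stale:` job (hunk ending `stale:`), which if it uses actions/stale needs `issues: write` and `pull-requests: write`; and the `release:` job in the "Release Kata Containers" section, which needs `contents: write` if it creates releases. Those three run on a schedule or `workflow_dispatch`, so the plan in the commit message of waiting to "see if there are any issues" will not surface breakage in PR CI; each of those jobs' `permissions:` should be confirmed before merge. For the `workflow_call` workflows (e.g. the cri-containerd section), the caller's grant is the ceiling and the called jobs still need their own declarations, so the "only needed if we run workflows from other repos" reasoning does not hold. A one-line comment above the new key would make the intent clear to the next editor, e.g. `# Default-deny: each job declares exactly the permissions it needs.`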


@ -11,8 +11,8 @@ on:
paths: paths:
- '.github/workflows/**' - '.github/workflows/**'
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -13,8 +13,7 @@ on:
type: string type: string
default: "" default: ""
permissions: permissions: {}
contents: read
jobs: jobs:
run-containerd-sandboxapi: run-containerd-sandboxapi:


@ -13,8 +13,7 @@ on:
type: string type: string
default: "" default: ""
permissions: permissions: {}
contents: read
jobs: jobs:
run-containerd-sandboxapi: run-containerd-sandboxapi:


@ -12,8 +12,7 @@ on:
required: true required: true
type: string type: string
permissions: permissions: {}
contents: read
name: Build checks preview riscv64 name: Build checks preview riscv64
jobs: jobs:


@ -5,8 +5,8 @@ on:
required: true required: true
type: string type: string
permissions: permissions: {}
contents: read
name: Build checks name: Build checks
jobs: jobs:


@ -26,8 +26,7 @@ on:
KBUILD_SIGN_PIN: KBUILD_SIGN_PIN:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
build-asset: build-asset:


@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: false required: false
permissions: permissions: {}
contents: read
jobs: jobs:
build-asset: build-asset:


@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
build-asset: build-asset:


@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
build-asset: build-asset:


@ -27,8 +27,7 @@ on:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
build-asset: build-asset:


@ -11,8 +11,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
contents: read
jobs: jobs:
cargo-deny-runner: cargo-deny-runner:


@ -9,8 +9,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
contents: read
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:


@ -2,8 +2,7 @@ name: Kata Containers CI (manually triggered)
on: on:
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
contents: read
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:


@ -4,8 +4,7 @@ on:
name: Nightly CI for s390x name: Nightly CI for s390x
permissions: permissions: {}
contents: read
jobs: jobs:
check-internal-test-result: check-internal-test-result:


@ -7,8 +7,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: permissions: {}
contents: read
jobs: jobs:
kata-containers-ci-on-push: kata-containers-ci-on-push:


@ -13,8 +13,7 @@ on:
- reopened - reopened
- labeled - labeled
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -30,8 +30,7 @@ on:
KBUILD_SIGN_PIN: KBUILD_SIGN_PIN:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:


@ -19,8 +19,8 @@ on:
schedule: schedule:
- cron: '45 0 * * 1' - cron: '45 0 * * 1'
permissions: permissions: {}
contents: read
jobs: jobs:
analyze: analyze:


@ -6,8 +6,7 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -6,8 +6,7 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -2,8 +2,7 @@ on:
schedule: schedule:
- cron: '0 23 * * 0' - cron: '0 23 * * 0'
permissions: permissions: {}
contents: read
name: Docs URL Alive Check name: Docs URL Alive Check
jobs: jobs:


@ -31,8 +31,7 @@ on:
skip_static: skip_static:
value: ${{ jobs.skipper.outputs.skip_static }} value: ${{ jobs.skipper.outputs.skip_static }}
permissions: permissions: {}
contents: read
jobs: jobs:
skipper: skipper:


@ -12,8 +12,7 @@ on:
- reopened - reopened
- labeled - labeled
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -3,8 +3,7 @@ on:
name: Govulncheck name: Govulncheck
permissions: permissions: {}
contents: read
jobs: jobs:
govulncheck: govulncheck:
@ -14,12 +13,12 @@ jobs:
include: include:
- binary: "kata-runtime" - binary: "kata-runtime"
make_target: "runtime" make_target: "runtime"
- binary: "containerd-shim-kata-v2" - binary: "containerd-shim-kata-v2"
make_target: "containerd-shim-v2" make_target: "containerd-shim-v2"
- binary: "kata-monitor" - binary: "kata-monitor"
make_target: "monitor" make_target: "monitor"
fail-fast: false fail-fast: false
steps: steps:
- name: Checkout the code - name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4


@ -6,8 +6,7 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -5,8 +5,7 @@ on:
- main - main
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -34,8 +34,7 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
kata-payload: kata-payload:


@ -11,8 +11,7 @@ on:
KBUILD_SIGN_PIN: KBUILD_SIGN_PIN:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:


@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
build-kata-static-tarball-arm64: build-kata-static-tarball-arm64:


@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
build-kata-static-tarball-ppc64le: build-kata-static-tarball-ppc64le:


@ -11,8 +11,7 @@ on:
QUAY_DEPLOYER_PASSWORD: QUAY_DEPLOYER_PASSWORD:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
build-kata-static-tarball-s390x: build-kata-static-tarball-s390x:


@ -2,8 +2,7 @@ name: Release Kata Containers
on: on:
workflow_dispatch workflow_dispatch
permissions: permissions: {}
contents: read
jobs: jobs:
release: release:


@ -1,7 +1,6 @@
name: CI | Run cri-containerd tests name: CI | Run cri-containerd tests
permissions: permissions: {}
contents: read
on: on:
workflow_call: workflow_call:


@ -22,8 +22,7 @@ on:
type: string type: string
default: "" default: ""
permissions: permissions: {}
contents: read
jobs: jobs:
run-k8s-tests-amd64: run-k8s-tests-amd64:


@ -22,8 +22,7 @@ on:
type: string type: string
default: "" default: ""
permissions: permissions: {}
contents: read
jobs: jobs:
run-k8s-tests-on-arm64: run-k8s-tests-on-arm64:


@ -22,8 +22,7 @@ on:
type: string type: string
default: "" default: ""
permissions: permissions: {}
contents: read
jobs: jobs:
run-k8s-tests: run-k8s-tests:


@ -25,8 +25,7 @@ on:
AUTHENTICATED_IMAGE_PASSWORD: AUTHENTICATED_IMAGE_PASSWORD:
required: true required: true
permissions: permissions: {}
contents: read
jobs: jobs:
run-k8s-tests: run-k8s-tests:


@ -22,8 +22,7 @@ on:
type: string type: string
default: "" default: ""
permissions: permissions: {}
contents: read
jobs: jobs:
run-kata-deploy-tests: run-kata-deploy-tests:


@ -13,8 +13,7 @@ on:
type: string type: string
default: "" default: ""
permissions: permissions: {}
contents: read
jobs: jobs:
run-monitor: run-monitor:


@ -22,8 +22,7 @@ on:
type: string type: string
default: "" default: ""
permissions: permissions: {}
contents: read
jobs: jobs:
run-metrics: run-metrics:


@ -13,8 +13,7 @@ on:
type: string type: string
default: "" default: ""
permissions: permissions: {}
contents: read
jobs: jobs:
run-runk: run-runk:


@ -10,8 +10,7 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -11,8 +11,7 @@ on:
- reopened - reopened
- synchronize - synchronize
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -4,8 +4,7 @@ on:
- cron: '0 0 * * *' - cron: '0 0 * * *'
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
contents: read
jobs: jobs:
stale: stale:


@ -6,8 +6,7 @@ on:
- reopened - reopened
- labeled # a workflow runs only when the 'ok-to-test' label is added - labeled # a workflow runs only when the 'ok-to-test' label is added
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -7,8 +7,7 @@ on:
- synchronize - synchronize
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}


@ -5,8 +5,7 @@ on:
branches: ["main"] branches: ["main"]
pull_request: pull_request:
permissions: permissions: {}
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}