github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-16 14:28:35 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #11614 from kata-containers/workflow-permissions-tightening

Browse Source 
Workflow permissions tightening
This commit is contained in:
Aurélien Bombo
2025-08-28 10:56:03 -05:00
committed by GitHub
parent 08d2ba1969 b4545da15d
commit 754f07cff2
55 changed files with 80 additions and 116 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/PR-wip-checks.yaml vendored
View File

@@ -9,8 +9,7 @@ on:
- labeled
- unlabeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

4
.github/workflows/actionlint.yaml vendored
View File

@@ -11,8 +11,8 @@ on:
paths:
- '.github/workflows/**'
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/basic-ci-amd64.yaml vendored
View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-containerd-sandboxapi:

3
.github/workflows/basic-ci-s390x.yaml vendored
View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-containerd-sandboxapi:

3
.github/workflows/build-checks-preview-riscv64.yaml vendored
View File

@@ -12,8 +12,7 @@ on:
required: true
type: string
permissions:
contents: read
permissions: {}
name: Build checks preview riscv64
jobs:

4
.github/workflows/build-checks.yaml vendored
View File

@@ -5,8 +5,8 @@ on:
required: true
type: string
permissions:
contents: read
permissions: {}
name: Build checks
jobs:

3
.github/workflows/build-kata-static-tarball-amd64.yaml vendored
View File

@@ -26,8 +26,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-arm64.yaml vendored
View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: false
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-ppc64le.yaml vendored
View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-riscv64.yaml vendored
View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-s390x.yaml vendored
View File

@@ -27,8 +27,7 @@ on:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/cargo-deny-runner.yaml vendored
View File

@@ -11,8 +11,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
cargo-deny-runner:

3
.github/workflows/ci-coco-stability.yaml vendored
View File

@@ -9,8 +9,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

3
.github/workflows/ci-devel.yaml vendored
View File

@@ -2,8 +2,7 @@ name: Kata Containers CI (manually triggered)
on:
workflow_dispatch:
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

3
.github/workflows/ci-nightly-s390x.yaml vendored
View File

@@ -4,8 +4,7 @@ on:
name: Nightly CI for s390x
permissions:
contents: read
permissions: {}
jobs:
check-internal-test-result:

3
.github/workflows/ci-nightly.yaml vendored
View File

@@ -7,8 +7,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

3
.github/workflows/ci-on-push.yaml vendored
View File

@@ -13,8 +13,7 @@ on:
- reopened
- labeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/ci-weekly.yaml vendored
View File

@@ -30,8 +30,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-amd64:

11
.github/workflows/ci.yaml vendored
View File

@@ -40,9 +40,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
build-kata-static-tarball-amd64:
@@ -292,6 +290,10 @@ jobs:
if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io
@@ -351,6 +353,9 @@ jobs:
- build-and-publish-tee-confidential-unencrypted-image
- publish-csi-driver-amd64
uses: ./.github/workflows/run-kata-coco-tests.yaml
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
with:
tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io

6
.github/workflows/cleanup-resources.yaml vendored
View File

@@ -4,13 +4,13 @@ on:
- cron: "0 0 * * *"
workflow_dispatch:
permissions:
contents: read
id-token: write
permissions: {}
jobs:
cleanup-resources:
runs-on: ubuntu-22.04
permissions:
id-token: write # Used for OIDC access to log into Azure
environment: ci
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

4
.github/workflows/codeql.yml vendored
View File

@@ -19,8 +19,8 @@ on:
schedule:
- cron: '45 0 * * 1'
permissions:
contents: read
permissions: {}
jobs:
analyze:

3
.github/workflows/commit-message-check.yaml vendored
View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/darwin-tests.yaml vendored
View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/docs-url-alive-check.yaml vendored
View File

@@ -2,8 +2,7 @@ on:
schedule:
- cron: '0 23 * * 0'
permissions:
contents: read
permissions: {}
name: Docs URL Alive Check
jobs:

3
.github/workflows/gatekeeper-skipper.yaml vendored
View File

@@ -31,8 +31,7 @@ on:
skip_static:
value: ${{ jobs.skipper.outputs.skip_static }}
permissions:
contents: read
permissions: {}
jobs:
skipper:

3
.github/workflows/gatekeeper.yaml vendored
View File

@@ -12,8 +12,7 @@ on:
- reopened
- labeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

7
.github/workflows/govulncheck.yaml vendored
View File

@@ -3,8 +3,7 @@ on:
name: Govulncheck
permissions:
contents: read
permissions: {}
jobs:
govulncheck:
@@ -14,12 +13,12 @@ jobs:
include:
- binary: "kata-runtime"
make_target: "runtime"
- binary: "containerd-shim-kata-v2"
- binary: "containerd-shim-kata-v2"
make_target: "containerd-shim-v2"
- binary: "kata-monitor"
make_target: "monitor"
fail-fast: false
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

3
.github/workflows/kata-runtime-classes-sync.yaml vendored
View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

2
.github/workflows/osv-scanner.yaml vendored
View File

@@ -15,6 +15,8 @@ on:
push:
branches: [ "main" ]
permissions: {}
jobs:
scan-scheduled:
permissions:

3
.github/workflows/payload-after-push.yaml vendored
View File

@@ -5,8 +5,7 @@ on:
- main
workflow_dispatch:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/publish-kata-deploy-payload.yaml vendored
View File

@@ -34,8 +34,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
kata-payload:

3
.github/workflows/release-amd64.yaml vendored
View File

@@ -11,8 +11,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-amd64:

3
.github/workflows/release-arm64.yaml vendored
View File

@@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-arm64:

3
.github/workflows/release-ppc64le.yaml vendored
View File

@@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-ppc64le:

3
.github/workflows/release-s390x.yaml vendored
View File

@@ -11,8 +11,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-s390x:

3
.github/workflows/release.yaml vendored
View File

@@ -2,8 +2,7 @@ name: Release Kata Containers
on:
workflow_dispatch
permissions:
contents: read
permissions: {}
jobs:
release:

3
.github/workflows/run-cri-containerd-tests.yaml vendored
View File

@@ -1,7 +1,6 @@
name: CI | Run cri-containerd tests
permissions:
contents: read
permissions: {}
on:
workflow_call:

7
.github/workflows/run-k8s-tests-on-aks.yaml vendored
View File

@@ -34,9 +34,7 @@ on:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
run-k8s-tests:
@@ -71,6 +69,9 @@ jobs:
instance-type: normal
auto-generate-policy: yes
runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
environment: ci
env:
DOCKER_REGISTRY: ${{ inputs.registry }}

3
.github/workflows/run-k8s-tests-on-amd64.yaml vendored
View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests-amd64:

3
.github/workflows/run-k8s-tests-on-arm64.yaml vendored
View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests-on-arm64:

3
.github/workflows/run-k8s-tests-on-ppc64le.yaml vendored
View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests:

3
.github/workflows/run-k8s-tests-on-zvsi.yaml vendored
View File

@@ -25,8 +25,7 @@ on:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests:

7
.github/workflows/run-kata-coco-stability-tests.yaml vendored
View File

@@ -35,9 +35,7 @@ on:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
# Generate jobs for testing CoCo on non-TEE environments
@@ -52,6 +50,9 @@ jobs:
pull-type:
- guest-pull
runs-on: ubuntu-22.04
permissions:
id-token: write # Used for OIDC access to log into Azure
environment: ci
env:
DOCKER_REGISTRY: ${{ inputs.registry }}

6
.github/workflows/run-kata-coco-tests.yaml vendored
View File

@@ -36,9 +36,7 @@ on:
ITA_KEY:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
run-k8s-tests-on-tdx:
@@ -223,6 +221,8 @@ jobs:
pull-type:
- guest-pull
runs-on: ubuntu-22.04
permissions:
id-token: write # Used for OIDC access to log into Azure
environment: ci
env:
DOCKER_REGISTRY: ${{ inputs.registry }}

6
.github/workflows/run-kata-deploy-tests-on-aks.yaml vendored
View File

@@ -29,9 +29,7 @@ on:
AZ_SUBSCRIPTION_ID:
required: true
permissions:
contents: read
id-token: write
permissions: {}
jobs:
run-kata-deploy-tests:
@@ -50,6 +48,8 @@ jobs:
vmm: clh
runs-on: ubuntu-22.04
environment: ci
permissions:
id-token: write # Used for OIDC access to log into Azure
env:
DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }}

3
.github/workflows/run-kata-deploy-tests.yaml vendored
View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-kata-deploy-tests:

3
.github/workflows/run-kata-monitor-tests.yaml vendored
View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-monitor:

3
.github/workflows/run-metrics.yaml vendored
View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-metrics:

3
.github/workflows/run-runk-tests.yaml vendored
View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-runk:

3
.github/workflows/shellcheck.yaml vendored
View File

@@ -10,8 +10,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/shellcheck_required.yaml vendored
View File

@@ -11,8 +11,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/stale.yaml vendored
View File

@@ -4,8 +4,7 @@ on:
- cron: '0 0 * * *'
workflow_dispatch:
permissions:
contents: read
permissions: {}
jobs:
stale:

3
.github/workflows/static-checks-self-hosted.yaml vendored
View File

@@ -6,8 +6,7 @@ on:
- reopened
- labeled # a workflow runs only when the 'ok-to-test' label is added
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/static-checks.yaml vendored
View File

@@ -7,8 +7,7 @@ on:
- synchronize
workflow_dispatch:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/zizmor.yaml vendored
View File

@@ -5,8 +5,7 @@ on:
branches: ["main"]
pull_request:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}