github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-31 16:36:38 +00:00
Code Issues Projects Releases Wiki Activity

workflows: Set top-level permissions to empty

Browse Source 
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
stevenhorsman
2025-08-22 14:09:24 +01:00
parent f79e453313
commit b4545da15d
48 changed files with 53 additions and 98 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
.github/workflows/PR-wip-checks.yaml vendored
View File

@@ -9,8 +9,7 @@ on:
- labeled
- unlabeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

4
.github/workflows/actionlint.yaml vendored
View File

@@ -11,8 +11,8 @@ on:
paths:
- '.github/workflows/**'
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/basic-ci-amd64.yaml vendored
View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-containerd-sandboxapi:

3
.github/workflows/basic-ci-s390x.yaml vendored
View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-containerd-sandboxapi:

3
.github/workflows/build-checks-preview-riscv64.yaml vendored
View File

@@ -12,8 +12,7 @@ on:
required: true
type: string
permissions:
contents: read
permissions: {}
name: Build checks preview riscv64
jobs:

4
.github/workflows/build-checks.yaml vendored
View File

@@ -5,8 +5,8 @@ on:
required: true
type: string
permissions:
contents: read
permissions: {}
name: Build checks
jobs:

3
.github/workflows/build-kata-static-tarball-amd64.yaml vendored
View File

@@ -26,8 +26,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-arm64.yaml vendored
View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: false
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-ppc64le.yaml vendored
View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-riscv64.yaml vendored
View File

@@ -24,8 +24,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/build-kata-static-tarball-s390x.yaml vendored
View File

@@ -27,8 +27,7 @@ on:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-asset:

3
.github/workflows/cargo-deny-runner.yaml vendored
View File

@@ -11,8 +11,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
cargo-deny-runner:

3
.github/workflows/ci-coco-stability.yaml vendored
View File

@@ -9,8 +9,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

3
.github/workflows/ci-devel.yaml vendored
View File

@@ -2,8 +2,7 @@ name: Kata Containers CI (manually triggered)
on:
workflow_dispatch:
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

3
.github/workflows/ci-nightly-s390x.yaml vendored
View File

@@ -4,8 +4,7 @@ on:
name: Nightly CI for s390x
permissions:
contents: read
permissions: {}
jobs:
check-internal-test-result:

3
.github/workflows/ci-nightly.yaml vendored
View File

@@ -7,8 +7,7 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
permissions: {}
jobs:
kata-containers-ci-on-push:

3
.github/workflows/ci-on-push.yaml vendored
View File

@@ -13,8 +13,7 @@ on:
- reopened
- labeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/ci-weekly.yaml vendored
View File

@@ -30,8 +30,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-amd64:

4
.github/workflows/codeql.yml vendored
View File

@@ -19,8 +19,8 @@ on:
schedule:
- cron: '45 0 * * 1'
permissions:
contents: read
permissions: {}
jobs:
analyze:

3
.github/workflows/commit-message-check.yaml vendored
View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/darwin-tests.yaml vendored
View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/docs-url-alive-check.yaml vendored
View File

@@ -2,8 +2,7 @@ on:
schedule:
- cron: '0 23 * * 0'
permissions:
contents: read
permissions: {}
name: Docs URL Alive Check
jobs:

3
.github/workflows/gatekeeper-skipper.yaml vendored
View File

@@ -31,8 +31,7 @@ on:
skip_static:
value: ${{ jobs.skipper.outputs.skip_static }}
permissions:
contents: read
permissions: {}
jobs:
skipper:

3
.github/workflows/gatekeeper.yaml vendored
View File

@@ -12,8 +12,7 @@ on:
- reopened
- labeled
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

7
.github/workflows/govulncheck.yaml vendored
View File

@@ -3,8 +3,7 @@ on:
name: Govulncheck
permissions:
contents: read
permissions: {}
jobs:
govulncheck:
@@ -14,12 +13,12 @@ jobs:
include:
- binary: "kata-runtime"
make_target: "runtime"
- binary: "containerd-shim-kata-v2"
- binary: "containerd-shim-kata-v2"
make_target: "containerd-shim-v2"
- binary: "kata-monitor"
make_target: "monitor"
fail-fast: false
steps:
- name: Checkout the code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

3
.github/workflows/kata-runtime-classes-sync.yaml vendored
View File

@@ -6,8 +6,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/payload-after-push.yaml vendored
View File

@@ -5,8 +5,7 @@ on:
- main
workflow_dispatch:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/publish-kata-deploy-payload.yaml vendored
View File

@@ -34,8 +34,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
kata-payload:

3
.github/workflows/release-amd64.yaml vendored
View File

@@ -11,8 +11,7 @@ on:
KBUILD_SIGN_PIN:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-amd64:

3
.github/workflows/release-arm64.yaml vendored
View File

@@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-arm64:

3
.github/workflows/release-ppc64le.yaml vendored
View File

@@ -9,8 +9,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-ppc64le:

3
.github/workflows/release-s390x.yaml vendored
View File

@@ -11,8 +11,7 @@ on:
QUAY_DEPLOYER_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
build-kata-static-tarball-s390x:

3
.github/workflows/release.yaml vendored
View File

@@ -2,8 +2,7 @@ name: Release Kata Containers
on:
workflow_dispatch
permissions:
contents: read
permissions: {}
jobs:
release:

3
.github/workflows/run-cri-containerd-tests.yaml vendored
View File

@@ -1,7 +1,6 @@
name: CI | Run cri-containerd tests
permissions:
contents: read
permissions: {}
on:
workflow_call:

3
.github/workflows/run-k8s-tests-on-amd64.yaml vendored
View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests-amd64:

3
.github/workflows/run-k8s-tests-on-arm64.yaml vendored
View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests-on-arm64:

3
.github/workflows/run-k8s-tests-on-ppc64le.yaml vendored
View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests:

3
.github/workflows/run-k8s-tests-on-zvsi.yaml vendored
View File

@@ -25,8 +25,7 @@ on:
AUTHENTICATED_IMAGE_PASSWORD:
required: true
permissions:
contents: read
permissions: {}
jobs:
run-k8s-tests:

3
.github/workflows/run-kata-deploy-tests.yaml vendored
View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-kata-deploy-tests:

3
.github/workflows/run-kata-monitor-tests.yaml vendored
View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-monitor:

3
.github/workflows/run-metrics.yaml vendored
View File

@@ -22,8 +22,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-metrics:

3
.github/workflows/run-runk-tests.yaml vendored
View File

@@ -13,8 +13,7 @@ on:
type: string
default: ""
permissions:
contents: read
permissions: {}
jobs:
run-runk:

3
.github/workflows/shellcheck.yaml vendored
View File

@@ -10,8 +10,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/shellcheck_required.yaml vendored
View File

@@ -11,8 +11,7 @@ on:
- reopened
- synchronize
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/stale.yaml vendored
View File

@@ -4,8 +4,7 @@ on:
- cron: '0 0 * * *'
workflow_dispatch:
permissions:
contents: read
permissions: {}
jobs:
stale:

3
.github/workflows/static-checks-self-hosted.yaml vendored
View File

@@ -6,8 +6,7 @@ on:
- reopened
- labeled # a workflow runs only when the 'ok-to-test' label is added
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/static-checks.yaml vendored
View File

@@ -7,8 +7,7 @@ on:
- synchronize
workflow_dispatch:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}

3
.github/workflows/zizmor.yaml vendored
View File

@@ -5,8 +5,7 @@ on:
branches: ["main"]
pull_request:
permissions:
contents: read
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}