diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml index 30891d22d..c9bf85f4b 100644 --- a/.github/workflows/build-kata-static-tarball-amd64.yaml +++ b/.github/workflows/build-kata-static-tarball-amd64.yaml @@ -153,6 +153,9 @@ jobs: build-asset-rootfs: runs-on: ubuntu-22.04 needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -250,6 +253,9 @@ jobs: build-asset-shim-v2: runs-on: ubuntu-22.04 needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -307,6 +313,9 @@ jobs: create-kata-tarball: runs-on: ubuntu-22.04 needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index 67faeed61..e11ef5a20 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -133,6 +133,9 @@ jobs: build-asset-rootfs: runs-on: ubuntu-22.04-arm needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -222,6 +225,9 @@ jobs: build-asset-shim-v2: runs-on: ubuntu-22.04-arm needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -277,6 +283,9 @@ jobs: create-kata-tarball: runs-on: ubuntu-22.04-arm needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml index cb14c54ab..94f7db401 100644 --- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml +++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml @@ -86,6 +86,9 @@ jobs: build-asset-rootfs: runs-on: ppc64le needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -161,6 +164,9 @@ jobs: build-asset-shim-v2: runs-on: ppc64le needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -216,6 +222,9 @@ jobs: create-kata-tarball: runs-on: ppc64le needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] + permissions: + contents: read + packages: write steps: - name: Adjust a permission for repo run: | diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml index 7bee8105d..847876a83 100644 --- a/.github/workflows/build-kata-static-tarball-s390x.yaml +++ b/.github/workflows/build-kata-static-tarball-s390x.yaml @@ -115,6 +115,9 @@ jobs: build-asset-rootfs: runs-on: s390x needs: build-asset + permissions: + contents: read + packages: write strategy: matrix: asset: @@ -178,6 +181,9 @@ jobs: build-asset-boot-image-se: runs-on: s390x needs: [build-asset, build-asset-rootfs] + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 @@ -238,6 +244,9 @@ jobs: build-asset-shim-v2: runs-on: s390x needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] + permissions: + contents: read + packages: write steps: - name: Login to Kata Containers quay.io if: ${{ inputs.push-to-registry == 'yes' }} @@ -299,6 +308,9 @@ jobs: - build-asset-rootfs - build-asset-boot-image-se - build-asset-shim-v2 + permissions: + contents: read + packages: write steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml index 24d836153..addeb5a2e 100644 --- a/.github/workflows/ci-weekly.yaml +++ b/.github/workflows/ci-weekly.yaml @@ -21,6 +21,11 @@ permissions: jobs: build-kata-static-tarball-amd64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -29,6 +34,9 @@ jobs: publish-kata-deploy-payload-amd64: needs: build-kata-static-tarball-amd64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -42,6 +50,9 @@ jobs: secrets: inherit build-and-publish-tee-confidential-unencrypted-image: + permissions: + contents: read + packages: write runs-on: ubuntu-22.04 steps: - name: Checkout code diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4e4d73304..551ebe2f3 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -25,6 +25,11 @@ permissions: jobs: build-kata-static-tarball-amd64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -33,6 +38,9 @@ jobs: publish-kata-deploy-payload-amd64: needs: build-kata-static-tarball-amd64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -46,6 +54,11 @@ jobs: secrets: inherit build-kata-static-tarball-arm64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -54,6 +67,9 @@ jobs: publish-kata-deploy-payload-arm64: needs: build-kata-static-tarball-arm64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -67,6 +83,11 @@ jobs: secrets: inherit build-kata-static-tarball-s390x: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -75,6 +96,9 @@ jobs: secrets: inherit build-kata-static-tarball-ppc64le: + permissions: + contents: read + packages: write uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -82,6 +106,11 @@ jobs: target-branch: ${{ inputs.target-branch }} build-kata-static-tarball-riscv64: + permissions: + contents: read + packages: write + id-token: write + attestations: write uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -91,6 +120,9 @@ jobs: publish-kata-deploy-payload-s390x: needs: build-kata-static-tarball-s390x + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -105,6 +137,9 @@ jobs: publish-kata-deploy-payload-ppc64le: needs: build-kata-static-tarball-ppc64le + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: tarball-suffix: -${{ inputs.tag }} @@ -118,6 +153,9 @@ jobs: secrets: inherit build-and-publish-tee-confidential-unencrypted-image: + permissions: + contents: read + packages: write runs-on: ubuntu-22.04 steps: - name: Checkout code diff --git a/.github/workflows/gatekeeper.yaml b/.github/workflows/gatekeeper.yaml index 687e81306..687f12aa9 100644 --- a/.github/workflows/gatekeeper.yaml +++ b/.github/workflows/gatekeeper.yaml @@ -26,6 +26,7 @@ jobs: actions: read contents: read issues: read + pull-requests: read steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml index 1f455284d..beab04a9c 100644 --- a/.github/workflows/payload-after-push.yaml +++ b/.github/workflows/payload-after-push.yaml @@ -64,6 +64,9 @@ jobs: publish-kata-deploy-payload-amd64: needs: build-assets-amd64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -77,6 +80,9 @@ jobs: publish-kata-deploy-payload-arm64: needs: build-assets-arm64 + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -90,6 +96,9 @@ jobs: publish-kata-deploy-payload-s390x: needs: build-assets-s390x + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -103,6 +112,9 @@ jobs: publish-kata-deploy-payload-ppc64le: needs: build-assets-ppc64le + permissions: + contents: read + packages: write uses: ./.github/workflows/publish-kata-deploy-payload.yaml with: commit-hash: ${{ github.sha }} @@ -116,6 +128,9 @@ jobs: publish-manifest: runs-on: ubuntu-22.04 + permissions: + contents: read + packages: write needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le] steps: - name: Checkout repository diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml index 37eba1bf2..f6298a531 100644 --- a/.github/workflows/publish-kata-deploy-payload.yaml +++ b/.github/workflows/publish-kata-deploy-payload.yaml @@ -36,6 +36,9 @@ permissions: jobs: kata-payload: + permissions: + contents: read + packages: write runs-on: ${{ inputs.runner }} steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml index 40f8c2e58..847e2caee 100644 --- a/.github/workflows/release-amd64.yaml +++ b/.github/workflows/release-amd64.yaml @@ -19,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-amd64 + permissions: + contents: read + packages: write runs-on: ubuntu-22.04 steps: - name: Login to Kata Containers docker.io diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml index 4a98dd682..bbe427192 100644 --- a/.github/workflows/release-arm64.yaml +++ b/.github/workflows/release-arm64.yaml @@ -19,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-arm64 + permissions: + contents: read + packages: write runs-on: ubuntu-22.04-arm steps: - name: Login to Kata Containers docker.io diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml index 6a60db833..534371b32 100644 --- a/.github/workflows/release-ppc64le.yaml +++ b/.github/workflows/release-ppc64le.yaml @@ -19,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-ppc64le + permissions: + contents: read + packages: write runs-on: ppc64le steps: - name: Login to Kata Containers docker.io diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml index f47337d8e..684b227f4 100644 --- a/.github/workflows/release-s390x.yaml +++ b/.github/workflows/release-s390x.yaml @@ -19,6 +19,9 @@ jobs: kata-deploy: needs: build-kata-static-tarball-s390x + permissions: + contents: read + packages: write runs-on: s390x steps: - name: Login to Kata Containers docker.io