From c34416f53a6d7fbff37240da59c45b7beca18c41 Mon Sep 17 00:00:00 2001
From: stevenhorsman
Date: Wed, 28 May 2025 12:03:14 +0100
Subject: [PATCH] workflows: Add explicit permissions where needed

We have a number of jobs that either need,or nest workflows that need gh permissions, such as for pushing to ghcr, or doing attest build provenance. This means they need write permissions on things like `packages`, `id-token` and `attestations`, so we need to set these permissions at the job-level (along with `contents: read`), so they are not restricted by our safe defaults.

Signed-off-by: stevenhorsman
---
 .../build-kata-static-tarball-amd64.yaml | 9 +++++
 .../build-kata-static-tarball-arm64.yaml | 9 +++++
 .../build-kata-static-tarball-ppc64le.yaml | 9 +++++
 .../build-kata-static-tarball-s390x.yaml | 12 ++++++
 .github/workflows/ci-weekly.yaml | 11 ++++++
 .github/workflows/ci.yaml | 38 +++++++++++++++++++
 .github/workflows/gatekeeper.yaml | 1 +
 .github/workflows/payload-after-push.yaml | 15 ++++++++
 .../publish-kata-deploy-payload.yaml | 3 ++
 .github/workflows/release-amd64.yaml | 3 ++
 .github/workflows/release-arm64.yaml | 3 ++
 .github/workflows/release-ppc64le.yaml | 3 ++
 .github/workflows/release-s390x.yaml | 3 ++
 13 files changed, 119 insertions(+)

diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index 30891d22d..c9bf85f4b 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -153,6 +153,9 @@ jobs:
 build-asset-rootfs:
 runs-on: ubuntu-22.04
 needs: build-asset
+ permissions:
+ contents: read
+ packages: write
 strategy:
 matrix:
 asset:
@@ -250,6 +253,9 @@ jobs:
 build-asset-shim-v2:
 runs-on: ubuntu-22.04
 needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Login to Kata Containers quay.io
 if: ${{ inputs.push-to-registry == 'yes' }}
@@ -307,6 +313,9 @@ jobs:
 create-kata-tarball:
 runs-on: ubuntu-22.04
 needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
+ permissions:
+ contents: read
+ packages: write
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml
index 67faeed61..e11ef5a20 100644
--- a/.github/workflows/build-kata-static-tarball-arm64.yaml
+++ b/.github/workflows/build-kata-static-tarball-arm64.yaml
@@ -133,6 +133,9 @@ jobs:
 build-asset-rootfs:
 runs-on: ubuntu-22.04-arm
 needs: build-asset
+ permissions:
+ contents: read
+ packages: write
 strategy:
 matrix:
 asset:
@@ -222,6 +225,9 @@ jobs:
 build-asset-shim-v2:
 runs-on: ubuntu-22.04-arm
 needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Login to Kata Containers quay.io
 if: ${{ inputs.push-to-registry == 'yes' }}
@@ -277,6 +283,9 @@ jobs:
 create-kata-tarball:
 runs-on: ubuntu-22.04-arm
 needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
+ permissions:
+ contents: read
+ packages: write
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/build-kata-static-tarball-ppc64le.yaml b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
index cb14c54ab..94f7db401 100644
--- a/.github/workflows/build-kata-static-tarball-ppc64le.yaml
+++ b/.github/workflows/build-kata-static-tarball-ppc64le.yaml
@@ -86,6 +86,9 @@ jobs:
 build-asset-rootfs:
 runs-on: ppc64le
 needs: build-asset
+ permissions:
+ contents: read
+ packages: write
 strategy:
 matrix:
 asset:
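Review bot: `packages: write` is granted to build-asset-shim-v2 unconditionally, while the only registry interaction visible in the hunk, the quay.io login, is gated on `inputs.push-to-registry == 'yes'`; job-level permissions cannot be made conditional, so every run of this job, including builds that never push, holds a GITHUB_TOKEN able to write to GHCR. The quay.io login uses registry credentials rather than GITHUB_TOKEN, so the grant only matters for a ghcr.io push, which the commit message mentions but these hunks do not show. That is a least-privilege trade-off rather than a defect, but it should be recorded next to the block so nobody later widens it further: `# packages: write is needed for the ghcr.io push; permissions cannot depend on push-to-registry, so it is always granted`. The same applies to the build-asset-rootfs and create-kata-tarball hunks in this file and to the matching jobs in the arm64, ppc64le and s390x tarball workflows; whether the rootfs and create-kata-tarball jobs actually push to GHCR is not visible here, and if they do not, their `packages: write` can be dropped.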
@@ -161,6 +164,9 @@ jobs:
 build-asset-shim-v2:
 runs-on: ppc64le
 needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Login to Kata Containers quay.io
 if: ${{ inputs.push-to-registry == 'yes' }}
@@ -216,6 +222,9 @@ jobs:
 create-kata-tarball:
 runs-on: ppc64le
 needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Adjust a permission for repo
 run: |
diff --git a/.github/workflows/build-kata-static-tarball-s390x.yaml b/.github/workflows/build-kata-static-tarball-s390x.yaml
index 7bee8105d..847876a83 100644
--- a/.github/workflows/build-kata-static-tarball-s390x.yaml
+++ b/.github/workflows/build-kata-static-tarball-s390x.yaml
@@ -115,6 +115,9 @@ jobs:
 build-asset-rootfs:
 runs-on: s390x
 needs: build-asset
+ permissions:
+ contents: read
+ packages: write
 strategy:
 matrix:
 asset:
@@ -178,6 +181,9 @@ jobs:
 build-asset-boot-image-se:
 runs-on: s390x
 needs: [build-asset, build-asset-rootfs]
+ permissions:
+ contents: read
+ packages: write
 steps:
 - uses: actions/checkout@v4
 
@@ -238,6 +244,9 @@ jobs:
 build-asset-shim-v2:
 runs-on: s390x
 needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
+ permissions:
+ contents: read
+ packages: write
 steps:
 - name: Login to Kata Containers quay.io
 if: ${{ inputs.push-to-registry == 'yes' }}
@@ -299,6 +308,9 @@ jobs:
 - build-asset-rootfs
 - build-asset-boot-image-se
 - build-asset-shim-v2
+ permissions:
+ contents: read
+ packages: write
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/ci-weekly.yaml b/.github/workflows/ci-weekly.yaml
index 24d836153..addeb5a2e 100644
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -21,6 +21,11 @@ permissions:
 
 jobs:
 build-kata-static-tarball-amd64:
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
 uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
@@ -29,6 +34,9 @@ jobs:
 
 publish-kata-deploy-payload-amd64:
 needs: build-kata-static-tarball-amd64
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/publish-kata-deploy-payload.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
@@ -42,6 +50,9 @@ jobs:
 secrets: inherit
 
 build-and-publish-tee-confidential-unencrypted-image:
+ permissions:
+ contents: read
+ packages: write
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout code
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 4e4d73304..551ebe2f3 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -25,6 +25,11 @@ permissions:
 
 jobs:
 build-kata-static-tarball-amd64:
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
 uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
@@ -33,6 +38,9 @@ jobs:
 
 publish-kata-deploy-payload-amd64:
 needs: build-kata-static-tarball-amd64
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/publish-kata-deploy-payload.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
@@ -46,6 +54,11 @@ jobs:
 secrets: inherit
 
 build-kata-static-tarball-arm64:
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
 uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
@@ -54,6 +67,9 @@ jobs:
 
 publish-kata-deploy-payload-arm64:
 needs: build-kata-static-tarball-arm64
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/publish-kata-deploy-payload.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
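Review bot: The `id-token: write` and `attestations: write` added to the build-kata-static-tarball-amd64 caller job in ci.yaml (and in the ci-weekly.yaml hunk above it) are passed down to every job of the reusable workflow, and a called job that declares no `permissions:` of its own runs with that full grant, as I read the reusable-workflow rules. In this commit only build-asset-rootfs, build-asset-shim-v2 and create-kata-tarball pin themselves to `contents: read`/`packages: write`; the job that performs the provenance attestation (presumably build-asset, which the diff does not touch) and any other un-pinned job there would keep an OIDC-capable token. Worth confirming that only the attesting job is left un-pinned, or giving that job its own explicit block listing `contents: read`, `packages: write`, `id-token: write` and `attestations: write` so the scope is visible in the file that consumes it. A one-line comment on the caller, `# id-token/attestations are consumed by the provenance step in the called workflow`, would also make the reason for the wider grant greppable.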
@@ -67,6 +83,11 @@ jobs:
 secrets: inherit
 
 build-kata-static-tarball-s390x:
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
 uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
@@ -75,6 +96,9 @@ jobs:
 secrets: inherit
 
 build-kata-static-tarball-ppc64le:
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
@@ -82,6 +106,11 @@ jobs:
 target-branch: ${{ inputs.target-branch }}
 
 build-kata-static-tarball-riscv64:
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
+ attestations: write
 uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
@@ -91,6 +120,9 @@ jobs:
 
 publish-kata-deploy-payload-s390x:
 needs: build-kata-static-tarball-s390x
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/publish-kata-deploy-payload.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
@@ -105,6 +137,9 @@ jobs:
 
 publish-kata-deploy-payload-ppc64le:
 needs: build-kata-static-tarball-ppc64le
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/publish-kata-deploy-payload.yaml
 with:
 tarball-suffix: -${{ inputs.tag }}
@@ -118,6 +153,9 @@ jobs:
 secrets: inherit
 
 build-and-publish-tee-confidential-unencrypted-image:
+ permissions:
+ contents: read
+ packages: write
 runs-on: ubuntu-22.04
 steps:
 - name: Checkout code
diff --git a/.github/workflows/gatekeeper.yaml b/.github/workflows/gatekeeper.yaml
index 687e81306..687f12aa9 100644
--- a/.github/workflows/gatekeeper.yaml
+++ b/.github/workflows/gatekeeper.yaml
@@ -26,6 +26,7 @@ jobs:
 actions: read
 contents: read
 issues: read
+ pull-requests: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/payload-after-push.yaml b/.github/workflows/payload-after-push.yaml
index 1f455284d..beab04a9c 100644
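Review bot: build-kata-static-tarball-ppc64le is the only caller job in ci.yaml that receives `packages: write` without `id-token: write` and `attestations: write`, while the amd64, arm64, s390x and riscv64 siblings in the same file get all four. If the ppc64le reusable workflow also runs the provenance attestation step the commit message refers to, that step will fail under the caller's ceiling; if ppc64le deliberately skips attestation (its jobs run on the `ppc64le` runner label rather than a GitHub-hosted image), record that in place, e.g. `# no id-token/attestations: ppc64le builds are not attested`, so the asymmetry is not "fixed" later by copy-paste. Either way the grant for this job should match the documented intent rather than be the one outlier.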
--- a/.github/workflows/payload-after-push.yaml
+++ b/.github/workflows/payload-after-push.yaml
@@ -64,6 +64,9 @@ jobs:
 
 publish-kata-deploy-payload-amd64:
 needs: build-assets-amd64
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/publish-kata-deploy-payload.yaml
 with:
 commit-hash: ${{ github.sha }}
@@ -77,6 +80,9 @@ jobs:
 
 publish-kata-deploy-payload-arm64:
 needs: build-assets-arm64
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/publish-kata-deploy-payload.yaml
 with:
 commit-hash: ${{ github.sha }}
@@ -90,6 +96,9 @@ jobs:
 
 publish-kata-deploy-payload-s390x:
 needs: build-assets-s390x
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/publish-kata-deploy-payload.yaml
 with:
 commit-hash: ${{ github.sha }}
@@ -103,6 +112,9 @@ jobs:
 
 publish-kata-deploy-payload-ppc64le:
 needs: build-assets-ppc64le
+ permissions:
+ contents: read
+ packages: write
 uses: ./.github/workflows/publish-kata-deploy-payload.yaml
 with:
 commit-hash: ${{ github.sha }}
@@ -116,6 +128,9 @@ jobs:
 
 publish-manifest:
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ packages: write
 needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le]
 steps:
 - name: Checkout repository
diff --git a/.github/workflows/publish-kata-deploy-payload.yaml b/.github/workflows/publish-kata-deploy-payload.yaml
index 37eba1bf2..f6298a531 100644
--- a/.github/workflows/publish-kata-deploy-payload.yaml
+++ b/.github/workflows/publish-kata-deploy-payload.yaml
@@ -36,6 +36,9 @@ permissions:
 
 jobs:
 kata-payload:
+ permissions:
+ contents: read
+ packages: write
 runs-on: ${{ inputs.runner }}
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/release-amd64.yaml b/.github/workflows/release-amd64.yaml
index 40f8c2e58..847e2caee 100644
--- a/.github/workflows/release-amd64.yaml
+++ b/.github/workflows/release-amd64.yaml
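Review bot: In the publish-manifest hunk the new `permissions:` block is placed between `runs-on:` and `needs:`, whereas the four publish-kata-deploy-payload-* hunks above it in the same file put it directly after `needs:`; keeping one key order per file (`needs`, then `permissions`, then `runs-on`/`uses`) makes the job-level grants easier to audit by eye. The kata-payload hunk in publish-kata-deploy-payload.yaml repeats the same `contents: read`/`packages: write` pair that every caller now sets on the calling job, which is a useful floor because a called job's own block can only narrow what the caller passes down, but the duplication looks accidental without a note such as `# declared here as well so the job stays pinned even if a caller grants more`.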
@@ -19,6 +19,9 @@ jobs:
 
 kata-deploy:
 needs: build-kata-static-tarball-amd64
+ permissions:
+ contents: read
+ packages: write
 runs-on: ubuntu-22.04
 steps:
 - name: Login to Kata Containers docker.io
diff --git a/.github/workflows/release-arm64.yaml b/.github/workflows/release-arm64.yaml
index 4a98dd682..bbe427192 100644
--- a/.github/workflows/release-arm64.yaml
+++ b/.github/workflows/release-arm64.yaml
@@ -19,6 +19,9 @@ jobs:
 
 kata-deploy:
 needs: build-kata-static-tarball-arm64
+ permissions:
+ contents: read
+ packages: write
 runs-on: ubuntu-22.04-arm
 steps:
 - name: Login to Kata Containers docker.io
diff --git a/.github/workflows/release-ppc64le.yaml b/.github/workflows/release-ppc64le.yaml
index 6a60db833..534371b32 100644
--- a/.github/workflows/release-ppc64le.yaml
+++ b/.github/workflows/release-ppc64le.yaml
@@ -19,6 +19,9 @@ jobs:
 
 kata-deploy:
 needs: build-kata-static-tarball-ppc64le
+ permissions:
+ contents: read
+ packages: write
 runs-on: ppc64le
 steps:
 - name: Login to Kata Containers docker.io
diff --git a/.github/workflows/release-s390x.yaml b/.github/workflows/release-s390x.yaml
index f47337d8e..684b227f4 100644
--- a/.github/workflows/release-s390x.yaml
+++ b/.github/workflows/release-s390x.yaml
@@ -19,6 +19,9 @@ jobs:
 
 kata-deploy:
 needs: build-kata-static-tarball-s390x
+ permissions:
+ contents: read
+ packages: write
 runs-on: s390x
 steps:
 - name: Login to Kata Containers docker.io
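Review bot: The release-amd64 kata-deploy job (and the arm64, ppc64le and s390x siblings in this line) gains `packages: write`, but the only registry step visible in the hunk is `Login to Kata Containers docker.io`, which is credential-based and does not consume GITHUB_TOKEN; `packages: write` is only exercised by a push to ghcr.io. The rest of each kata-deploy job lies outside the hunk, so if it also pushes to ghcr.io the grant is correct and deserves a comment naming that step, e.g. `# packages: write: the kata-deploy image is also pushed to ghcr.io with GITHUB_TOKEN`. If these jobs push to docker.io only, the grant should be dropped so a release job does not carry an unused write-capable token.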