workflows: Add explicit permissions where needed

We have a number of jobs that either need, or nest workflows
that need gh permissions, such as for pushing to ghcr,
or doing attest build provenance. This means they need write
permissions on things like `packages`, `id-token` and `attestations`,
so we need to set these permissions at the job-level
(along with `contents: read`), so they are not restricted by our
safe defaults.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
stevenhorsman 2025-05-28 12:03:14 +01:00
parent 088e97075c
commit c34416f53a
13 changed files with 119 additions and 0 deletions


@ -153,6 +153,9 @@ jobs:
build-asset-rootfs: build-asset-rootfs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: build-asset needs: build-asset
permissions:
contents: read
packages: write
strategy: strategy:
matrix: matrix:
asset: asset:
@ -250,6 +253,9 @@ jobs:
build-asset-shim-v2: build-asset-shim-v2:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
permissions:
contents: read
packages: write
steps: steps:
- name: Login to Kata Containers quay.io - name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }} if: ${{ inputs.push-to-registry == 'yes' }}
@ -307,6 +313,9 @@ jobs:
create-kata-tarball: create-kata-tarball:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
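Review bot: `packages: write` is granted to build-asset-rootfs, build-asset-shim-v2 and create-kata-tarball without recording which step actually pushes with GITHUB_TOKEN; the only registry step visible in these hunks is the `Login to Kata Containers quay.io` step in build-asset-shim-v2, which authenticates with stored credentials and therefore needs no `packages` scope at all. The `packages` permission only widens what GITHUB_TOKEN may do against ghcr.io, so if a job merely pulls from ghcr.io, `packages: read` is sufficient. If a later step does push to ghcr.io with the job token, add a one-line comment above each grant naming it, e.g. `# packages: write — GITHUB_TOKEN pushes the built asset to ghcr.io`. The job bodies continue outside the hunks, so I could not confirm either way.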


@ -133,6 +133,9 @@ jobs:
build-asset-rootfs: build-asset-rootfs:
runs-on: ubuntu-22.04-arm runs-on: ubuntu-22.04-arm
needs: build-asset needs: build-asset
permissions:
contents: read
packages: write
strategy: strategy:
matrix: matrix:
asset: asset:
@ -222,6 +225,9 @@ jobs:
build-asset-shim-v2: build-asset-shim-v2:
runs-on: ubuntu-22.04-arm runs-on: ubuntu-22.04-arm
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release] needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
permissions:
contents: read
packages: write
steps: steps:
- name: Login to Kata Containers quay.io - name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }} if: ${{ inputs.push-to-registry == 'yes' }}
@ -277,6 +283,9 @@ jobs:
create-kata-tarball: create-kata-tarball:
runs-on: ubuntu-22.04-arm runs-on: ubuntu-22.04-arm
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
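Review bot: create-kata-tarball now holds a write-scoped package token although a job that assembles a tarball from upstream build artifacts would ordinarily only need to read from ghcr.io, and its visible steps begin with `actions/checkout`, so any push is outside the hunk. If the job only downloads artifacts or pulls images, tighten to `packages: read`; if it does push, document the step above the grant, e.g. `# packages: write — publishes the tarball image to ghcr.io`. Same question applies to build-asset-rootfs, whose matrix legs each inherit the write scope. The job definitions continue past the end of each hunk.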


@ -86,6 +86,9 @@ jobs:
build-asset-rootfs: build-asset-rootfs:
runs-on: ppc64le runs-on: ppc64le
needs: build-asset needs: build-asset
permissions:
contents: read
packages: write
strategy: strategy:
matrix: matrix:
asset: asset:
@ -161,6 +164,9 @@ jobs:
build-asset-shim-v2: build-asset-shim-v2:
runs-on: ppc64le runs-on: ppc64le
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
permissions:
contents: read
packages: write
steps: steps:
- name: Login to Kata Containers quay.io - name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }} if: ${{ inputs.push-to-registry == 'yes' }}
@ -216,6 +222,9 @@ jobs:
create-kata-tarball: create-kata-tarball:
runs-on: ppc64le runs-on: ppc64le
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2] needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
permissions:
contents: read
packages: write
steps: steps:
- name: Adjust a permission for repo - name: Adjust a permission for repo
run: | run: |
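Review bot: `runs-on: ppc64le` is not a GitHub-hosted runner label, so these jobs presumably execute on self-hosted runners, and each of the three jobs now exposes a `packages: write` GITHUB_TOKEN to that machine for the job's duration; the `Adjust a permission for repo` step in create-kata-tarball runs a shell block that continues outside the hunk. That is fine if the runners are ephemeral and the script is trusted, but the trade-off is worth recording next to the grant, e.g. `# packages: write is visible to the self-hosted ppc64le runner for the job's lifetime`. Please confirm with the runner owners whether the runners are ephemeral; the page does not show this.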


@ -115,6 +115,9 @@ jobs:
build-asset-rootfs: build-asset-rootfs:
runs-on: s390x runs-on: s390x
needs: build-asset needs: build-asset
permissions:
contents: read
packages: write
strategy: strategy:
matrix: matrix:
asset: asset:
@ -178,6 +181,9 @@ jobs:
build-asset-boot-image-se: build-asset-boot-image-se:
runs-on: s390x runs-on: s390x
needs: [build-asset, build-asset-rootfs] needs: [build-asset, build-asset-rootfs]
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@ -238,6 +244,9 @@ jobs:
build-asset-shim-v2: build-asset-shim-v2:
runs-on: s390x runs-on: s390x
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts] needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
permissions:
contents: read
packages: write
steps: steps:
- name: Login to Kata Containers quay.io - name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }} if: ${{ inputs.push-to-registry == 'yes' }}
@ -299,6 +308,9 @@ jobs:
- build-asset-rootfs - build-asset-rootfs
- build-asset-boot-image-se - build-asset-boot-image-se
- build-asset-shim-v2 - build-asset-shim-v2
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
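Review bot: build-asset-boot-image-se receives `packages: write` although the only step visible for it is `actions/checkout`, and the last hunk starts mid-`needs:` list so the fourth job granted `packages: write` cannot be named from this view. For each grant, state the consuming step in a comment, e.g. `# packages: write — pushes the SE boot image to ghcr.io`, or drop to `packages: read` where the job only pulls. As in the other arch files, `runs-on: s390x` suggests a self-hosted runner holding the write-scoped token; hedged, since the runner configuration is not shown. All four job bodies continue outside the hunks.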


@ -21,6 +21,11 @@ permissions:
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -29,6 +34,9 @@ jobs:
publish-kata-deploy-payload-amd64: publish-kata-deploy-payload-amd64:
needs: build-kata-static-tarball-amd64 needs: build-kata-static-tarball-amd64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -42,6 +50,9 @@ jobs:
secrets: inherit secrets: inherit
build-and-publish-tee-confidential-unencrypted-image: build-and-publish-tee-confidential-unencrypted-image:
permissions:
contents: read
packages: write
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout code - name: Checkout code
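Review bot: the `id-token: write` and `attestations: write` granted to build-kata-static-tarball-amd64 are only an upper bound for the reusable workflow; a called-workflow job that declares its own `permissions:` block receives exactly what it lists, and the jobs of build-kata-static-tarball-amd64.yaml touched in this commit list only `contents: read` and `packages: write`. The attesting job must therefore request `id-token: write` and `attestations: write` itself, which is not visible in this commit — please confirm it does. Since `id-token: write` lets any step mint an OIDC token that federated cloud roles trusting this repository will accept, keep that scope on the attesting job only and note the reason here, e.g. `# id-token/attestations: needed by actions/attest-build-provenance in the called workflow`.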


@ -25,6 +25,11 @@ permissions:
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -33,6 +38,9 @@ jobs:
publish-kata-deploy-payload-amd64: publish-kata-deploy-payload-amd64:
needs: build-kata-static-tarball-amd64 needs: build-kata-static-tarball-amd64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -46,6 +54,11 @@ jobs:
secrets: inherit secrets: inherit
build-kata-static-tarball-arm64: build-kata-static-tarball-arm64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -54,6 +67,9 @@ jobs:
publish-kata-deploy-payload-arm64: publish-kata-deploy-payload-arm64:
needs: build-kata-static-tarball-arm64 needs: build-kata-static-tarball-arm64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -67,6 +83,11 @@ jobs:
secrets: inherit secrets: inherit
build-kata-static-tarball-s390x: build-kata-static-tarball-s390x:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -75,6 +96,9 @@ jobs:
secrets: inherit secrets: inherit
build-kata-static-tarball-ppc64le: build-kata-static-tarball-ppc64le:
permissions:
contents: read
packages: write
uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -82,6 +106,11 @@ jobs:
target-branch: ${{ inputs.target-branch }} target-branch: ${{ inputs.target-branch }}
build-kata-static-tarball-riscv64: build-kata-static-tarball-riscv64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -91,6 +120,9 @@ jobs:
publish-kata-deploy-payload-s390x: publish-kata-deploy-payload-s390x:
needs: build-kata-static-tarball-s390x needs: build-kata-static-tarball-s390x
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -105,6 +137,9 @@ jobs:
publish-kata-deploy-payload-ppc64le: publish-kata-deploy-payload-ppc64le:
needs: build-kata-static-tarball-ppc64le needs: build-kata-static-tarball-ppc64le
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
@ -118,6 +153,9 @@ jobs:
secrets: inherit secrets: inherit
build-and-publish-tee-confidential-unencrypted-image: build-and-publish-tee-confidential-unencrypted-image:
permissions:
contents: read
packages: write
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Checkout code - name: Checkout code
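Review bot: build-kata-static-tarball-ppc64le is the only build job in this file granted just `contents: read` and `packages: write`, while amd64, arm64, s390x and riscv64 additionally get `id-token: write` and `attestations: write`. If the ppc64le reusable workflow also runs the provenance attestation step, its call will fail for exceeding the caller's grant; if ppc64le is intentionally not attested, record that so the asymmetry is not mistaken for an omission, e.g. `# no id-token/attestations: the ppc64le tarball is not attested`. I cannot tell from this page which is the case.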


@ -26,6 +26,7 @@ jobs:
actions: read actions: read
contents: read contents: read
issues: read issues: read
pull-requests: read
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
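Review bot: `pull-requests: read` is added without any indication of which step needs it, and the neighbouring `actions`, `contents` and `issues` grants are equally bare, which makes the least-privilege intent hard to audit later. A trailing comment naming the consumer, e.g. `pull-requests: read  # <step name> reads PR labels/metadata`, is enough. The job header and the rest of its steps lie outside the hunk.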


@ -64,6 +64,9 @@ jobs:
publish-kata-deploy-payload-amd64: publish-kata-deploy-payload-amd64:
needs: build-assets-amd64 needs: build-assets-amd64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}
@ -77,6 +80,9 @@ jobs:
publish-kata-deploy-payload-arm64: publish-kata-deploy-payload-arm64:
needs: build-assets-arm64 needs: build-assets-arm64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}
@ -90,6 +96,9 @@ jobs:
publish-kata-deploy-payload-s390x: publish-kata-deploy-payload-s390x:
needs: build-assets-s390x needs: build-assets-s390x
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}
@ -103,6 +112,9 @@ jobs:
publish-kata-deploy-payload-ppc64le: publish-kata-deploy-payload-ppc64le:
needs: build-assets-ppc64le needs: build-assets-ppc64le
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with: with:
commit-hash: ${{ github.sha }} commit-hash: ${{ github.sha }}
@ -116,6 +128,9 @@ jobs:
publish-manifest: publish-manifest:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le] needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le]
steps: steps:
- name: Checkout repository - name: Checkout repository
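Review bot: in publish-manifest the `permissions:` block is placed between `runs-on` and `needs`, while every other job in this commit puts it directly after `needs`; keeping one key order makes permission grants easy to diff across workflows. Moving the block below the `needs:` line is a pure reordering. As with the per-arch payload jobs above it, a short comment such as `# packages: write — pushes the multi-arch manifest to ghcr.io` would document why this job needs write scope; the steps that would confirm it are outside the hunk.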


@ -36,6 +36,9 @@ permissions:
jobs: jobs:
kata-payload: kata-payload:
permissions:
contents: read
packages: write
runs-on: ${{ inputs.runner }} runs-on: ${{ inputs.runner }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
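Review bot: kata-payload now pairs `packages: write` with `runs-on: ${{ inputs.runner }}`, so the write-scoped GITHUB_TOKEN is exposed to whatever runner the caller selects, including self-hosted labels such as the `ppc64le` and `s390x` ones used elsewhere in this commit. That is the expected design, but it should be stated next to the grant, e.g. `# packages: write — GITHUB_TOKEN pushes the payload to ghcr.io; runner is caller-chosen`, so that anyone adding a new runner label understands what the job hands to it. The job's remaining steps are outside the hunk.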


@ -19,6 +19,9 @@ jobs:
kata-deploy: kata-deploy:
needs: build-kata-static-tarball-amd64 needs: build-kata-static-tarball-amd64
permissions:
contents: read
packages: write
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- name: Login to Kata Containers docker.io - name: Login to Kata Containers docker.io
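Review bot: `packages: write` may be broader than this job needs: the only registry step visible in kata-deploy is `Login to Kata Containers docker.io`, which authenticates with stored credentials, whereas the `packages` scope only governs what GITHUB_TOKEN may do against ghcr.io. Unless a later step outside the hunk pushes to ghcr.io with the job token, `packages: read` (or omitting `packages`) is the least-privilege choice. If such a push exists, add `# packages: write — pushes the kata-deploy image to ghcr.io` above the grant.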


@ -19,6 +19,9 @@ jobs:
kata-deploy: kata-deploy:
needs: build-kata-static-tarball-arm64 needs: build-kata-static-tarball-arm64
permissions:
contents: read
packages: write
runs-on: ubuntu-22.04-arm runs-on: ubuntu-22.04-arm
steps: steps:
- name: Login to Kata Containers docker.io - name: Login to Kata Containers docker.io
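Review bot: same concern as the amd64 variant: the visible registry step logs in to docker.io with stored credentials, which does not use the `packages` scope, so `packages: write` is only justified if a step outside the hunk pushes to ghcr.io with GITHUB_TOKEN. Either tighten to `packages: read` or document the consuming step above the grant, e.g. `# packages: write — pushes the arm64 kata-deploy image to ghcr.io`.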


@ -19,6 +19,9 @@ jobs:
kata-deploy: kata-deploy:
needs: build-kata-static-tarball-ppc64le needs: build-kata-static-tarball-ppc64le
permissions:
contents: read
packages: write
runs-on: ppc64le runs-on: ppc64le
steps: steps:
- name: Login to Kata Containers docker.io - name: Login to Kata Containers docker.io
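Review bot: the docker.io login visible here authenticates with stored credentials, so `packages: write` is only needed if a later step pushes to ghcr.io with GITHUB_TOKEN; otherwise `packages: read` suffices. Because `runs-on: ppc64le` is presumably a self-hosted label, a write-scoped job token is also being exposed to that machine, which is one more reason to grant it only where a push actually happens and to note it, e.g. `# packages: write — pushes the ppc64le kata-deploy image to ghcr.io`. The job's later steps are outside the hunk.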


@ -19,6 +19,9 @@ jobs:
kata-deploy: kata-deploy:
needs: build-kata-static-tarball-s390x needs: build-kata-static-tarball-s390x
permissions:
contents: read
packages: write
runs-on: s390x runs-on: s390x
steps: steps:
- name: Login to Kata Containers docker.io - name: Login to Kata Containers docker.io
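Review bot: as with the other kata-deploy jobs, the visible docker.io login uses stored credentials rather than GITHUB_TOKEN, so `packages: write` is justified only by a ghcr.io push that lies outside the hunk; otherwise drop it to `packages: read`. With `runs-on: s390x` presumably a self-hosted runner, the write-scoped token is exposed to that host for the job's duration, so if the push exists, say so above the grant: `# packages: write — pushes the s390x kata-deploy image to ghcr.io`.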