github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-06 12:06:49 +00:00
Code Issues Projects Releases Wiki Activity

workflows: Add explicit permissions where needed

Browse Source 
We have a number of jobs that either need,or nest workflows
that need gh permissions, such as for pushing to ghcr,
or doing attest build provenance. This means they need write
permissions on things like `packages`, `id-token` and `attestations`,
so we need to set these permissions at the job-level
(along with `contents: read`), so they are not restricted by our
safe defaults.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
stevenhorsman 2025-05-28 12:03:14 +01:00
parent 088e97075c
commit c34416f53a
13 changed files with 119 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
.github/workflows/build-kata-static-tarball-amd64.yaml vendored
View File

@ -153,6 +153,9 @@ jobs:
build-asset-rootfs:
runs-on: ubuntu-22.04
needs: build-asset
permissions:
contents: read
packages: write
strategy:
matrix:
asset:
@ -250,6 +253,9 @@ jobs:
build-asset-shim-v2:
runs-on: ubuntu-22.04
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
permissions:
contents: read
packages: write
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@ -307,6 +313,9 @@ jobs:
create-kata-tarball:
runs-on: ubuntu-22.04
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
with:

9
.github/workflows/build-kata-static-tarball-arm64.yaml vendored
View File

@ -133,6 +133,9 @@ jobs:
build-asset-rootfs:
runs-on: ubuntu-22.04-arm
needs: build-asset
permissions:
contents: read
packages: write
strategy:
matrix:
asset:
@ -222,6 +225,9 @@ jobs:
build-asset-shim-v2:
runs-on: ubuntu-22.04-arm
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts, remove-rootfs-binary-artifacts-for-release]
permissions:
contents: read
packages: write
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@ -277,6 +283,9 @@ jobs:
create-kata-tarball:
runs-on: ubuntu-22.04-arm
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
with:

9
.github/workflows/build-kata-static-tarball-ppc64le.yaml vendored
View File

@ -86,6 +86,9 @@ jobs:
build-asset-rootfs:
runs-on: ppc64le
needs: build-asset
permissions:
contents: read
packages: write
strategy:
matrix:
asset:
@ -161,6 +164,9 @@ jobs:
build-asset-shim-v2:
runs-on: ppc64le
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
permissions:
contents: read
packages: write
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@ -216,6 +222,9 @@ jobs:
create-kata-tarball:
runs-on: ppc64le
needs: [build-asset, build-asset-rootfs, build-asset-shim-v2]
permissions:
contents: read
packages: write
steps:
- name: Adjust a permission for repo
run: |

12
.github/workflows/build-kata-static-tarball-s390x.yaml vendored
View File

@ -115,6 +115,9 @@ jobs:
build-asset-rootfs:
runs-on: s390x
needs: build-asset
permissions:
contents: read
packages: write
strategy:
matrix:
asset:
@ -178,6 +181,9 @@ jobs:
build-asset-boot-image-se:
runs-on: s390x
needs: [build-asset, build-asset-rootfs]
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
@ -238,6 +244,9 @@ jobs:
build-asset-shim-v2:
runs-on: s390x
needs: [build-asset, build-asset-rootfs, remove-rootfs-binary-artifacts]
permissions:
contents: read
packages: write
steps:
- name: Login to Kata Containers quay.io
if: ${{ inputs.push-to-registry == 'yes' }}
@ -299,6 +308,9 @@ jobs:
- build-asset-rootfs
- build-asset-boot-image-se
- build-asset-shim-v2
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
with:

11
.github/workflows/ci-weekly.yaml vendored
View File

@ -21,6 +21,11 @@ permissions:
jobs:
build-kata-static-tarball-amd64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -29,6 +34,9 @@ jobs:
publish-kata-deploy-payload-amd64:
needs: build-kata-static-tarball-amd64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -42,6 +50,9 @@ jobs:
secrets: inherit
build-and-publish-tee-confidential-unencrypted-image:
permissions:
contents: read
packages: write
runs-on: ubuntu-22.04
steps:
- name: Checkout code

38
.github/workflows/ci.yaml vendored
View File

@ -25,6 +25,11 @@ permissions:
jobs:
build-kata-static-tarball-amd64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -33,6 +38,9 @@ jobs:
publish-kata-deploy-payload-amd64:
needs: build-kata-static-tarball-amd64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -46,6 +54,11 @@ jobs:
secrets: inherit
build-kata-static-tarball-arm64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-arm64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -54,6 +67,9 @@ jobs:
publish-kata-deploy-payload-arm64:
needs: build-kata-static-tarball-arm64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -67,6 +83,11 @@ jobs:
secrets: inherit
build-kata-static-tarball-s390x:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -75,6 +96,9 @@ jobs:
secrets: inherit
build-kata-static-tarball-ppc64le:
permissions:
contents: read
packages: write
uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -82,6 +106,11 @@ jobs:
target-branch: ${{ inputs.target-branch }}
build-kata-static-tarball-riscv64:
permissions:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/build-kata-static-tarball-riscv64.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -91,6 +120,9 @@ jobs:
publish-kata-deploy-payload-s390x:
needs: build-kata-static-tarball-s390x
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -105,6 +137,9 @@ jobs:
publish-kata-deploy-payload-ppc64le:
needs: build-kata-static-tarball-ppc64le
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
tarball-suffix: -${{ inputs.tag }}
@ -118,6 +153,9 @@ jobs:
secrets: inherit
build-and-publish-tee-confidential-unencrypted-image:
permissions:
contents: read
packages: write
runs-on: ubuntu-22.04
steps:
- name: Checkout code

1
.github/workflows/gatekeeper.yaml vendored
View File

@ -26,6 +26,7 @@ jobs:
actions: read
contents: read
issues: read
pull-requests: read
steps:
- uses: actions/checkout@v4
with:

15
.github/workflows/payload-after-push.yaml vendored
View File

@ -64,6 +64,9 @@ jobs:
publish-kata-deploy-payload-amd64:
needs: build-assets-amd64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
commit-hash: ${{ github.sha }}
@ -77,6 +80,9 @@ jobs:
publish-kata-deploy-payload-arm64:
needs: build-assets-arm64
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
commit-hash: ${{ github.sha }}
@ -90,6 +96,9 @@ jobs:
publish-kata-deploy-payload-s390x:
needs: build-assets-s390x
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
commit-hash: ${{ github.sha }}
@ -103,6 +112,9 @@ jobs:
publish-kata-deploy-payload-ppc64le:
needs: build-assets-ppc64le
permissions:
contents: read
packages: write
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
with:
commit-hash: ${{ github.sha }}
@ -116,6 +128,9 @@ jobs:
publish-manifest:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le]
steps:
- name: Checkout repository

3
.github/workflows/publish-kata-deploy-payload.yaml vendored
View File

@ -36,6 +36,9 @@ permissions:
jobs:
kata-payload:
permissions:
contents: read
packages: write
runs-on: ${{ inputs.runner }}
steps:
- uses: actions/checkout@v4

3
.github/workflows/release-amd64.yaml vendored
View File

@ -19,6 +19,9 @@ jobs:
kata-deploy:
needs: build-kata-static-tarball-amd64
permissions:
contents: read
packages: write
runs-on: ubuntu-22.04
steps:
- name: Login to Kata Containers docker.io

3
.github/workflows/release-arm64.yaml vendored
View File

@ -19,6 +19,9 @@ jobs:
kata-deploy:
needs: build-kata-static-tarball-arm64
permissions:
contents: read
packages: write
runs-on: ubuntu-22.04-arm
steps:
- name: Login to Kata Containers docker.io

3
.github/workflows/release-ppc64le.yaml vendored
View File

@ -19,6 +19,9 @@ jobs:
kata-deploy:
needs: build-kata-static-tarball-ppc64le
permissions:
contents: read
packages: write
runs-on: ppc64le
steps:
- name: Login to Kata Containers docker.io

3
.github/workflows/release-s390x.yaml vendored
View File

@ -19,6 +19,9 @@ jobs:
kata-deploy:
needs: build-kata-static-tarball-s390x
permissions:
contents: read
packages: write
runs-on: s390x
steps:
- name: Login to Kata Containers docker.io