github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-08-23 10:12:10 +00:00
Code Issues Projects Releases Wiki Activity

workflows: Tighten up workflow permissions

Browse Source 
Since the previous tightening a few workflow updates have
gone in and the zizmor job isn't flagging them as issues,
so address this to remove potential attack vectors

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
stevenhorsman 2025-07-22 14:32:36 +01:00 committed by Steve Horsman
parent 407252a863
commit c4ec6972b6
7 changed files with 30 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.github/workflows/ci.yaml vendored
View File

@ -40,9 +40,7 @@ on:
KBUILD_SIGN_PIN: KBUILD_SIGN_PIN:
required: true required: true
permissions: permissions: {}
contents: read
id-token: write
jobs: jobs:
build-kata-static-tarball-amd64: build-kata-static-tarball-amd64:
@ -292,6 +290,10 @@ jobs:
if: ${{ inputs.skip-test != 'yes' }} if: ${{ inputs.skip-test != 'yes' }}
needs: publish-kata-deploy-payload-amd64 needs: publish-kata-deploy-payload-amd64
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io registry: ghcr.io
@ -351,6 +353,9 @@ jobs:
- build-and-publish-tee-confidential-unencrypted-image - build-and-publish-tee-confidential-unencrypted-image
- publish-csi-driver-amd64 - publish-csi-driver-amd64
uses: ./.github/workflows/run-kata-coco-tests.yaml uses: ./.github/workflows/run-kata-coco-tests.yaml
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
with: with:
tarball-suffix: -${{ inputs.tag }} tarball-suffix: -${{ inputs.tag }}
registry: ghcr.io registry: ghcr.io

7
.github/workflows/cleanup-resources.yaml vendored
View File

@ -4,13 +4,14 @@ on:
- cron: "0 0 * * *" - cron: "0 0 * * *"
workflow_dispatch: workflow_dispatch:
permissions: permissions: {}
contents: read
id-token: write
jobs: jobs:
cleanup-resources: cleanup-resources:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
environment: ci environment: ci
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

2
.github/workflows/osv-scanner.yaml vendored
View File

@ -15,6 +15,8 @@ on:
push: push:
branches: [ "main" ] branches: [ "main" ]
permissions: {}
jobs: jobs:
scan-scheduled: scan-scheduled:
permissions: permissions:

7
.github/workflows/run-k8s-tests-on-aks.yaml vendored
View File

@ -34,9 +34,7 @@ on:
required: true required: true
permissions: permissions: {}
contents: read
id-token: write
jobs: jobs:
run-k8s-tests: run-k8s-tests:
@ -71,6 +69,9 @@ jobs:
instance-type: normal instance-type: normal
auto-generate-policy: yes auto-generate-policy: yes
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
environment: ci environment: ci
env: env:
DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REGISTRY: ${{ inputs.registry }}

7
.github/workflows/run-kata-coco-stability-tests.yaml vendored
View File

@ -35,9 +35,7 @@ on:
AUTHENTICATED_IMAGE_PASSWORD: AUTHENTICATED_IMAGE_PASSWORD:
required: true required: true
permissions: permissions: {}
contents: read
id-token: write
jobs: jobs:
# Generate jobs for testing CoCo on non-TEE environments # Generate jobs for testing CoCo on non-TEE environments
@ -52,6 +50,9 @@ jobs:
pull-type: pull-type:
- guest-pull - guest-pull
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write
environment: ci environment: ci
env: env:
DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REGISTRY: ${{ inputs.registry }}

7
.github/workflows/run-kata-coco-tests.yaml vendored
View File

@ -36,9 +36,7 @@ on:
ITA_KEY: ITA_KEY:
required: true required: true
permissions: permissions: {}
contents: read
id-token: write
jobs: jobs:
run-k8s-tests-on-tdx: run-k8s-tests-on-tdx:
@ -223,6 +221,9 @@ jobs:
pull-type: pull-type:
- guest-pull - guest-pull
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
environment: ci environment: ci
env: env:
DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REGISTRY: ${{ inputs.registry }}

7
.github/workflows/run-kata-deploy-tests-on-aks.yaml vendored
View File

@ -29,9 +29,7 @@ on:
AZ_SUBSCRIPTION_ID: AZ_SUBSCRIPTION_ID:
required: true required: true
permissions: permissions: {}
contents: read
id-token: write
jobs: jobs:
run-kata-deploy-tests: run-kata-deploy-tests:
@ -50,6 +48,9 @@ jobs:
vmm: clh vmm: clh
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
environment: ci environment: ci
permissions:
contents: read
id-token: write # Used for OIDC access to log into Azure
env: env:
DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REGISTRY: ${{ inputs.registry }}
DOCKER_REPO: ${{ inputs.repo }} DOCKER_REPO: ${{ inputs.repo }}