Files
kata-containers/.github/workflows/ci-devel.yaml
stevenhorsman 926a633cbd ci: add explanatory comments to workflow permissions
In 7afdfc7388 we
just disabled the undocumented-permissions zizmor warning,
but now with AI we can roll this fix more easily, so remove
the disabling of the rule and add the comments

Generated-By: IBM Bob
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-07-01 11:43:21 +01:00

49 lines
1.5 KiB
YAML

name: Kata Containers CI (manually triggered)
on:
workflow_dispatch:
inputs:
tee-test-scope:
description: "TEE test scope: small runs only attestation + policy tests, full runs everything"
required: false
type: choice
options:
- small
- full
default: small
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-devel
cancel-in-progress: true
permissions: {}
jobs:
kata-containers-ci-on-push:
permissions:
contents: read
packages: write # needed to push build artifacts to ghcr.io
id-token: write # needed to sign images and generate attestations
attestations: write # needed to generate artifact attestations
uses: ./.github/workflows/ci.yaml
with:
commit-hash: ${{ github.sha }}
pr-number: "dev"
tag: ${{ github.sha }}-dev
target-branch: ${{ github.ref_name }}
extensive-matrix-autogenerated-policy: "yes"
tee-test-scope: ${{ inputs.tee-test-scope || 'small' }}
secrets:
AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
AZ_APPID: ${{ secrets.AZ_APPID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
build-checks:
uses: ./.github/workflows/build-checks.yaml
with:
instance: ubuntu-22.04