Merge pull request #5123 from zhzhuang-zju/miniumPermissions

karmada-bot · web-flow · commit cc7b9ac2eb89 · 2024-07-03T12:16:57.000+08:00
set Minimum GITHUB_TOKEN permissions to github workflow
diff --git a/.github/workflows/dockerhub-latest-image.yml b/.github/workflows/dockerhub-latest-image.yml
@@ -3,6 +3,8 @@ on:
   push:
     branches:
       - master
+permissions:
+  contents: read
 jobs:
   publish-image-to-dockerhub:
     name: publish to DockerHub
diff --git a/.github/workflows/dockerhub-released-chart.yml b/.github/workflows/dockerhub-released-chart.yml
@@ -3,6 +3,8 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read
 jobs:
   publish-chart-to-dockerhub:
     name: publish to DockerHub
diff --git a/.github/workflows/dockerhub-released-image.yml b/.github/workflows/dockerhub-released-image.yml
@@ -3,6 +3,8 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read
 jobs:
   publish-image-to-dockerhub:
     name: publish to DockerHub
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,8 +3,12 @@ on:
     types:
     - published
 name: Build Release
+permissions:
+  contents: read
 jobs:
   release-assests:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: release kubectl-karmada
     runs-on: ubuntu-22.04
     strategy:
@@ -41,6 +45,8 @@ jobs:
           _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
           _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz.sha256
   release-crds-assests:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: release crds
     runs-on: ubuntu-22.04
     steps:
@@ -61,6 +67,8 @@ jobs:
         files: |
           crds.tar.gz
   release-charts:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: Release charts
     runs-on: ubuntu-22.04
     steps:
@@ -79,6 +87,8 @@ jobs:
           _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz
           _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz.sha256
   sbom-assests:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: Release sbom
     runs-on: ubuntu-22.04
     steps:
diff --git a/.github/workflows/swr-latest-image.yml b/.github/workflows/swr-latest-image.yml
@@ -3,6 +3,8 @@ on:
   push:
     branches:
       - master
+permissions:
+  contents: read
 jobs:
   publish-image:
     name: publish images
diff --git a/.github/workflows/swr-released-image.yml b/.github/workflows/swr-released-image.yml
@@ -3,6 +3,8 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read
 jobs:
   release-image:
     name: release images
