From 482e22531ec4d3d6c0aa097d77ae227d597f6b42 Mon Sep 17 00:00:00 2001
From: Stephen Lang
Date: Mon, 28 Apr 2025 17:12:11 +0100
Subject: [PATCH 1/2] ci: check action permissions
---
 .github/workflows/check-with-upstream.yaml | 15 ++++++++++-----
 .github/workflows/ci.yaml | 1 +
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/check-with-upstream.yaml b/.github/workflows/check-with-upstream.yaml
index 46585e294..53ffa36ff 100644
--- a/.github/workflows/check-with-upstream.yaml
+++ b/.github/workflows/check-with-upstream.yaml
@@ -1,14 +1,19 @@
 name: check-with-upstream
 # Run every Monday.
 on:
+ push:
+ branches:
+ - main
+ pull_request:
 schedule:
- - cron: '0 0 * * 1'
+ - cron: "0 0 * * 1"
 jobs:
 check-selectors-ksm:
 runs-on: ubuntu-latest
 name: Check if KSM selectors are present on applicable metrics.
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- with:
- persist-credentials: false
- - run: make --always-make check-selectors-ksm
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+ - run: make --always-make check-selectors-ksm
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index c72ffe8b2..e2bbc37cb 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -32,6 +32,7 @@ jobs:
 run: make --always-make test
 steps:
+ - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
From 76e70ce3af5e8b5158190b8305daa2f3b0bc3a85 Mon Sep 17 00:00:00 2001
From: Stephen Lang
Date: Mon, 28 Apr 2025 17:34:43 +0100
Subject: [PATCH 2/2] ci: try minimal permissions
---
 .github/workflows/check-with-upstream.yaml | 6 +-----
 .github/workflows/ci.yaml | 2 +-
 2 files changed, 2 insertions(+), 6 deletions(-)
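Review bot: `GitHubSecurityLab/actions-permissions/monitor@v1` is pinned to a mutable tag, while the `actions/checkout` step directly below it in this hunk is pinned to a full commit SHA with a `# v4.2.2` comment; a third-party action that sits in front of the workflow's API traffic deserves the same treatment, e.g. `- uses: GitHubSecurityLab/actions-permissions/monitor@<commit-sha> # v1`. The same unpinned step is added to ci.yaml in the second hunk. Note also that the monitor only reports which token scopes a run used and grants or removes nothing, so on the new `push` and `pull_request` triggers the job keeps whatever default `GITHUB_TOKEN` permissions the repository has until a `permissions:` block is declared. Patch 2/2 of this series removes both the step and the triggers again, so if the monitor is only a temporary probe, what should land is the hardening it informs.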
diff --git a/.github/workflows/check-with-upstream.yaml b/.github/workflows/check-with-upstream.yaml
index 53ffa36ff..83eabfa82 100644
--- a/.github/workflows/check-with-upstream.yaml
+++ b/.github/workflows/check-with-upstream.yaml
@@ -1,10 +1,7 @@
 name: check-with-upstream
+permissions: {}
 # Run every Monday.
 on:
- push:
- branches:
- - main
- pull_request:
 schedule:
 - cron: "0 0 * * 1"
 jobs:
@@ -12,7 +9,6 @@ jobs:
 runs-on: ubuntu-latest
 name: Check if KSM selectors are present on applicable metrics.
 steps:
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e2bbc37cb..2ecca959d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,4 +1,5 @@
 name: ci
+permissions: {}
 on:
 push:
 branches:
@@ -32,7 +33,6 @@ jobs:
 run: make --always-make test
 steps:
- - uses: GitHubSecurityLab/actions-permissions/monitor@v1
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 persist-credentials: false
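Review bot: Dropping the `push` and `pull_request` triggers means the new top-level `permissions: {}` in this hunk is first exercised by the Monday cron, so a breakage would surface a week later with nobody watching; keeping a manual trigger, `workflow_dispatch:` under `on:`, lets the hardened workflow be run on demand to confirm that the checkout and `make --always-make check-selectors-ksm` need no token scopes. `permissions: {}` also removes `contents: read`; that is fine for an anonymous clone of a public repository, but if the checkout or the make target turns out to need the token, grant `contents: read` on the `check-selectors-ksm` job rather than widening the workflow-level block. The job's definition lies outside this hunk.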
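Review bot: The workflow-level `permissions: {}` added here applies to every job in ci.yaml, and all of those jobs are outside this hunk, so the "try" in the commit title carries real risk: any job that actually needs a `GITHUB_TOKEN` scope will fail once this merges. Since the same commit also removes the `actions-permissions/monitor` step before it could report which scopes the jobs use, consider keeping the monitor for one run on a branch first, or at least declaring `permissions:` with `contents: read` on the job whose `steps:` appear further down (that job's definition starts outside the hunk). `permissions: {}` at the top plus explicit job-level grants is the least-privilege shape; everything else in the hunk can stay as it is.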