From 14b7381281395520c9e3ff268e320d5cff9238ad Mon Sep 17 00:00:00 2001 From: Chris Gunn Date: Mon, 11 Aug 2025 15:23:05 -0700 Subject: [PATCH 1/3] Fix workflow permissions. The permissions at the top of the workflow file, apply to all jobs within the file. So, explictly set this to nothing. Then set give each job explicit permissions. --- .github/workflows/binary-build.yml | 3 +- .github/workflows/build-dev.yml | 9 +-- .github/workflows/build-main.yml | 9 +-- .github/workflows/build-preview.yml | 9 +-- .github/workflows/build.yml | 63 +++++++++++++++---- .github/workflows/docs-build.yml | 3 +- .github/workflows/fork-release-branch.yml | 4 +- .../imagecreator-tests-functional.yml | 3 +- .github/workflows/open-bump-version-pr.yml | 6 +- .github/workflows/publish-container.yml | 6 +- .github/workflows/publish-github-pages.yml | 1 + .github/workflows/publish-release.yml | 4 +- .github/workflows/release-minor-version.yml | 36 +++++++---- .github/workflows/release-patch-version.yml | 16 +++++ .github/workflows/release-preview-version.yml | 9 +++ .github/workflows/tests-functional.yml | 5 +- .../workflows/tests-vmtests-imagecreator.yml | 3 +- .github/workflows/tests-vmtests.yml | 5 +- 18 files changed, 128 insertions(+), 66 deletions(-) diff --git a/.github/workflows/binary-build.yml b/.github/workflows/binary-build.yml index a822ba82d..fd450a83d 100644 --- a/.github/workflows/binary-build.yml +++ b/.github/workflows/binary-build.yml @@ -3,8 +3,7 @@ name: Build binary and container for single arch -permissions: - contents: read +permissions: {} on: workflow_call: diff --git a/.github/workflows/build-dev.yml b/.github/workflows/build-dev.yml index ba8a01b17..6478b3a8d 100644 --- a/.github/workflows/build-dev.yml +++ b/.github/workflows/build-dev.yml @@ -3,10 +3,7 @@ name: Build (dev) -permissions: - contents: read - # Azure login. - id-token: write +permissions: {} on: pull_request: 
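Review bot: In binary-build.yml the replacement `permissions: {}` now applies to every job of this reusable workflow, and the diffstat shows no job-level `permissions` were added inside it, so its jobs depend on inheriting the caller's job-level grant (`contents: read` in build.yml). A called workflow can only narrow what the caller passes, and an empty workflow-level block may well be read as narrowing to no scopes; confirm with a run whose steps need the token before relying on it. The same pattern is repeated in docs-build.yml, fork-release-branch.yml, imagecreator-tests-functional.yml, open-bump-version-pr.yml, publish-container.yml, publish-release.yml, tests-functional.yml, tests-vmtests-imagecreator.yml, tests-vmtests.yml and, in the third patch, tests-vmtests-osmodifier.yml; the tests-* workflows previously granted `id-token: write` for Azure login, so a silent loss would surface there first. If the grants are meant to live only in the caller, a comment on the `{}` line such as `# Scopes are granted per job by the calling workflow.` makes that intent explicit.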
@@ -34,3 +31,7 @@ jobs: publishType: dev runFunctionalTests: ${{ inputs.runFunctionalTests || false }} runVMTests: ${{ inputs.runVMTests || false }} + permissions: + contents: read + # Azure login. + id-token: write diff --git a/.github/workflows/build-main.yml b/.github/workflows/build-main.yml index 471decaf8..4d22f2f4a 100644 --- a/.github/workflows/build-main.yml +++ b/.github/workflows/build-main.yml @@ -3,10 +3,7 @@ name: Build (main) -permissions: - contents: read - # Azure login. - id-token: write +permissions: {} on: push: @@ -16,6 +13,10 @@ on: jobs: build: uses: ./.github/workflows/build.yml + permissions: + contents: read + # Azure login. + id-token: write with: publishType: main runFunctionalTests: true diff --git a/.github/workflows/build-preview.yml b/.github/workflows/build-preview.yml index 51eecd804..f92d61584 100644 --- a/.github/workflows/build-preview.yml +++ b/.github/workflows/build-preview.yml @@ -3,10 +3,7 @@ name: Build (preview) -permissions: - contents: read - # Azure login. - id-token: write +permissions: {} on: push: @@ -16,6 +13,10 @@ on: jobs: build: uses: ./.github/workflows/build.yml + permissions: + contents: read + # Azure login. + id-token: write with: publishType: preview runFunctionalTests: true diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d33782125..1a0cf0b2b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,10 +3,7 @@ name: Build binary, container, and docs -permissions: - contents: read - # Azure login. - id-token: write +permissions: {} on: workflow_call: @@ -31,6 +28,8 @@ jobs: with: publishType: ${{ inputs.publishType }} arch: amd64 + permissions: + contents: read binary-build-arm64: name: Build ARM64 @@ -38,9 +37,13 @@ jobs: with: publishType: ${{ inputs.publishType }} arch: arm64 + permissions: + contents: read build-docs: uses: ./.github/workflows/docs-build.yml + permissions: + contents: read tests-functional-azl3-amd64: name: Functional tests AZL3 AMD64 
@@ -49,14 +52,22 @@ jobs: with: hostArch: amd64 hostDistro: azl3 + permissions: + contents: read + # Azure login. + id-token: write tests-functional-azl3-arm64: - name: Functional tests AZL3 ARM64 - if: ${{ inputs.runFunctionalTests }} - uses: ./.github/workflows/tests-functional.yml - with: - hostArch: arm64 - hostDistro: azl3 + name: Functional tests AZL3 ARM64 + if: ${{ inputs.runFunctionalTests }} + uses: ./.github/workflows/tests-functional.yml + with: + hostArch: arm64 + hostDistro: azl3 + permissions: + contents: read + # Azure login. + id-token: write tests-functional-ubuntu2404-amd64: name: Functional tests Ubuntu24.04 AMD64 @@ -65,6 +76,10 @@ jobs: with: hostArch: amd64 hostDistro: ubuntu2404 + permissions: + contents: read + # Azure login. + id-token: write tests-functional-ubuntu2404-arm64: name: Functional tests Ubuntu24.04 ARM64 @@ -73,6 +88,10 @@ jobs: with: hostArch: arm64 hostDistro: ubuntu2404 + permissions: + contents: read + # Azure login. + id-token: write imagecreator-tests-functional-azl3-amd64: name: Functional tests AZL3 AMD64 @@ -81,6 +100,8 @@ jobs: with: hostArch: amd64 hostDistro: azl3 + permissions: + contents: read imagecreator-tests-functional-ubuntu2404-amd64: name: Functional tests Ubuntu24.04 AMD64 @@ -89,6 +110,8 @@ jobs: with: hostArch: amd64 hostDistro: ubuntu2404 + permissions: + contents: read tests-vmtests-azl3-amd64: name: VMTests suite AZL3 AMD64 @@ -98,6 +121,10 @@ jobs: with: hostArch: amd64 hostDistro: azl3 + permissions: + contents: read + # Azure login. + id-token: write tests-vmtests-ubuntu2404-amd64: name: VMTests suite Ubuntu24.04 AMD64 @@ -107,6 +134,10 @@ jobs: with: hostArch: amd64 hostDistro: ubuntu2404 + permissions: + contents: read + # Azure login. + id-token: write tests-vmtests-ubuntu2404-arm64: name: VMTests suite Ubuntu24.04 ARM64 
@@ -116,6 +147,10 @@ jobs: with: hostArch: arm64 hostDistro: ubuntu2404 + permissions: + contents: read + # Azure login. + id-token: write tests-vmtests-imagecreator-azl3-amd64: name: VMTests suite image creator AZL3 AMD64 @@ -125,6 +160,8 @@ jobs: with: hostArch: amd64 hostDistro: azl3 + permissions: + contents: read tests-vmtests-imagecreator-ubuntu2404-amd64: name: VMTests suite image creator Ubuntu24.04 AMD64 @@ -133,7 +170,9 @@ jobs: uses: ./.github/workflows/tests-vmtests-imagecreator.yml with: hostArch: amd64 - hostDistro: ubuntu2404 + hostDistro: ubuntu2404 + permissions: + contents: read tests-vmtests-imagecreator-ubuntu2404-arm64: name: VMTests suite image creator Ubuntu24.04 ARM64 @@ -143,6 +182,8 @@ jobs: with: hostArch: arm64 hostDistro: ubuntu2404 + permissions: + contents: read tests-vmtests-osmodifier-azl3-amd64: name: VMTests suite osmodifier AZL3 AMD64 diff --git a/.github/workflows/docs-build.yml b/.github/workflows/docs-build.yml index 17c43c4e8..158fbcc2a 100644 --- a/.github/workflows/docs-build.yml +++ b/.github/workflows/docs-build.yml @@ -1,7 +1,6 @@ name: Build docs -permissions: - contents: read +permissions: {} on: workflow_call: {} diff --git a/.github/workflows/fork-release-branch.yml b/.github/workflows/fork-release-branch.yml index 406990da0..8de5873d1 100644 --- a/.github/workflows/fork-release-branch.yml +++ b/.github/workflows/fork-release-branch.yml @@ -3,9 +3,7 @@ name: Fork release branch -permissions: - # Create release branch. - contents: write +permissions: {} on: workflow_call: {} diff --git a/.github/workflows/imagecreator-tests-functional.yml b/.github/workflows/imagecreator-tests-functional.yml index 65b4054f1..1a8288704 100644 --- a/.github/workflows/imagecreator-tests-functional.yml +++ b/.github/workflows/imagecreator-tests-functional.yml @@ -3,8 +3,7 @@ name: Tests Image Creator functional -permissions: - contents: read +permissions: {} on: workflow_call: 
diff --git a/.github/workflows/open-bump-version-pr.yml b/.github/workflows/open-bump-version-pr.yml index 59f3b5457..a5f7588e1 100644 --- a/.github/workflows/open-bump-version-pr.yml +++ b/.github/workflows/open-bump-version-pr.yml @@ -3,11 +3,7 @@ name: Open bump version PR -permissions: - # Create release branch and publish release. - contents: write - # Publish PR. - #pull-requests: write +permissions: {} on: workflow_call: {} diff --git a/.github/workflows/publish-container.yml b/.github/workflows/publish-container.yml index ae114a831..135b3e4d3 100644 --- a/.github/workflows/publish-container.yml +++ b/.github/workflows/publish-container.yml @@ -1,10 +1,6 @@ name: Publish container to GHCR -permissions: - # "Keyless" container signing - id-token: write - # Publish to GHCR. - packages: write +permissions: {} on: workflow_call: {} diff --git a/.github/workflows/publish-github-pages.yml b/.github/workflows/publish-github-pages.yml index ed669e47a..91eaa0962 100644 --- a/.github/workflows/publish-github-pages.yml +++ b/.github/workflows/publish-github-pages.yml @@ -9,6 +9,7 @@ jobs: deploy: name: Publish GitHub pages permissions: + # GitHub pages publish. pages: write id-token: write environment: diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index 204d70615..ce6f12644 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -3,9 +3,7 @@ name: Publish release -permissions: - # Create release tag and publish release. - contents: write +permissions: {} on: workflow_call: diff --git a/.github/workflows/release-minor-version.yml b/.github/workflows/release-minor-version.yml index 6c70a8c76..0cff2501e 100644 --- a/.github/workflows/release-minor-version.yml +++ b/.github/workflows/release-minor-version.yml 
@@ -3,17 +3,7 @@ name: Release (major/minor) -permissions: - # Push release branch and publish release. - contents: write - # Publish to GHCR. - packages: write - # "Keyless" container signing, Azure login, GitHub pages publish. - id-token: write - # Publish PR. - #pull-requests: write - # GitHub pages publish. - pages: write +permissions: {} on: # Allow pipeline to be run manually. @@ -26,11 +16,20 @@ jobs: publishType: official runFunctionalTests: true runVMTests: true + permissions: + contents: read + # Azure login + id-token: write publish-container: uses: ./.github/workflows/publish-container.yml needs: - build + permissions: + # "Keyless" container signing + id-token: write + # Publish to GHCR. + packages: write publish-release: uses: ./.github/workflows/publish-release.yml @@ -38,18 +37,33 @@ jobs: isLatestRelease: true needs: - build + permissions: + # Create release tag and publish release. + contents: write fork-release-branch: uses: ./.github/workflows/fork-release-branch.yml needs: - build + permissions: + # Create release branch. + contents: write open-bump-version-pr: uses: ./.github/workflows/open-bump-version-pr.yml needs: - build + permissions: + # Create release branch and publish release. + contents: write + # Publish PR. + #pull-requests: write publish-github-pages: uses: ./.github/workflows/publish-github-pages.yml needs: - build + permissions: + # GitHub pages publish. + pages: write + id-token: write \ No newline at end of file diff --git a/.github/workflows/release-patch-version.yml b/.github/workflows/release-patch-version.yml index 69a319828..1a4cd4b03 100644 --- a/.github/workflows/release-patch-version.yml +++ b/.github/workflows/release-patch-version.yml 
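Review bot: The `open-bump-version-pr` job in release-minor-version.yml carries over a commented-out `#pull-requests: write` under a `# Publish PR.` comment, so the job's grant is documented by a scope it does not have, and the `contents: write` comment above it (`# Create release branch and publish release.`) reads as copied from publish-release rather than describing this job. Either drop the commented line or replace the pair with a comment stating how the PR is actually opened (presumably a token other than GITHUB_TOKEN, which the hunk does not show), e.g. `# Create the bump branch; the PR is opened with a separately supplied token.`. The corresponding line in open-bump-version-pr.yml is removed by this patch, so the job-level copy here is the only place it now lives. Separately, this hunk leaves release-minor-version.yml without a trailing newline (`\ No newline at end of file`), as does the release-patch-version.yml hunk in this patch; the second patch restores the newline only for release-preview-version.yml.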
@@ -24,11 +24,20 @@ jobs: publishType: patch runFunctionalTests: true runVMTests: true + permissions: + contents: read + # Azure login + id-token: write publish-container: uses: ./.github/workflows/publish-container.yml needs: - build + permissions: + # "Keyless" container signing + id-token: write + # Publish to GHCR. + packages: write publish-release: uses: ./.github/workflows/publish-release.yml @@ -36,9 +45,16 @@ jobs: isLatestRelease: ${{ needs.build.outputs.isLatestRelease }} needs: - build + permissions: + # Create release tag and publish release. + contents: write publish-github-pages: uses: ./.github/workflows/publish-github-pages.yml if: ${{ needs.build.outputs.isLatestRelease == 'true' }} needs: - build + permissions: + # GitHub pages publish. + pages: write + id-token: write \ No newline at end of file diff --git a/.github/workflows/release-preview-version.yml b/.github/workflows/release-preview-version.yml index 684c74155..5bd294ec7 100644 --- a/.github/workflows/release-preview-version.yml +++ b/.github/workflows/release-preview-version.yml @@ -21,8 +21,17 @@ jobs: publishType: preview runFunctionalTests: true runVMTests: true + permissions: + contents: read + # Azure login + id-token: write publish-container: uses: ./.github/workflows/publish-container.yml needs: - build + permissions: + # "Keyless" container signing + id-token: write + # Publish to GHCR. + packages: write \ No newline at end of file diff --git a/.github/workflows/tests-functional.yml b/.github/workflows/tests-functional.yml index 8f94d4657..4f33351b3 100644 --- a/.github/workflows/tests-functional.yml +++ b/.github/workflows/tests-functional.yml @@ -3,10 +3,7 @@ name: Tests functional -permissions: - contents: read - # Azure login. - id-token: write +permissions: {} on: workflow_call: diff --git a/.github/workflows/tests-vmtests-imagecreator.yml b/.github/workflows/tests-vmtests-imagecreator.yml index c0f081ac4..bec848c7d 100644 --- a/.github/workflows/tests-vmtests-imagecreator.yml 
+++ b/.github/workflows/tests-vmtests-imagecreator.yml @@ -3,8 +3,7 @@ name: Tests VMTests suite for Image Creator -permissions: - contents: read +permissions: {} on: workflow_call: diff --git a/.github/workflows/tests-vmtests.yml b/.github/workflows/tests-vmtests.yml index 1b42a0a59..2b8a8faef 100644 --- a/.github/workflows/tests-vmtests.yml +++ b/.github/workflows/tests-vmtests.yml @@ -3,10 +3,7 @@ name: Tests VMTests suite -permissions: - contents: read - # Azure login. - id-token: write +permissions: {} on: workflow_call: From c3ccaed9a87258b26b58425629e78d0cfa1a6789 Mon Sep 17 00:00:00 2001 From: Chris Gunn Date: Mon, 11 Aug 2025 17:09:16 -0700 Subject: [PATCH 2/3] Missed a couple of files --- .github/workflows/release-patch-version.yml | 10 +--------- .github/workflows/release-preview-version.yml | 9 ++------- 2 files changed, 3 insertions(+), 16 deletions(-) diff --git a/.github/workflows/release-patch-version.yml b/.github/workflows/release-patch-version.yml index 1a4cd4b03..2b863384b 100644 --- a/.github/workflows/release-patch-version.yml +++ b/.github/workflows/release-patch-version.yml @@ -3,15 +3,7 @@ name: Release (patch) -permissions: - # Push release branch and publish release. - contents: write - # Publish to GHCR. - packages: write - # "Keyless" container signing and Azure login. - id-token: write - # GitHub pages publish. - pages: write +permissions: {} on: # Allow pipeline to be run manually. diff --git a/.github/workflows/release-preview-version.yml b/.github/workflows/release-preview-version.yml index 5bd294ec7..ec2dbdaab 100644 --- a/.github/workflows/release-preview-version.yml +++ b/.github/workflows/release-preview-version.yml @@ -3,12 +3,7 @@ name: Release (preview) -permissions: - contents: read - # "Keyless" container signing and Azure login. - id-token: write - # Publish to GHCR. - packages: write +permissions: {} on: # Allow pipeline to be run manually. 
@@ -34,4 +29,4 @@ jobs: # "Keyless" container signing id-token: write # Publish to GHCR. - packages: write \ No newline at end of file + packages: write From d6919c775a81cd831b5e6ee1b0eebf9b28da9592 Mon Sep 17 00:00:00 2001 From: Chris Gunn Date: Thu, 14 Aug 2025 12:15:39 -0700 Subject: [PATCH 3/3] Fix osmodifier workflow permissions --- .github/workflows/build.yml | 12 ++++++++++++ .github/workflows/tests-vmtests-osmodifier.yml | 5 +---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1a0cf0b2b..fc6653da4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -193,6 +193,10 @@ jobs: with: hostArch: amd64 hostDistro: azl3 + permissions: + contents: read + # Azure login. + id-token: write tests-vmtests-osmodifier-ubuntu2404-amd64: name: VMTests suite osmodifier Ubuntu24.04 AMD64 @@ -202,6 +206,10 @@ jobs: with: hostArch: amd64 hostDistro: ubuntu2404 + permissions: + contents: read + # Azure login. + id-token: write tests-vmtests-osmodifier-ubuntu2404-arm64: name: VMTests suite osmodifier Ubuntu24.04 ARM64 @@ -211,3 +219,7 @@ jobs: with: hostArch: arm64 hostDistro: ubuntu2404 + permissions: + contents: read + # Azure login. + id-token: write diff --git a/.github/workflows/tests-vmtests-osmodifier.yml b/.github/workflows/tests-vmtests-osmodifier.yml index 6abad181a..3ff5e8b59 100644 --- a/.github/workflows/tests-vmtests-osmodifier.yml +++ b/.github/workflows/tests-vmtests-osmodifier.yml @@ -3,10 +3,7 @@ name: Tests VMTests suite for OSModifier -permissions: - contents: read - # Azure login. - id-token: write +permissions: {} on: workflow_call: