From a9e8cb2508af72bf95d48ef3d32d4bb8b2292778 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Minier?=
Date: Mon, 26 May 2025 12:22:17 +0200
Subject: [PATCH 1/5] workflows: LAVA schema check: Typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Loïc Minier
---
.github/workflows/lava-schema-check.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lava-schema-check.yml b/.github/workflows/lava-schema-check.yml
index b731a422..c1b66f00 100644
--- a/.github/workflows/lava-schema-check.yml
+++ b/.github/workflows/lava-schema-check.yml
@@ -1,4 +1,4 @@ -name: Chech LAVA templates +name: Check LAVA templates on: workflow_call:
From ce82da559d612a9db0e9bf4da3860a5e9473f91f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Minier?=
Date: Tue, 27 May 2025 12:31:37 +0200
Subject: [PATCH 2/5] workflows: LAVA schema check: Add permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Loïc Minier
---
.github/workflows/lava-schema-check.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/lava-schema-check.yml b/.github/workflows/lava-schema-check.yml
index c1b66f00..17c20410 100644
--- a/.github/workflows/lava-schema-check.yml
+++ b/.github/workflows/lava-schema-check.yml
@@ -3,6 +3,10 @@ name: Check LAVA templates on: workflow_call: +# implicitely set all other permissions to none +permissions: + contents: read # actions/checkout + jobs: schema-check: runs-on: ubuntu-latest
From 390b69616e87af2426c022c4ce1703b36606ff10 Mon Sep 17 00:00:00 2001
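Review bot: The comment added above `permissions:` in the second patch misspells "implicitly" (`# implicitely set all other permissions to none`), and the same spelling is copied into every workflow touched by patch 4 and into `build-daily.yml` again in patch 5; suggest `# implicitly set all other permissions to none` here and in those hunks. Because this workflow is only reachable through `workflow_call`, this block can only narrow what the calling workflow passes and never add to it, so `contents: read` is the floor a caller must grant while every other scope is dropped inside this workflow whatever the caller holds. A one-line comment stating that (`# callers must grant at least contents: read; nothing else is retained here`) would make the intent clear to the next reader.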
From: =?UTF-8?q?Lo=C3=AFc=20Minier?=
Date: Mon, 26 May 2025 12:04:28 +0200
Subject: [PATCH 3/5] workflows: test: Set permissions at workflow level
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Permissions in job are probably cleaner, but since we're mainly including this workflow from others, it's easier to find the intended permissions in this way. Plus other workflows currently also manage their permissions at the workflow rather than job level. Also update permissions to more complete list.
Signed-off-by: Loïc Minier
---
.github/workflows/test.yml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 341bf19d..94831d57 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,6 +7,12 @@ on: required: true type: string +permissions: + checks: write # EnricoMi/publish-unit-test-result-action + pull-requests: write # EnricoMi/publish-unit-test-result-action + contents: read # actions/checkout + packages: read # actions/download-artifact + jobs: prepare-job-list: runs-on: ubuntu-latest
@@ -74,9 +80,6 @@ jobs: name: "Publish Tests Results" needs: submit-job runs-on: ubuntu-latest - permissions: - checks: write - pull-requests: write steps: - name: Download Artifacts
From ab9dc55a691f04e9bc33930f29891189fd76d905 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Minier?=
Date: Mon, 26 May 2025 12:21:33 +0200
Subject: [PATCH 4/5] workflows: Order and comments for permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
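Review bot: Lifting `checks: write` and `pull-requests: write` to the workflow level in the first hunk of `test.yml` gives those write scopes to every job in the file, including `prepare-job-list` and `submit-job`, which the job-level block deleted in the second hunk (`@@ -74,9 +80,6 @@`) had kept them away from. In a `workflow_call` workflow the top-level block works as the documented ceiling and can only narrow what the caller passes, but the per-job block is where least privilege is actually enforced, and the two can coexist. Suggest keeping the new top-level block and restoring, under the `Publish Tests Results` job, `permissions:` / `  checks: write` / `  pull-requests: write` (the three removed lines), so the other jobs fall back to the narrower scopes they need. The publish job's steps continue past the end of the second hunk.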
Signed-off-by: Loïc Minier
---
.github/workflows/build-daily.yml | 3 ++-
.github/workflows/build-on-pr.yml | 9 +++++----
.github/workflows/build-on-push.yml | 9 +++++----
.github/workflows/debos.yml | 5 ++---
.github/workflows/linux.yml | 5 ++---
.github/workflows/static-checks.yml | 5 ++---
.github/workflows/test-pr.yml | 11 +++++++----
.github/workflows/test.yml | 9 +++++----
.github/workflows/u-boot.yml | 5 ++---
9 files changed, 32 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/build-daily.yml b/.github/workflows/build-daily.yml
index adca71fb..912d3891 100644
--- a/.github/workflows/build-daily.yml
+++ b/.github/workflows/build-daily.yml
@@ -7,8 +7,9 @@ on: # allow manual runs workflow_dispatch: +# implicitely set all other permissions to none permissions: - contents: read + contents: read # debos.yml jobs: build-daily:
diff --git a/.github/workflows/build-on-pr.yml b/.github/workflows/build-on-pr.yml
index 3e05dfb9..830f14b8 100644
--- a/.github/workflows/build-on-pr.yml
+++ b/.github/workflows/build-on-pr.yml
@@ -3,11 +3,12 @@ name: Build on PR on: pull_request: +# implicitely set all other permissions to none permissions: - checks: write # required by test reporting action - pull-requests: write # required by test reporting action - contents: read # github default - packages: read # github default + checks: write # test.yml + contents: read # debos.yml lava-schema-check.yml test.yml + packages: read # test.yml + pull-requests: write # test.yml jobs: event-file:
diff --git a/.github/workflows/build-on-push.yml b/.github/workflows/build-on-push.yml
index 5e6b395b..8cbedc2e 100644
--- a/.github/workflows/build-on-push.yml
+++ b/.github/workflows/build-on-push.yml
@@ -4,11 +4,12 @@ on: push: branches: [main] +# implicitely set all other permissions to none permissions: - checks: write - pull-requests: write - contents: read - packages: read + checks: write # test.yml + contents: read # debos.yml lava-schema-check.yml test.yml + packages: read # test.yml + pull-requests: write # test.yml jobs: build-daily:
diff --git a/.github/workflows/debos.yml b/.github/workflows/debos.yml
index a651d723..442689e5 100644
--- a/.github/workflows/debos.yml
+++ b/.github/workflows/debos.yml
@@ -7,10 +7,9 @@ on: description: "URL to retrieve build artifacts" value: ${{ jobs.build-debos.outputs.url }} -# only need permission to read repository; implicitely set all other -# permissions to none +# implicitely set all other permissions to none permissions: - contents: read + contents: read # actions/checkout # cancel in progress builds for this workflow triggered by the same ref concurrency:
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index aaeb98d0..39b54ccc 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -7,10 +7,9 @@ on: # allow manual runs workflow_dispatch: -# only need permission to read repository; implicitely set all other -# permissions to none +# implicitely set all other permissions to none permissions: - contents: read + contents: read # actions/checkout env: # where results will be posted/hosted
diff --git a/.github/workflows/static-checks.yml b/.github/workflows/static-checks.yml
index ea9e47c3..9ef69d28 100644
--- a/.github/workflows/static-checks.yml
+++ b/.github/workflows/static-checks.yml
@@ -8,10 +8,9 @@ on: push: branches: [main] -# only need permission to read repository; implicitely set all other -# permissions to none +# implicitely set all other permissions to none permissions: - contents: read + contents: read # actions/checkout # cancel in progress builds for this workflow triggered by the same ref concurrency:
diff --git a/.github/workflows/test-pr.yml b/.github/workflows/test-pr.yml
index 029eca12..1eb9a32d 100644
--- a/.github/workflows/test-pr.yml
+++ b/.github/workflows/test-pr.yml
@@ -8,11 +8,14 @@ on: types: - completed +# implicitely set all other permissions to none permissions: - checks: write # required by test reporting action - pull-requests: write # required by test reporting action - contents: read # github default - packages: read # github default + checks: write # test.yml EnricoMi/publish-unit-test-result-action + contents: read # test.yml actions/checkout + packages: read # test.yml actions/download-artifact + # test.yml EnricoMi/publish-unit-test-result-action + # thollander/actions-comment-pull-request + pull-requests: write jobs: retrieve-build-url:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 94831d57..8969db09 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,11 +7,12 @@ on: required: true type: string +# implicitely set all other permissions to none permissions: - checks: write # EnricoMi/publish-unit-test-result-action - pull-requests: write # EnricoMi/publish-unit-test-result-action - contents: read # actions/checkout - packages: read # actions/download-artifact + checks: write # EnricoMi/publish-unit-test-result-action + contents: read # actions/checkout + packages: read # actions/download-artifact + pull-requests: write # EnricoMi/publish-unit-test-result-action jobs: prepare-job-list:
diff --git a/.github/workflows/u-boot.yml b/.github/workflows/u-boot.yml
index 647922c5..449af40c 100644
--- a/.github/workflows/u-boot.yml
+++ b/.github/workflows/u-boot.yml
@@ -7,10 +7,9 @@ on: # allow manual runs workflow_dispatch: -# only need permission to read repository; implicitely set all other -# permissions to none +# implicitely set all other permissions to none permissions: - contents: read + contents: read # actions/checkout env: # where results will be posted/hosted
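Review bot: The new comment in `test-pr.yml` attributes `packages: read` to `actions/download-artifact`, but that action does not consume the packages scope; what it needs when fetching artifacts from a different run — the situation a `workflow_run`-triggered workflow is in — is `actions: read`, which this block leaves at `none`. The removed lines already lacked `actions: read` and called `packages: read` a "github default", so if the workflow currently succeeds the download is presumably same-run or goes through another path, and the comment is simply mislabelled; verify against the step (outside this hunk) and either add `actions: read # actions/download-artifact (cross-run)` or drop `packages: read` if nothing uses it. The `test.yml` hunk in this patch and in patch 3 carries the same attribution. Because this workflow runs in the base repository with `pull-requests: write` after pull-request runs complete, whatever it downloads from those runs is untrusted input and should be treated as data only, never executed.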
From bcdc3319b099cdad3bcb9d477d209d5673c064a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lo=C3=AFc=20Minier?=
Date: Mon, 26 May 2025 12:32:31 +0200
Subject: [PATCH 5/5] workflows: Fix missing deps for test.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Loïc Minier
---
.github/workflows/build-daily.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-daily.yml b/.github/workflows/build-daily.yml
index 912d3891..0374e0e8 100644
--- a/.github/workflows/build-daily.yml
+++ b/.github/workflows/build-daily.yml
@@ -9,7 +9,10 @@ on: # implicitely set all other permissions to none permissions: - contents: read # debos.yml + checks: write # test.yml + contents: read # debos.yml test.yml + packages: read # test.yml + pull-requests: write # test.yml jobs: build-daily: