From a44fd206d3169b3612734c5c999d22628252ba6a Mon Sep 17 00:00:00 2001
From: "@zimeg"
Date: Mon, 21 Apr 2025 11:12:02 -0700
Subject: [PATCH 1/4] ci: set minimum amount of permission needed for each workflow
---
 .github/workflows/delete-pr-build-on-close.yml | 2 ++
 .github/workflows/dependencies.yml | 2 ++
 .github/workflows/e2e_tests.yml | 2 ++
 .github/workflows/license_check.yml | 2 ++
 .github/workflows/sync-docs-from-cli-repo.yml | 3 ++-
 .github/workflows/tests.yml | 4 ++++
 6 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/delete-pr-build-on-close.yml b/.github/workflows/delete-pr-build-on-close.yml
index 2feec9b9..ce4944e3 100644
--- a/.github/workflows/delete-pr-build-on-close.yml
+++ b/.github/workflows/delete-pr-build-on-close.yml
@@ -21,6 +21,8 @@ jobs:
 delete-pre-release:
 name: Delete pre-release if exists
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Delete pre-release and tag named after branch
 env:
diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
index e5a3685e..331228c1 100644
--- a/.github/workflows/dependencies.yml
+++ b/.github/workflows/dependencies.yml
@@ -7,6 +7,8 @@ jobs:
 golang:
 name: Bump the Golang version
 runs-on: ubuntu-latest
+ permissions:
+ contents: none # Permissions are set with an application token
 steps:
 - name: Gather credentials
 id: credentials
diff --git a/.github/workflows/e2e_tests.yml b/.github/workflows/e2e_tests.yml
index 6dbf2854..21216dad 100644
--- a/.github/workflows/e2e_tests.yml
+++ b/.github/workflows/e2e_tests.yml
@@ -17,6 +17,8 @@ jobs:
 execute:
 name: Start tests
 runs-on: ubuntu-latest
+ permissions:
+ contents: none
 steps:
 - name: Trigger CircleCI 'local' workflow
 if: ${{ github.event.inputs.status == 'false' }}
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
index 77c5004f..31cb4b62 100644
--- a/.github/workflows/license_check.yml
+++ b/.github/workflows/license_check.yml
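Review bot: The job-level `permissions:` narrows the token for delete-pre-release, but nothing in the hunk restricts the workflow-level default, so any job added to this file later still inherits the repository's default GITHUB_TOKEN scopes; a `permissions: {}` line at the top of the workflow (above `jobs:`, outside this hunk) makes new jobs start from nothing and leaves this job's `contents: write` as the only grant. The same applies to the dependencies.yml, e2e_tests.yml, license_check.yml, sync-docs-from-cli-repo.yml and tests.yml hunks in this patch, none of which touches the workflow level. The trigger and the `env:` values are also outside the hunk; if the workflow runs on `pull_request_target`, which fork pull requests can reach, the branch name that selects the tag and release to delete should be treated as untrusted input before it is used under this write scope. The delete-pre-release job body continues past the end of the hunk.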
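Review bot: `contents: none` with its trailing comment says less than it appears to in the dependencies.yml hunk: once a job declares `permissions:`, every scope it does not list is already none, so the two added lines amount to an empty permission set. `permissions: {}  # GITHUB_TOKEN is not used; the job authenticates with an application token` is the documented form for that and states the intent directly. The e2e_tests.yml hunk uses the same `contents: none` pattern with no comment at all on why the token is dropped. With the application token now carrying the real privilege, the scopes that installation grants are what the next reviewer needs; naming them in the comment (`# app token: <scopes granted to the installation>`, placeholder to fill in) keeps this file an honest record of what the job can do.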
@@ -10,6 +10,8 @@ jobs:
 check-headers:
 name: Check that license headers are in place
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4.2.2
 with:
diff --git a/.github/workflows/sync-docs-from-cli-repo.yml b/.github/workflows/sync-docs-from-cli-repo.yml
index 5c9dff6d..099e7438 100644
--- a/.github/workflows/sync-docs-from-cli-repo.yml
+++ b/.github/workflows/sync-docs-from-cli-repo.yml
@@ -17,7 +17,8 @@ jobs:
 config-sync:
 name: Sync docs to docs site repo
 runs-on: ubuntu-latest
-
+ permissions:
+ contents: read
 steps:
 - name: Generate a GitHub token
 id: ghtoken
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index bac256ab..a5edce16 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -15,6 +15,8 @@ jobs:
 lint-test:
 name: Lints and Unit tests
 runs-on: macos-latest
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v4.2.2
 with:
@@ -49,6 +51,8 @@ jobs:
 health-score:
 needs: lint-test
 runs-on: macos-latest
+ permissions:
+ checks: write
 steps:
 - uses: actions/checkout@v4.2.2
 - name: Set up Go
From 6591d1f7bcad9cd982941deee6d9a1e9173e2b81 Mon Sep 17 00:00:00 2001
From: "@zimeg"
Date: Mon, 21 Apr 2025 11:15:51 -0700
Subject: [PATCH 2/4] temp: create a new file without a license header
---
 CHANGELOG.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 CHANGELOG.txt
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
new file mode 100644
index 00000000..90f934d7
--- /dev/null
+++ b/CHANGELOG.txt
@@ -0,0 +1,3 @@
+changelog - a log of changes
+
+1. commit this file for testing a license workflow
From 75a98b894d1946ceaee6f4e8b3e27a683b85e339 Mon Sep 17 00:00:00 2001
From: "@zimeg"
Date: Mon, 21 Apr 2025 11:27:17 -0700
Subject: [PATCH 3/4] revert: remove file used to check that permissions were alright
---
 CHANGELOG.txt | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 CHANGELOG.txt
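Review bot: `actions/checkout@v4.2.2` in the check-headers job is pinned to a tag, and tags can be moved, so the job-level scopes this patch sets are only as tight as whatever that tag resolves to on the day the job runs. Pinning `uses:` to the full commit SHA with the version in a trailing comment (`- uses: actions/checkout@<full commit sha>  # v4.2.2`, placeholder to fill in) makes the grant in `permissions:` the effective ceiling; this matters least here with `contents: read` and most in the tests.yml health-score job of this patch, which holds `checks: write`. The same tag-pinned `uses:` form appears in both tests.yml hunks.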
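Review bot: In the sync-docs-from-cli-repo.yml hunk the config-sync job generates its own GitHub token on the next step, like the dependencies.yml job that was given `contents: none`, yet here GITHUB_TOKEN keeps `contents: read` with no comment on which step consumes it. If the scope exists only so `actions/checkout` can fetch this repository, say so: `contents: read  # checkout of this repository; the generated token is used for the docs site repo`; if every step uses the generated token, `permissions: {}` would be the consistent choice. The config-sync steps continue past the end of the hunk, so which case applies is not visible here.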
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
deleted file mode 100644
index 90f934d7..00000000
--- a/CHANGELOG.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-changelog - a log of changes
-
-1. commit this file for testing a license workflow
From ac0f4bf71f9b150396030d1d83e67393842b0068 Mon Sep 17 00:00:00 2001
From: "@zimeg"
Date: Mon, 21 Apr 2025 11:28:20 -0700
Subject: [PATCH 4/4] ci: include the read contents permission for public repositories as fallback
---
 .github/workflows/tests.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index a5edce16..cba3ab5c 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -53,6 +53,7 @@ jobs:
 runs-on: macos-latest
 permissions:
 checks: write
+ contents: read
 steps:
 - uses: actions/checkout@v4.2.2
 - name: Set up Go
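Review bot: With `contents: read` added, the health-score job now carries two grants and the sensitive one, `checks: write`, has no comment saying which step needs it; that scope lets the job create and update check runs on the commit, and the step that publishes the score is outside the hunk. A one-line comment, `checks: write  # <step name> publishes the health score as a check run` (placeholder to fill in), ties the scope to its consumer so it gets removed when that step does. The commit subject calls `contents: read` a fallback for public repositories; a matching comment on that line would spare the next reader from re-deriving why a read scope sits next to `actions/checkout@v4.2.2`.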