From e41a1b132dd2c1164c442af5880c46fb95a223fe Mon Sep 17 00:00:00 2001
From: "Akihiko (Aki) Kuroda" <16141898+akihikokuroda@users.noreply.github.com>
Date: Mon, 5 Aug 2024 13:07:44 -0400
Subject: [PATCH] set token permissions for workflows (#1436)

* token permisstions for workflows
---
 .github/workflows/build-containers-test.yaml | 3 +++
 .github/workflows/client-pypi-release.yaml | 2 ++
 .github/workflows/client-verify.yaml | 3 +++
 .github/workflows/docs-verify.yaml | 3 +++
 .github/workflows/gateway-verify.yaml | 3 +++
 .github/workflows/helm-verify.yaml | 3 +++
 .github/workflows/icr-image-build-and-push.yaml | 3 +++
 .github/workflows/kubernetes-deploy.yaml | 3 +++
 .github/workflows/notebook-local-verify.yaml | 3 +++
 .github/workflows/proxy-verify.yaml | 3 +++
 .github/workflows/publish-docs.yaml | 5 +++++
 .github/workflows/publish-helm.yaml | 3 +++
 .github/workflows/release-drafter.yml | 3 +++
 .github/workflows/update-component-versions.yaml | 3 +++
 14 files changed, 43 insertions(+)

diff --git a/.github/workflows/build-containers-test.yaml b/.github/workflows/build-containers-test.yaml
index 8d289d2ac..3c20639c0 100644
--- a/.github/workflows/build-containers-test.yaml
+++ b/.github/workflows/build-containers-test.yaml
@@ -3,6 +3,9 @@ name: Build the containers on: pull_request: +permissions: + contents: read + defaults: run: shell: bash
diff --git a/.github/workflows/client-pypi-release.yaml b/.github/workflows/client-pypi-release.yaml
index a151ec3dc..ada322b26 100644
--- a/.github/workflows/client-pypi-release.yaml
+++ b/.github/workflows/client-pypi-release.yaml
@@ -5,6 +5,8 @@ on: release: types: [published] +permissions: + contents: read jobs: release-package:
diff --git a/.github/workflows/client-verify.yaml b/.github/workflows/client-verify.yaml
index 005f1805b..601d194d1 100644
--- a/.github/workflows/client-verify.yaml
+++ b/.github/workflows/client-verify.yaml
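Review bot: In client-pypi-release.yaml the new workflow-level `permissions: contents: read` replaces the default token scopes, but the `release-package` job (its body is outside the hunk) receives no job-level grant; if that job publishes through PyPI trusted publishing it will need `permissions: id-token: write` on the job itself, in the same way publish-docs.yaml grants `contents: write` to its deploy job, whereas a secret-based API token needs nothing further, so this is worth confirming before merge. The same check applies to `package` in publish-helm.yaml, `update_release_draft` in release-drafter.yml and `update_component_versions` in update-component-versions.yaml, all of which appear by name to write something (a chart index, a draft release, a version-bump commit or PR) yet are left with only `contents: read`. A small consistency point: this file's insertion omits the blank line that separates `contents: read` from `jobs:` in every other hunk of the patch.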
@@ -3,6 +3,9 @@ name: Client verify process on: pull_request: +permissions: + contents: read + jobs: verify-client: name: lint, test
diff --git a/.github/workflows/docs-verify.yaml b/.github/workflows/docs-verify.yaml
index ec3b23141..437902603 100644
--- a/.github/workflows/docs-verify.yaml
+++ b/.github/workflows/docs-verify.yaml
@@ -3,6 +3,9 @@ name: Verify building sphinx docs on: pull_request: +permissions: + contents: read + jobs: verify_docs_build: runs-on: ubuntu-latest
diff --git a/.github/workflows/gateway-verify.yaml b/.github/workflows/gateway-verify.yaml
index 7d87ca31f..5c9153128 100644
--- a/.github/workflows/gateway-verify.yaml
+++ b/.github/workflows/gateway-verify.yaml
@@ -3,6 +3,9 @@ name: Gateway verify process on: pull_request: +permissions: + contents: read + jobs: verify-gateway: name: lint, test, coverage
diff --git a/.github/workflows/helm-verify.yaml b/.github/workflows/helm-verify.yaml
index ccb69cdd6..2e4d54763 100644
--- a/.github/workflows/helm-verify.yaml
+++ b/.github/workflows/helm-verify.yaml
@@ -8,6 +8,9 @@ on: - ".github/actions/helm-lint/action.yaml" - ".github/workflows/helm-verify.yaml" +permissions: + contents: read + jobs: lint: runs-on: ubuntu-latest
diff --git a/.github/workflows/icr-image-build-and-push.yaml b/.github/workflows/icr-image-build-and-push.yaml
index 1deac86a7..ed4566be8 100644
--- a/.github/workflows/icr-image-build-and-push.yaml
+++ b/.github/workflows/icr-image-build-and-push.yaml
@@ -9,6 +9,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: icr_build_and_push: runs-on: ubuntu-latest
diff --git a/.github/workflows/kubernetes-deploy.yaml b/.github/workflows/kubernetes-deploy.yaml
index 85d205e0d..14f40fada 100644
--- a/.github/workflows/kubernetes-deploy.yaml
+++ b/.github/workflows/kubernetes-deploy.yaml
@@ -4,6 +4,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: tests: runs-on: ubuntu-latest
diff --git a/.github/workflows/notebook-local-verify.yaml b/.github/workflows/notebook-local-verify.yaml
index a1a8f3070..9b65636d4 100644
--- a/.github/workflows/notebook-local-verify.yaml
+++ b/.github/workflows/notebook-local-verify.yaml
@@ -4,6 +4,9 @@ on: pull_request: branches: [ main ] +permissions: + contents: read + jobs: tests: runs-on: ubuntu-latest
diff --git a/.github/workflows/proxy-verify.yaml b/.github/workflows/proxy-verify.yaml
index f89e14be3..e36069e28 100644
--- a/.github/workflows/proxy-verify.yaml
+++ b/.github/workflows/proxy-verify.yaml
@@ -3,6 +3,9 @@ name: Proxy verify process on: pull_request: +permissions: + contents: read + jobs: verify-proxy: name: lint, test
diff --git a/.github/workflows/publish-docs.yaml b/.github/workflows/publish-docs.yaml
index 36df8e582..364c5e58a 100644
--- a/.github/workflows/publish-docs.yaml
+++ b/.github/workflows/publish-docs.yaml
@@ -6,9 +6,14 @@ on: branches: - main +permissions: + contents: read + jobs: build_and_deploy_docs: runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: actions/checkout@v3 - uses: actions/setup-python@v4
diff --git a/.github/workflows/publish-helm.yaml b/.github/workflows/publish-helm.yaml
index 9fe578a8d..ca1ef556c 100644
--- a/.github/workflows/publish-helm.yaml
+++ b/.github/workflows/publish-helm.yaml
@@ -4,6 +4,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: package: runs-on: ubuntu-latest
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 896edaf4a..f43ec86b6 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -5,6 +5,9 @@ on: branches: - main +permissions: + contents: read + jobs: update_release_draft: runs-on: ubuntu-latest
diff --git a/.github/workflows/update-component-versions.yaml b/.github/workflows/update-component-versions.yaml
index 3232cc950..0eedb35a0 100644
--- a/.github/workflows/update-component-versions.yaml
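Review bot: In publish-docs.yaml the `build_and_deploy_docs` job becomes the only job in this patch that holds `contents: write`, yet the two steps visible in the hunk still reference `actions/checkout@v3` and `actions/setup-python@v4` by mutable tag; a job whose token can push to the repository should pin its actions to a full commit SHA (keeping the tag in a trailing comment) so that a retargeted tag cannot execute different code with write access. The remaining steps of the job are outside the hunk, so the same applies to whatever deploy action follows. A one-line comment on the job-level grant would also record why the wider scope exists, e.g. `permissions:  # job-level write presumably for the docs deploy step; keep scoped here, not workflow-wide`.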
+++ b/.github/workflows/update-component-versions.yaml
@@ -7,6 +7,9 @@ on: description: 'version to update to ("x.y.z" -- do not include a `v` prefix)' required: true +permissions: + contents: read + jobs: update_component_versions: runs-on: ubuntu-latest