Minimal GitHub Action token permissions. (#1104)

Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Fabian Kammel 2023-01-30 16:11:27 +01:00 committed by GitHub
parent 32848db0b1
commit 48c8a66114
9 changed files with 55 additions and 15 deletions


@ -1,3 +1,8 @@
# Required permissions:
#
# permissions:
# packages: write # for docker/build-push-action
#
name: Build micro service
description: Build and upload a container image for a Constellation micro-service
inputs:


@ -8,6 +8,8 @@ jobs:
build-snp-reporter:
name: "Build SNP-reporter container"
runs-on: ubuntu-22.04
permissions:
packages: write
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
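Review bot: The job-level `permissions` block at L30-L31 lists only `packages: write`, and a job-level block sets every unlisted scope of that job's GITHUB_TOKEN — including `contents` — to none, yet the job checks the repository out right after it at L33-L34. That presumably works today only because the repository is public and can be read anonymously; it would break silently if visibility ever changed, and it is inconsistent with the other jobs in this commit, which pair `packages: write` with `contents: read` (L107-L108, L117-L118). Add `contents: read` under `packages: write` so the checkout's requirement is stated explicitly. The remaining steps of this job are outside the hunk.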


@ -34,6 +34,10 @@ jobs:
build-image:
needs: stream
uses: ./.github/workflows/build-os-image.yml
permissions:
id-token: write
contents: read
packages: read
secrets: inherit
with:
stream: ${{ needs.stream.outputs.stream }}
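Review bot: `secrets: inherit` at L46 still forwards every repository and organization secret into build-os-image.yml, so the narrowed `permissions` at L42-L45 bounds only the GITHUB_TOKEN, not what the called workflow can reach. If build-os-image.yml declares named `secrets:` inputs (not visible here), pass those explicitly, e.g. `secrets:` followed by one `NAME: ${{ secrets.NAME }}` entry per declared secret, so the least-privilege intent of this commit also covers credentials. The `build-image` job's remaining keys are outside the hunk.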


@ -774,6 +774,9 @@ jobs:
needs: [upload-image-lookup-table, build-settings]
name: "Add version to versionsapi"
if: needs.build-settings.outputs.ref != '-'
permissions:
contents: read
id-token: write
uses: ./.github/workflows/versionsapi.yml
with:
command: add


@ -14,14 +14,13 @@ on:
description: "Git ref to checkout"
required: true
permissions:
id-token: write
contents: read
jobs:
e2e-mini:
runs-on: ubuntu-22.04
environment: e2e
permissions:
id-token: write
contents: read
steps:
- name: Checkout
id: checkout
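Review bot: With the workflow-level block at L68-L70 apparently removed and only the `e2e-mini` job carrying `permissions` (L75-L77), any job added to this workflow later inherits the repository's default token when the workflow is run directly rather than via `workflow_call`, and that default is read-write unless the repository setting has been tightened, which this page does not show. Keep a restrictive floor at workflow level so new jobs start from nothing: `permissions: {}` just above `jobs:`; the job-level block still overrides it for `e2e-mini`. The job's steps continue outside the hunk.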


@ -60,6 +60,8 @@ jobs:
runs-on: ubuntu-22.04
if: inputs.kind == 'minor'
needs: verify-inputs
permissions:
contents: write
env:
VERSION: ${{ inputs.version }}
MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
@ -94,6 +96,8 @@ jobs:
name: Prepare release branch
runs-on: ubuntu-22.04
needs: verify-inputs
permissions:
contents: write
env:
BRANCH: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
steps:
@ -114,6 +118,9 @@ jobs:
name: Build micro services
needs: [verify-inputs, prepare-release-branch]
uses: ./.github/workflows/build-micro-service-manual.yml
permissions:
contents: read
packages: write
secrets: inherit
strategy:
matrix:
@ -131,6 +138,9 @@ jobs:
needs: [verify-inputs, prepare-release-branch]
secrets: inherit
uses: ./.github/workflows/build-operator-manual.yml
permissions:
contents: read
packages: write
with:
imageTag: ${{ inputs.version }}
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
@ -140,6 +150,8 @@ jobs:
name: Update container image versions
needs: [verify-inputs, micro-services, constellation-node-operator]
runs-on: ubuntu-22.04
permissions:
contents: write
env:
VERSION: ${{ inputs.version }}
WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
@ -199,6 +211,10 @@ jobs:
name: Build OS image
needs: [verify-inputs, update-versions]
uses: ./.github/workflows/build-os-image.yml
permissions:
id-token: write
contents: read
packages: read
secrets: inherit
with:
imageVersion: ${{ inputs.version }}
@ -210,6 +226,9 @@ jobs:
name: Generate OS image measurements
needs: [verify-inputs, os-image]
uses: ./.github/workflows/generate-measurements.yml
permissions:
id-token: write
contents: read
secrets: inherit
with:
osImage: ${{ inputs.version }}
@ -221,6 +240,8 @@ jobs:
update-hardcoded-measurements:
name: Update hardcoded measurements (in the CLI)
needs: [verify-inputs, generate-measurements]
permissions:
contents: write
runs-on: ubuntu-22.04
env:
VERSION: ${{ inputs.version }}
@ -263,6 +284,9 @@ jobs:
runner: [ubuntu-22.04, macos-12]
csp: [aws, azure, gcp]
uses: ./.github/workflows/e2e-test-manual.yml
permissions:
id-token: write
contents: read
with:
workerNodesCount: 2
controlNodesCount: 3
@ -279,6 +303,9 @@ jobs:
name: Run E2E tests for mini Constellation
needs: [verify-inputs, update-hardcoded-measurements]
uses: ./.github/workflows/e2e-mini.yml
permissions:
id-token: write
contents: read
secrets: inherit
with:
ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
@ -287,6 +314,8 @@ jobs:
name: Tag release
needs: [verify-inputs, e2e-tests, e2e-mini]
runs-on: ubuntu-22.04
permissions:
contents: write
env:
VERSION: ${{ inputs.version }}
steps:
@ -306,6 +335,10 @@ jobs:
name: Draft release (CLI)
needs: [verify-inputs, tag-release]
uses: ./.github/workflows/release-cli.yml
permissions:
actions: read
contents: write
id-token: write
secrets: inherit
with:
ref: "refs/tags/${{ inputs.version }}"
@ -314,6 +347,8 @@ jobs:
name: PR to Merge changes from release branch into main
if: inputs.kind == 'minor'
runs-on: ubuntu-22.04
permissions:
contents: write
needs: [verify-inputs, tag-release]
env:
VERSION: ${{ inputs.version }}
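Review bot: The merge-back job at L202-L206 is granted only `contents: write`, which sets `pull-requests` for its token to none; if it opens the PR its name describes using `GITHUB_TOKEN` (its steps are outside the hunk), the create call will be rejected, so it presumably needs `permissions:` with both `contents: write` and `pull-requests: write`. If a PAT or app token is used instead, a one-line comment such as `# PR is opened with a PAT, GITHUB_TOKEN only pushes the branch` would stop the next reader from adding the scope. Separately, a PR opened with `GITHUB_TOKEN` does not trigger `pull_request` workflows, which matters if the merge-back relies on CI before merging; that is worth noting next to the job. The job body continues outside the hunk.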


@ -6,8 +6,6 @@ on:
branches:
- main
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
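Review bot: The hunk counts (8 old lines, 6 new) suggest the workflow-level `permissions: read-all` at L216 is one of the removed lines, which leaves this workflow with no top-level `permissions` at all; Scorecard's own Token-Permissions check expects a restricted top-level key, so the project's score can regress from its own workflow. Unless the job below already declares its scopes (it is outside the hunk), replace the removed line with `permissions: read-all` or, tighter, `permissions: {}` at workflow level, and put the `security-events: write` and `id-token: write` the Scorecard action needs on the `analysis` job only. The `analysis` job body is outside the hunk.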


@ -18,11 +18,6 @@ on:
- "**/go.sum"
- "./github/workflows/test-lint.yml"
permissions:
contents: read
# Allow read access to pull request. Use with `only-new-issues` option.
pull-requests: read
jobs:
golangci:
name: lint
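Review bot: The removed workflow-level block at L226-L229 carried the only explanation of why `pull-requests: read` is needed (`# Allow read access to pull request. Use with \`only-new-issues\` option.`); if the replacement job-level block, which is outside this hunk, does not carry that comment, the reason for the scope is lost and a future cleanup will drop it and break `only-new-issues`. Carry the comment over verbatim onto the job-level entry. Also, the path filter at L225 reads `./github/workflows/test-lint.yml` rather than `.github/workflows/test-lint.yml`, so it appears never to match and the workflow does not re-run when its own definition changes; that line is pre-existing context but worth fixing in the same pass.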


@ -14,14 +14,13 @@ on:
- "**.tf"
- "./github/workflows/test-tfsec.yml"
permissions:
contents: read
pull-requests: write
jobs:
tfsec:
name: tfsec
runs-on: ubuntu-22.04
permissions:
contents: read
pull-requests: write
steps:
- name: Checkout
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
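Review bot: The path filter at L238 reads `./github/workflows/test-tfsec.yml` rather than `.github/workflows/test-tfsec.yml`, so it appears never to match and the workflow does not re-run when its own definition changes; this is pre-existing context, but since the permission move in this hunk is exactly such a change, fix it here as `- ".github/workflows/test-tfsec.yml"`. Also, since `pull-requests: write` now lives only on the job (L246-L248), a short why-comment naming the step that needs it, e.g. `# pull-requests: write lets the tfsec commenter post findings on the PR`, would keep the scope from being trimmed later; the step itself is outside the hunk, so confirm the reason before writing it.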