Minimal GitHub Action token permissions. (#1104)
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
This commit is contained in:
parent
32848db0b1
commit
48c8a66114
9 changed files with 55 additions and 15 deletions
|
@ -1,3 +1,8 @@
|
||||||
|
# Required permissions:
|
||||||
|
#
|
||||||
|
# permissions:
|
||||||
|
# packages: write # for docker/build-push-action
|
||||||
|
#
|
||||||
name: Build micro service
|
name: Build micro service
|
||||||
description: Build and upload a container image for a Constellation micro-service
|
description: Build and upload a container image for a Constellation micro-service
|
||||||
inputs:
|
inputs:
|
||||||
|
|
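--- a/.github/workflows/azure-snp-reporter.yml
+++ b/.github/workflows/azure-snp-reporter.yml
@@ -8,6 +8,8 @@ jobs:
 build-snp-reporter:
 name: "Build SNP-reporter container"
 runs-on: ubuntu-22.04
+permissions:
+packages: write
 steps:
 - name: Checkout
 uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0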
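Review bot: A job-level `permissions` block sets every scope it does not list to `none`, and the new block on `build-snp-reporter` lists only `packages: write` although the job's first step is `actions/checkout`; the other jobs this commit touches that need `packages: write` (the `micro-services` and `constellation-node-operator` jobs in release.yml) pair it with `contents: read`. Suggest the same pairing here, `permissions:` / `contents: read` / `packages: write`, so the read is explicit rather than relying on the repository being public. The remaining steps of the job, which may also use the token, are outside the hunk.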
@ -34,6 +34,10 @@ jobs:
|
||||||
build-image:
|
build-image:
|
||||||
needs: stream
|
needs: stream
|
||||||
uses: ./.github/workflows/build-os-image.yml
|
uses: ./.github/workflows/build-os-image.yml
|
||||||
|
permissions:
|
||||||
|
id-token: write
|
||||||
|
contents: read
|
||||||
|
packages: read
|
||||||
secrets: inherit
|
secrets: inherit
|
||||||
with:
|
with:
|
||||||
stream: ${{ needs.stream.outputs.stream }}
|
stream: ${{ needs.stream.outputs.stream }}
|
||||||
|
|
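--- a/.github/workflows/build-os-image.yml
+++ b/.github/workflows/build-os-image.yml
@@ -774,6 +774,9 @@ jobs:
 needs: [upload-image-lookup-table, build-settings]
 name: "Add version to versionsapi"
 if: needs.build-settings.outputs.ref != '-'
+permissions:
+contents: read
+id-token: write
 uses: ./.github/workflows/versionsapi.yml
 with:
 command: add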
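Review bot: On a job that `uses:` a reusable workflow, the new `permissions` block is a cap on what `versionsapi.yml` may hold, not a grant to steps, so the called workflow's own job-level blocks (not in this diff) must request a subset of `contents: read` and `id-token: write` or the run fails at execution time rather than at parse time. Worth checking that file in the same commit. A trailing comment naming what consumes `id-token: write`, along the lines of `id-token: write # OIDC token for <consumer in versionsapi.yml>`, would let a later reader audit the grant without opening the called workflow.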
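--- a/.github/workflows/e2e-mini.yml
+++ b/.github/workflows/e2e-mini.yml
@@ -14,14 +14,13 @@ on:
 description: "Git ref to checkout"
 required: true
 
-permissions:
-id-token: write
-contents: read
-
 jobs:
 e2e-mini:
 runs-on: ubuntu-22.04
 environment: e2e
+permissions:
+id-token: write
+contents: read
 steps:
 - name: Checkout
 id: checkout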
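Review bot: Dropping the workflow-level `permissions` block leaves no default for a job that does not declare its own, so a job added later to this file falls back to the repository's default token permissions instead of the least-privilege set this commit establishes; the same applies to scorecard.yml, test-lint.yml and test-tfsec.yml, which make the identical move. Keeping an empty workflow-level floor, `permissions: {}`, and overriding per job preserves the intent at no cost, since job-level blocks replace rather than extend it. When the workflow is entered via `workflow_call` the caller's grant is the cap either way, so this only matters for direct triggers.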
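--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -60,6 +60,8 @@ jobs:
 runs-on: ubuntu-22.04
 if: inputs.kind == 'minor'
 needs: verify-inputs
+permissions:
+contents: write
 env:
 VERSION: ${{ inputs.version }}
 MAJOR_MINOR: ${{ needs.verify-inputs.outputs.MAJOR_MINOR }}
@@ -94,6 +96,8 @@ jobs:
 name: Prepare release branch
 runs-on: ubuntu-22.04
 needs: verify-inputs
+permissions:
+contents: write
 env:
 BRANCH: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
 steps:
@@ -114,6 +118,9 @@ jobs:
 name: Build micro services
 needs: [verify-inputs, prepare-release-branch]
 uses: ./.github/workflows/build-micro-service-manual.yml
+permissions:
+contents: read
+packages: write
 secrets: inherit
 strategy:
 matrix:
@@ -131,6 +138,9 @@ jobs:
 needs: [verify-inputs, prepare-release-branch]
 secrets: inherit
 uses: ./.github/workflows/build-operator-manual.yml
+permissions:
+contents: read
+packages: write
 with:
 imageTag: ${{ inputs.version }}
 ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
@@ -140,6 +150,8 @@ jobs:
 name: Update container image versions
 needs: [verify-inputs, micro-services, constellation-node-operator]
 runs-on: ubuntu-22.04
+permissions:
+contents: write
 env:
 VERSION: ${{ inputs.version }}
 WITHOUT_V: ${{ needs.verify-inputs.outputs.WITHOUT_V }}
@@ -199,6 +211,10 @@ jobs:
 name: Build OS image
 needs: [verify-inputs, update-versions]
 uses: ./.github/workflows/build-os-image.yml
+permissions:
+id-token: write
+contents: read
+packages: read
 secrets: inherit
 with:
 imageVersion: ${{ inputs.version }}
@@ -210,6 +226,9 @@ jobs:
 name: Generate OS image measurements
 needs: [verify-inputs, os-image]
 uses: ./.github/workflows/generate-measurements.yml
+permissions:
+id-token: write
+contents: read
 secrets: inherit
 with:
 osImage: ${{ inputs.version }}
@@ -221,6 +240,8 @@ jobs:
 update-hardcoded-measurements:
 name: Update hardcoded measurements (in the CLI)
 needs: [verify-inputs, generate-measurements]
+permissions:
+contents: write
 runs-on: ubuntu-22.04
 env:
 VERSION: ${{ inputs.version }}
@@ -263,6 +284,9 @@ jobs:
 runner: [ubuntu-22.04, macos-12]
 csp: [aws, azure, gcp]
 uses: ./.github/workflows/e2e-test-manual.yml
+permissions:
+id-token: write
+contents: read
 with:
 workerNodesCount: 2
 controlNodesCount: 3
@@ -279,6 +303,9 @@ jobs:
 name: Run E2E tests for mini Constellation
 needs: [verify-inputs, update-hardcoded-measurements]
 uses: ./.github/workflows/e2e-mini.yml
+permissions:
+id-token: write
+contents: read
 secrets: inherit
 with:
 ref: ${{ needs.verify-inputs.outputs.RELEASE_BRANCH }}
@@ -287,6 +314,8 @@ jobs:
 name: Tag release
 needs: [verify-inputs, e2e-tests, e2e-mini]
 runs-on: ubuntu-22.04
+permissions:
+contents: write
 env:
 VERSION: ${{ inputs.version }}
 steps:
@@ -306,6 +335,10 @@ jobs:
 name: Draft release (CLI)
 needs: [verify-inputs, tag-release]
 uses: ./.github/workflows/release-cli.yml
+permissions:
+actions: read
+contents: write
+id-token: write
 secrets: inherit
 with:
 ref: "refs/tags/${{ inputs.version }}"
@@ -314,6 +347,8 @@ jobs:
 name: PR to Merge changes from release branch into main
 if: inputs.kind == 'minor'
 runs-on: ubuntu-22.04
+permissions:
+contents: write
 needs: [verify-inputs, tag-release]
 env:
 VERSION: ${{ inputs.version }}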
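Review bot: None of the thirteen new `permissions` blocks says what consumes the scope it grants, which matters most for the six `contents: write` grants (hunks `-60`, `-94`, `-140`, `-221`, `-287`, `-314`) and for the `actions: read` / `contents: write` / `id-token: write` trio on `Draft release (CLI)`, since those are the grants a later reviewer will want to re-justify. A trailing comment per write scope keeps that audit cheap, e.g. `contents: write # <what this job pushes or tags>` filled in per job; I cannot name the consumer from here because every job's `steps` are outside the hunks. For the `uses:` jobs the block caps the reusable workflow rather than granting to steps, so the comment there should name the called workflow's need, and the two jobs that combine `secrets: inherit` with `packages: write` are where that cap does the most work.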
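--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -6,8 +6,6 @@ on:
 branches:
 - main
 
-permissions: read-all
-
 jobs:
 analysis:
 name: Scorecard analysis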
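--- a/.github/workflows/test-lint.yml
+++ b/.github/workflows/test-lint.yml
@@ -18,11 +18,6 @@ on:
 - "**/go.sum"
 - "./github/workflows/test-lint.yml"
 
-permissions:
-contents: read
-# Allow read access to pull request. Use with `only-new-issues` option.
-pull-requests: read
-
 jobs:
 golangci:
 name: lint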
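Review bot: The removed block carried the only explanation of why `pull-requests: read` is granted, `# Allow read access to pull request. Use with ``only-new-issues`` option.`, and the hunk does not show that comment moving anywhere; the `golangci` job's replacement block is outside the hunk. If the scope was carried over to the job level, the comment should travel with it, otherwise the next person to tighten permissions has no record that the linter's `only-new-issues` mode depends on it. If the scope was dropped, that change deserves a line in the commit message.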
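--- a/.github/workflows/test-tfsec.yml
+++ b/.github/workflows/test-tfsec.yml
@@ -14,14 +14,13 @@ on:
 - "**.tf"
 - "./github/workflows/test-tfsec.yml"
 
-permissions:
-contents: read
-pull-requests: write
-
 jobs:
 tfsec:
 name: tfsec
 runs-on: ubuntu-22.04
+permissions:
+contents: read
+pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0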
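Review bot: The job-level block on `tfsec` reproduces the removed workflow-level block scope for scope, so the effective token here is unchanged and `pull-requests: write` remains the one write grant in the file without a stated reason. A comment such as `pull-requests: write # <step that comments on the PR>` would record it; the steps that might need it are outside the hunk, so I can only infer the purpose. Note also that on `pull_request` runs from forks the token is read-only regardless of this block, so whichever step relies on the write should tolerate a denied request rather than fail the job.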