diff --git a/.github/workflows/dependent-issues.yml b/.github/workflows/dependent-issues.yml
index d38ef9be..9ce7f4a5 100644
--- a/.github/workflows/dependent-issues.yml
+++ b/.github/workflows/dependent-issues.yml
@@ -12,7 +12,6 @@ on:
       - edited
       - reopened
       - synchronize
-
   # Schedule a daily check. Used in referencing cross-repository
   # issues or pull requests
   schedule:
@@ -20,6 +19,10 @@ on:
 
 jobs:
   check:
+    permissions:
+      issues: write
+      pull-requests: write
+      statuses: write
     runs-on: ubuntu-latest
     steps:
       - uses: z0al/dependent-issues@v1
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 5abf1524..f5fa84fe 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -15,6 +15,9 @@ on:
 
 jobs:
   update_release_draft:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "main"
diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml
index c5c8a5df..1b92563c 100644
--- a/.github/workflows/semantic-pr.yml
+++ b/.github/workflows/semantic-pr.yml
@@ -10,6 +10,10 @@ on:
 
 jobs:
   main:
+    permissions:
+      pull-requests: read
+      statuses: write
+
     runs-on: ubuntu-latest
     steps:
       - uses: amannn/action-semantic-pull-request@v3.4.0
diff --git a/.github/workflows/test-ci-command.yml b/.github/workflows/test-ci-command.yml
index e9c2b83f..888f8401 100644
--- a/.github/workflows/test-ci-command.yml
+++ b/.github/workflows/test-ci-command.yml
@@ -16,7 +16,7 @@ jobs:
       pull-requests: write
     if: github.repository_owner == 'cryostatio' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/build_test')
     steps:
-      - name: Fail if needs-triage label applied 
+      - name: Fail if needs-triage label applied
         if: ${{ contains(github.event.issue.labels.*.name, 'needs-triage') }}
         run: exit 1
       - name: Show warning if permission is denied
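Review bot: The job-level `permissions` block added to semantic-pr.yml grants `statuses: write` next to `pull-requests: read`, which is broader than the read-only scope amannn/action-semantic-pull-request documents for itself; unless the pinned v3.4.0 actually posts commit statuses, drop that line so the job stays at least privilege. Listing any scope at job level resets every unlisted one (including `contents`) to `none` for that job, so each of the three new blocks (dependent-issues, release-drafter, semantic-pr) has to match its action's documented needs — none of the jobs in view checks out the repository, so that looks consistent, but it is worth confirming per action. The added blank `+` line between `statuses: write` and `runs-on:` makes semantic-pr the only one of the three blocks with a gap inside the job mapping; remove it for consistency. If these workflows have no top-level `permissions:` (not visible here), a workflow-level `permissions: {}` or `contents: read` would make the default for any future job explicit rather than relying on the repository setting.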
@@ -43,14 +43,14 @@ jobs:
             repo,
             comment_id: context.payload.comment.id,
             content: "+1",
-          }); 
+          });
 
-  checkout-branch: 
+  checkout-branch:
     runs-on: ubuntu-latest
     needs: [check-before-test]
     permissions:
       pull-requests: read
-    outputs: 
+    outputs:
       PR_head_ref: ${{ fromJSON(steps.comment-branch.outputs.result).ref }}
       PR_num: ${{ fromJSON(steps.comment-branch.outputs.result).num }}
       PR_repo: ${{ fromJSON(steps.comment-branch.outputs.result).repo }}
@@ -86,6 +86,8 @@ jobs:
   run-test-jobs:
     uses: ./.github/workflows/test-ci-reusable.yml
     needs: [get-test-image-tag, checkout-branch]
+    permissions:
+      packages: write
     with:
       repository: ${{ needs.checkout-branch.outputs.PR_repo }}
       ref: ${{ needs.checkout-branch.outputs.PR_head_ref }}
diff --git a/.github/workflows/test-ci-reusable.yml b/.github/workflows/test-ci-reusable.yml
index 6db63442..38a361c3 100644
--- a/.github/workflows/test-ci-reusable.yml
+++ b/.github/workflows/test-ci-reusable.yml
@@ -2,16 +2,16 @@ on:
   workflow_call:
     inputs:
       tag:
-        required: true 
+        required: true
         type: string
       repository:
         required: false
         type: string
       ref:
-        required: false 
+        required: false
         type: string
 
-env: 
+env:
   OPENSUSE_UNOFFICIAL_LIBCONTAINERS_KEY_URL: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04/Release.key"
   OPENSUSE_UNOFFICIAL_LIBCONTAINERS_SOURCE_URL: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_22.04"
 
@@ -27,7 +27,7 @@ jobs:
         with:
           owner: ${{ github.repository_owner }}
           name: ${{ matrix.image }}
-          token: ${{ secrets.GHCR_PR_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           ignore-missing-package: true
           tag-regex: ${{ inputs.tag }}
           tagged-keep-latest: 0
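Review bot: Replacing `GHCR_PR_TOKEN` with `GITHUB_TOKEN` in the package-retention step (`token:` in the `@@ -27,7` hunk of test-ci-reusable.yml) and in the four `password:` and one `SCORECARD_REGISTRY_PASSWORD` swaps of the `@@ -80`, `-94`, `-109` and `-124` hunks on the next line only works for packages that grant this repository write access; packages previously created under the PAT are likely not linked to the repository, so the first run after this merge may fail with a permission error at the login or delete step until each package's access settings are updated. The new `permissions: packages: write` on `run-test-jobs` also sets `contents` to `none` for the called workflow, so if test-ci-reusable.yml checks out `inputs.ref` with the default token it needs `contents: read` added to that block. The trade itself is sound: the PAT was a long-lived credential exposed to a job that builds code from `PR_repo`/`PR_head_ref`, while `GITHUB_TOKEN` is repository-scoped and expires with the run — once this lands, revoke the PAT and delete the now-unreferenced `GHCR_PR_TOKEN` secret instead of leaving it configured. The `@@ -43,14` and `@@ -2,16` hunks on this line are whitespace-only.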
@@ -80,7 +80,7 @@ jobs:
           tags: ${{ inputs.tag }}
           registry: ghcr.io/${{ github.repository_owner }}
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GHCR_PR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build operator image for test
         run: |
           OPERATOR_IMG=ghcr.io/${{ github.repository_owner }}/cryostat-operator:${{ inputs.tag }} \
@@ -94,7 +94,7 @@ jobs:
           tags: ${{ inputs.tag }}
           registry: ghcr.io/${{ github.repository_owner }}
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GHCR_PR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build bundle image for test
         run: |
           yq -i '.spec.template.spec.imagePullSecrets = [{"name": "registry-key"}]' config/manager/manager.yaml
@@ -109,7 +109,7 @@ jobs:
           tags: ${{ inputs.tag }}
           registry: ghcr.io/${{ github.repository_owner }}
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GHCR_PR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up Kind cluster
         run: |
           kind create cluster --config=".github/kind-config.yaml" -n ci-${{ github.run_id }}
@@ -124,14 +124,14 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
-          password: ${{ secrets.GHCR_PR_TOKEN }}
+          password: ${{ secrets.GITHUB_TOKEN }}
           auth_file_path: $HOME/.docker/config.json
       - name: Run scorecard tests
         run: |
           SCORECARD_REGISTRY_SERVER="ghcr.io" \
           SCORECARD_REGISTRY_USERNAME="${{ github.repository_owner }}" \
-          SCORECARD_REGISTRY_PASSWORD="${{ secrets.GHCR_PR_TOKEN }}" \
+          SCORECARD_REGISTRY_PASSWORD="${{ secrets.GITHUB_TOKEN }}" \
           BUNDLE_IMG="${{ steps.push-bundle-to-ghcr.outputs.registry-path }}" \
           make test-scorecard
-      - name: Clean up Kind cluster 
+      - name: Clean up Kind cluster
         run: kind delete cluster -n ci-${{ github.run_id }}