From 40030d0589f70eb6f52c4df78a936748eaf5bf0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 14:34:55 +0200 Subject: [PATCH 01/24] feat(.github/workflows): restrict appsec jobs to content read-only permission --- .github/workflows/appsec.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/appsec.yml b/.github/workflows/appsec.yml index f913f17fdf..3154d5d852 100644 --- a/.github/workflows/appsec.yml +++ b/.github/workflows/appsec.yml @@ -40,6 +40,9 @@ concurrency: # Automatically cancel previous runs if a new one is triggered to conserve resources. group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }} +permissions: + contents: read + jobs: # Prepare the cache of Go modules to share it will the other jobs. # This maximizes cache hits and minimizes the time spent downloading Go modules. From 74de752a0ed881db0cb785b754880d0731e7f759 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 14:49:10 +0200 Subject: [PATCH 02/24] feat(.github/workflows): restrict DataDog Static Analysis jobs to right permissions --- .github/workflows/datadog-static-analysis.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/datadog-static-analysis.yml b/.github/workflows/datadog-static-analysis.yml index 8094914c28..9a00adaad1 100644 --- a/.github/workflows/datadog-static-analysis.yml +++ b/.github/workflows/datadog-static-analysis.yml @@ -2,6 +2,10 @@ on: [push] name: Datadog Static Analysis +permissions: + contents: read + pull-requests: write + jobs: static-analysis: runs-on: ubuntu-latest From 626644241def2fb318daa3e335505f6ef95a2037 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 14:51:04 +0200 Subject: [PATCH 03/24] chore: trigger DataDog Static Analysis --- .github/workflows/system-tests.yml | 2 ++ 1 file changed, 2 insertions(+) 
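Review bot: The new workflow-level `permissions:` block gives no reason for narrowing the default token scope, and the only tracking reference in the series (VULN-8316) appears in a temporary branch name rather than in a commit message or a comment. A short comment above it, such as `# Least privilege: these jobs only read the repository; grant more per job if a step ever needs it.`, would let the intent survive future edits. The equivalent hunks in patches 09, 10, 11, 12, 14 and 15 would benefit from the same line.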
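Review bot: `pull-requests: write` is declared at workflow level, so it applies to every job in the file, and nothing records which step actually needs it; the same block is removed in patch 06 and re-added verbatim in patch 24, so this note covers both. Since the trigger is `on: [push]`, the run has no pull-request context of its own, and presumably the analysis action looks the PR up from the branch — worth confirming, because if no step posts to PRs the grant can be dropped. Either way, scoping it under `static-analysis:` as a job-level `permissions:` block and adding `# pull-requests: write: lets the analyzer annotate the PR for this branch` keeps the grant tied to its consumer.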
diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml index 78386d4edb..336c957619 100644 --- a/.github/workflows/system-tests.yml +++ b/.github/workflows/system-tests.yml @@ -27,6 +27,8 @@ on: schedule: - cron: '00 04 * * 2-6' +# Let's trigger DataDog Static Analysis with a fake modification + jobs: system-tests: if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go') From 8e52c1133d65fd7478a4f1e6c1501402bfa73460 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 15:02:43 +0200 Subject: [PATCH 04/24] chore: trigger DataDog Static Analysis with fake bearer token --- .github/workflows/system-tests.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml index 336c957619..500a4d0376 100644 --- a/.github/workflows/system-tests.yml +++ b/.github/workflows/system-tests.yml @@ -27,8 +27,6 @@ on: schedule: - cron: '00 04 * * 2-6' -# Let's trigger DataDog Static Analysis with a fake modification - jobs: system-tests: if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go') @@ -105,6 +103,8 @@ jobs: DD_API_KEY: ${{ secrets.DD_API_KEY }} SYSTEM_TESTS_E2E_DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }} SYSTEM_TESTS_E2E_DD_APP_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }} + # Let's trigger DataDog Static Analysis with a fake bearer token + fake_api_key: "BEARER lwqjedqwdoqwidmoqwndun32i" name: Test (${{ matrix.weblog-variant }}, ${{ matrix.scenario }}) steps: - name: Checkout system tests From c2b550fd546f9baf57ab4ddacc9057e207187426 Mon Sep 17 00:00:00 2001 
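Review bot: Patches 03 to 05 are trial edits that are reverted within the series, and the `fake_api_key: "BEARER lwqjedqwdoqwidmoqwndun32i"` line in patch 04 puts a bearer-shaped string under the workflow's `env:` next to the real `secrets.*` entries; the value is the existing waf_test.go fixture, but once merged it sits in the history of a workflow file where secret scanners and auditors will keep flagging it. The same applies to the throwaway comment in this hunk, the `const _` in patch 05, the chi.go comments in patches 08/17, the temporary branch filters in patches 10/12, and in particular patch 18, which briefly sets `contents: write` on a workflow triggered by `pull_request`. Squash these pairs away (or rebase each file to its final state) before merging so the branch never carries an intermediate write grant or a fake credential.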
From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 15:07:45 +0200 Subject: [PATCH 05/24] chore: trigger DataDog Static Analysis with fake bearer token in Go code --- .github/workflows/system-tests.yml | 2 -- internal/appsec/waf_test.go | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml index 500a4d0376..78386d4edb 100644 --- a/.github/workflows/system-tests.yml +++ b/.github/workflows/system-tests.yml @@ -103,8 +103,6 @@ jobs: DD_API_KEY: ${{ secrets.DD_API_KEY }} SYSTEM_TESTS_E2E_DD_API_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_API_KEY }} SYSTEM_TESTS_E2E_DD_APP_KEY: ${{ secrets.SYSTEM_TESTS_E2E_DD_APP_KEY }} - # Let's trigger DataDog Static Analysis with a fake bearer token - fake_api_key: "BEARER lwqjedqwdoqwidmoqwndun32i" name: Test (${{ matrix.weblog-variant }}, ${{ matrix.scenario }}) steps: - name: Checkout system tests diff --git a/internal/appsec/waf_test.go b/internal/appsec/waf_test.go index 93911e7736..a1d7aee14b 100644 --- a/internal/appsec/waf_test.go +++ b/internal/appsec/waf_test.go @@ -252,6 +252,7 @@ func TestWAF(t *testing.T) { // Form value detected by a XSS attack that should be obfuscated by the // obfuscator value regex. + const _ = `BEARER lwqjedqwdoqwidmoqwndun32i` const sensitivePayloadValue = `BEARER lwqjedqwdoqwidmoqwndun32i` form.Add("payload", ` { From e602ec726297a28415b0f43d09c061b5dc257e8c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 15:13:56 +0200 Subject: [PATCH 06/24] feat: reduce DataDog Static Analysis to content read-only permission --- .github/workflows/datadog-static-analysis.yml | 1 - internal/appsec/waf_test.go | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/datadog-static-analysis.yml b/.github/workflows/datadog-static-analysis.yml index 9a00adaad1..6a421086ea 100644 --- a/.github/workflows/datadog-static-analysis.yml 
+++ b/.github/workflows/datadog-static-analysis.yml @@ -4,7 +4,6 @@ name: Datadog Static Analysis permissions: contents: read - pull-requests: write jobs: static-analysis: diff --git a/internal/appsec/waf_test.go b/internal/appsec/waf_test.go index a1d7aee14b..93911e7736 100644 --- a/internal/appsec/waf_test.go +++ b/internal/appsec/waf_test.go @@ -252,7 +252,6 @@ func TestWAF(t *testing.T) { // Form value detected by a XSS attack that should be obfuscated by the // obfuscator value regex. - const _ = `BEARER lwqjedqwdoqwidmoqwndun32i` const sensitivePayloadValue = `BEARER lwqjedqwdoqwidmoqwndun32i` form.Add("payload", ` { From 4d21ee5bab334b6f39381c99e39d0921cef43002 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 15:29:05 +0200 Subject: [PATCH 07/24] feat: reduce ecosystems labels' jobs to right permissions --- ...systems-label-issue copy.yml => ecosystems-label-issue.yml} | 3 +++ .github/workflows/ecosystems-label-pr.yml | 3 +++ 2 files changed, 6 insertions(+) rename .github/workflows/{ecosystems-label-issue copy.yml => ecosystems-label-issue.yml} (90%) diff --git a/.github/workflows/ecosystems-label-issue copy.yml b/.github/workflows/ecosystems-label-issue.yml similarity index 90% rename from .github/workflows/ecosystems-label-issue copy.yml rename to .github/workflows/ecosystems-label-issue.yml index f63226c003..29853e45bc 100644 --- a/.github/workflows/ecosystems-label-issue copy.yml +++ b/.github/workflows/ecosystems-label-issue.yml @@ -5,6 +5,9 @@ on: - reopened - opened - edited +permissions: + contents: read + issues: write jobs: label_issues: if: contains(github.event.issue.title, 'contrib') diff --git a/.github/workflows/ecosystems-label-pr.yml b/.github/workflows/ecosystems-label-pr.yml index 36f35b5422..48ca61a5d7 100644 --- a/.github/workflows/ecosystems-label-pr.yml +++ b/.github/workflows/ecosystems-label-pr.yml 
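Review bot: `contents: read` in the new block is only needed if the `label_issues` job checks out the repository; an API-only labelling step does not need it, and once a `permissions:` block is present any scope left out defaults to none. The context lines of patch 19 reference actions-ecosystem-add-labels for the PR variant, so if this job uses the same action and has no checkout step below, `issues: write` on its own is the tighter grant; if there is a checkout, a comment such as `# contents: read is for the checkout step` records why it stays. The same question applies to the ecosystems-label-pr block in this patch and its final form in patch 22.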
@@ -7,6 +7,9 @@ on: - opened - reopened - edited +permissions: + contents: read + issues: write jobs: label_issues: runs-on: ubuntu-latest From 817c082772523cf44e6256ebfdffaac40a96539d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 15:31:41 +0200 Subject: [PATCH 08/24] chore: trigger ecosystems labelling --- contrib/go-chi/chi.v5/chi.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/contrib/go-chi/chi.v5/chi.go b/contrib/go-chi/chi.v5/chi.go index 8caddf092a..9e2b171067 100644 --- a/contrib/go-chi/chi.v5/chi.go +++ b/contrib/go-chi/chi.v5/chi.go @@ -23,6 +23,8 @@ import ( "github.com/go-chi/chi/v5/middleware" ) +// Let's trigger ecosystems labelling + const componentName = "go-chi/chi.v5" func init() { From cc1e82e1399734601c8e9d37d46a0721cc896053 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 15:51:02 +0200 Subject: [PATCH 09/24] feat: reduce govunlcheck jobs to right permissions --- .github/workflows/govulncheck.yml | 3 +++ contrib/go-chi/chi.v5/chi.go | 2 -- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/govulncheck.yml b/.github/workflows/govulncheck.yml index 152b5b50b8..eaf5ed78d9 100644 --- a/.github/workflows/govulncheck.yml +++ b/.github/workflows/govulncheck.yml @@ -14,6 +14,9 @@ on: - cron: '00 00 * * *' workflow_dispatch: +permissions: + contents: read + jobs: govulncheck-tests: runs-on: ubuntu-latest diff --git a/contrib/go-chi/chi.v5/chi.go b/contrib/go-chi/chi.v5/chi.go index 9e2b171067..8caddf092a 100644 --- a/contrib/go-chi/chi.v5/chi.go +++ b/contrib/go-chi/chi.v5/chi.go @@ -23,8 +23,6 @@ import ( "github.com/go-chi/chi/v5/middleware" ) -// Let's trigger ecosystems labelling - const componentName = "go-chi/chi.v5" func init() { From 32887a09907ba5240ae517ca31ffc9a5d74a4bb8 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 16:00:34 +0200 Subject: [PATCH 10/24] feat: reduce main branch, multi OS unit tests, and integration tests' jobs to right permissions --- .github/workflows/main-branch-tests.yml | 1 + .github/workflows/multios-unit-tests.yml | 3 +++ .github/workflows/unit-integration-tests.yml | 3 +++ 3 files changed, 7 insertions(+) diff --git a/.github/workflows/main-branch-tests.yml b/.github/workflows/main-branch-tests.yml index 96e4c7ea25..a582dc2947 100644 --- a/.github/workflows/main-branch-tests.yml +++ b/.github/workflows/main-branch-tests.yml @@ -11,6 +11,7 @@ on: branches: - main - release-v* + - dario.castane/VULN-8316/insecure-default-workflow-permissions tags: - "**" diff --git a/.github/workflows/multios-unit-tests.yml b/.github/workflows/multios-unit-tests.yml index 3ca8900602..1cdd9191b6 100644 --- a/.github/workflows/multios-unit-tests.yml +++ b/.github/workflows/multios-unit-tests.yml @@ -29,6 +29,9 @@ on: env: DD_APPSEC_WAF_TIMEOUT: 1m # Increase time WAF time budget to reduce CI flakiness +permissions: + contents: read + jobs: test-multi-os: runs-on: "${{ inputs.runs-on }}" diff --git a/.github/workflows/unit-integration-tests.yml b/.github/workflows/unit-integration-tests.yml index 040fbb62f3..ac32bd9ada 100644 --- a/.github/workflows/unit-integration-tests.yml +++ b/.github/workflows/unit-integration-tests.yml @@ -20,6 +20,9 @@ env: # without having to download a newer one. GOTOOLCHAIN: local +permissions: + contents: read + jobs: copyright: runs-on: ubuntu-latest From 3d2afe0bc2ea58bb10450fbc5f2812b654cdb102 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 16:06:24 +0200 Subject: [PATCH 11/24] feat: reduce parametric tests' jobs to right permissions --- .github/workflows/main-branch-tests.yml | 1 - .github/workflows/parametric-tests.yml | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) 
diff --git a/.github/workflows/main-branch-tests.yml b/.github/workflows/main-branch-tests.yml index a582dc2947..96e4c7ea25 100644 --- a/.github/workflows/main-branch-tests.yml +++ b/.github/workflows/main-branch-tests.yml @@ -11,7 +11,6 @@ on: branches: - main - release-v* - - dario.castane/VULN-8316/insecure-default-workflow-permissions tags: - "**" diff --git a/.github/workflows/parametric-tests.yml b/.github/workflows/parametric-tests.yml index 5a91d0e3ce..a25c01a2c3 100644 --- a/.github/workflows/parametric-tests.yml +++ b/.github/workflows/parametric-tests.yml @@ -21,6 +21,9 @@ on: schedule: - cron: '00 04 * * 2-6' +permissions: + contents: read + jobs: parametric-tests: if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go') From 5b7dd56d7090c7804a3b130804e50097d8daef59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 16:15:45 +0200 Subject: [PATCH 12/24] feat: reduce smoke tests' jobs to right permissions --- .github/workflows/smoke-tests.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml index 69d6bce9ca..daada0b622 100644 --- a/.github/workflows/smoke-tests.yml +++ b/.github/workflows/smoke-tests.yml @@ -15,6 +15,7 @@ on: branches: - main - release-v* + - dario.castane/VULN-8316/insecure-default-workflow-permissions tags: - '**' schedule: # nightly @@ -27,6 +28,9 @@ on: env: TEST_RESULTS: /tmp/test-results # path to where test results will be saved +permissions: + contents: read + jobs: go-get-u: # Run go get -u to upgrade dd-trace-go dependencies to their From 5398051f87c7ea7a56c2a8d9c162db1ce2fb5938 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 16:22:34 +0200 Subject: [PATCH 13/24] feat: reduce stale labelling's jobs to right permissions --- .github/workflows/stale.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index caec4742e2..24ffaae4da 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -4,6 +4,10 @@ on: schedule: - cron: '30 1 * * *' +permissions: + contents: read + issues: write + jobs: stale: runs-on: ubuntu-latest From 3f11d131ef8459bfba00df11d9151cec3ffd15ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 16:24:46 +0200 Subject: [PATCH 14/24] feat: reduce system tests' jobs to right permissions --- .github/workflows/system-tests.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/system-tests.yml b/.github/workflows/system-tests.yml index 78386d4edb..0ac4ff6a2f 100644 --- a/.github/workflows/system-tests.yml +++ b/.github/workflows/system-tests.yml @@ -27,6 +27,9 @@ on: schedule: - cron: '00 04 * * 2-6' +permissions: + contents: read + jobs: system-tests: if: github.event_name != 'pull_request' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'DataDog/dd-trace-go') From 8f843c8f89c394f7376f9ad428007f9af24c2018 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 16:27:18 +0200 Subject: [PATCH 15/24] feat: reduce test apps' jobs to right permissions --- .github/workflows/test-apps.cue | 4 ++++ .github/workflows/test-apps.yml | 2 ++ 2 files changed, 6 insertions(+) diff --git a/.github/workflows/test-apps.cue b/.github/workflows/test-apps.cue index 72e6953cef..1f45dea13b 100644 --- a/.github/workflows/test-apps.cue +++ b/.github/workflows/test-apps.cue 
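Review bot: `issues: write` covers only issues; if the `stale` job (presumably actions/stale) is configured to also mark or close pull requests, it needs `pull-requests: write` as well, and without it those API calls fail with 403 rather than being skipped. The action's inputs are outside the hunk, so confirm against them, then either add `pull-requests: write` under `issues: write` or record the choice with `# issues only; add pull-requests: write if PRs are swept too`.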
@@ -115,6 +115,10 @@ env: { DD_TAGS: "github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs['arg: tags'] }}", } +permissions: { + contents: "read", +} + jobs: { for i, scenario in #scenarios { for j, env in #envs { diff --git a/.github/workflows/test-apps.yml b/.github/workflows/test-apps.yml index 95044a8564..bff3c60c53 100644 --- a/.github/workflows/test-apps.yml +++ b/.github/workflows/test-apps.yml @@ -64,6 +64,8 @@ name: Test Apps env: DD_ENV: github DD_TAGS: 'github_run_id:${{ github.run_id }} github_run_number:${{ github.run_number }} ${{ inputs[''arg: tags''] }}' +permissions: + contents: read jobs: job-0-0: name: unit-of-work/v1 (prod) From 5f258471cfd036a1d577023b6cad21e548b31001 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 16:36:58 +0200 Subject: [PATCH 16/24] chore: drop current PR branch from smoke-tests --- .github/workflows/smoke-tests.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/smoke-tests.yml b/.github/workflows/smoke-tests.yml index daada0b622..681f039094 100644 --- a/.github/workflows/smoke-tests.yml +++ b/.github/workflows/smoke-tests.yml @@ -15,7 +15,6 @@ on: branches: - main - release-v* - - dario.castane/VULN-8316/insecure-default-workflow-permissions tags: - '**' schedule: # nightly From 4a56998ec81b0a83298b397c19146356a7b6e20f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 16:38:47 +0200 Subject: [PATCH 17/24] chore: test ecosystems-label-pr job --- .github/workflows/ecosystems-label-pr.yml | 8 ++++---- contrib/go-chi/chi/chi.go | 2 ++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ecosystems-label-pr.yml b/.github/workflows/ecosystems-label-pr.yml index 48ca61a5d7..7a3ababe34 100644 --- a/.github/workflows/ecosystems-label-pr.yml +++ b/.github/workflows/ecosystems-label-pr.yml 
@@ -3,10 +3,10 @@ on: pull_request: paths: - "contrib/**" - types: - - opened - - reopened - - edited +# types: +# - opened +# - reopened +# - edited permissions: contents: read issues: write diff --git a/contrib/go-chi/chi/chi.go b/contrib/go-chi/chi/chi.go index 370bf06cd2..5d30b1af85 100644 --- a/contrib/go-chi/chi/chi.go +++ b/contrib/go-chi/chi/chi.go @@ -6,6 +6,8 @@ // Package chi provides tracing functions for tracing the go-chi/chi package (https://github.com/go-chi/chi). package chi // import "gopkg.in/DataDog/dd-trace-go.v1/contrib/go-chi/chi" +// Let's trigger our ecosystems labeller + import ( "fmt" "math" From a8c9d63271ff523f2f11de04161a4c0c9df7d8e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 16:52:55 +0200 Subject: [PATCH 18/24] chore: test ecosystems-label-pr job with contents write permission --- .github/workflows/ecosystems-label-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ecosystems-label-pr.yml b/.github/workflows/ecosystems-label-pr.yml index 7a3ababe34..1417c29ba1 100644 --- a/.github/workflows/ecosystems-label-pr.yml +++ b/.github/workflows/ecosystems-label-pr.yml @@ -8,7 +8,7 @@ on: # - reopened # - edited permissions: - contents: read + contents: write issues: write jobs: label_issues: From 289fc749e0dad3dc115a8e0000724ef73e951852 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 17:26:55 +0200 Subject: [PATCH 19/24] chore: test ecosystems-label-pr job with permissions at job level --- .github/workflows/ecosystems-label-pr.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ecosystems-label-pr.yml b/.github/workflows/ecosystems-label-pr.yml index 1417c29ba1..8737d819cf 100644 --- a/.github/workflows/ecosystems-label-pr.yml +++ b/.github/workflows/ecosystems-label-pr.yml 
@@ -7,12 +7,12 @@ on: # - opened # - reopened # - edited -permissions: - contents: write - issues: write jobs: label_issues: runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: # https://github.com/marketplace/actions/actions-ecosystem-add-labels - name: add label From 857051a779a1cc5a87e17325a05a15d5cc45cdf9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 18:08:06 +0200 Subject: [PATCH 20/24] chore: test ecosystems-label-pr job with pull-requests permission --- .github/workflows/ecosystems-label-pr.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ecosystems-label-pr.yml b/.github/workflows/ecosystems-label-pr.yml index 8737d819cf..93b0459b79 100644 --- a/.github/workflows/ecosystems-label-pr.yml +++ b/.github/workflows/ecosystems-label-pr.yml @@ -7,12 +7,15 @@ on: # - opened # - reopened # - edited + +permissions: + contents: read + issues: write + pull-requests: write + jobs: label_issues: runs-on: ubuntu-latest - permissions: - contents: read - issues: write steps: # https://github.com/marketplace/actions/actions-ecosystem-add-labels - name: add label From 0b2f345c98b42cb74189e4a7946a5a1d4b07bf43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 18:10:03 +0200 Subject: [PATCH 21/24] chore: test ecosystems-label-pr job without issues permission --- .github/workflows/ecosystems-label-pr.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ecosystems-label-pr.yml b/.github/workflows/ecosystems-label-pr.yml index 93b0459b79..ea509c00fb 100644 --- a/.github/workflows/ecosystems-label-pr.yml +++ b/.github/workflows/ecosystems-label-pr.yml @@ -10,7 +10,6 @@ on: permissions: contents: read - issues: write pull-requests: write jobs: From 059968f0f6f348edb95096155716aa173c964718 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 18:12:31 +0200 Subject: [PATCH 22/24] chore: restrict ecosystems-label-pr job to specific types for PRs --- .github/workflows/ecosystems-label-pr.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ecosystems-label-pr.yml b/.github/workflows/ecosystems-label-pr.yml index ea509c00fb..4cadafd3e7 100644 --- a/.github/workflows/ecosystems-label-pr.yml +++ b/.github/workflows/ecosystems-label-pr.yml @@ -3,15 +3,13 @@ on: pull_request: paths: - "contrib/**" -# types: -# - opened -# - reopened -# - edited - + types: + - opened + - reopened + - edited permissions: contents: read pull-requests: write - jobs: label_issues: runs-on: ubuntu-latest From 4d20359603ad2bbc89dfcb46174ad7b6d2390811 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 18:13:14 +0200 Subject: [PATCH 23/24] chore: remove contrib fake edit to trigger labeller --- contrib/go-chi/chi/chi.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/contrib/go-chi/chi/chi.go b/contrib/go-chi/chi/chi.go index 5d30b1af85..370bf06cd2 100644 --- a/contrib/go-chi/chi/chi.go +++ b/contrib/go-chi/chi/chi.go @@ -6,8 +6,6 @@ // Package chi provides tracing functions for tracing the go-chi/chi package (https://github.com/go-chi/chi). package chi // import "gopkg.in/DataDog/dd-trace-go.v1/contrib/go-chi/chi" -// Let's trigger our ecosystems labeller - import ( "fmt" "math" From ac793cffb372421dc0ab85495953365881690136 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dario=20Casta=C3=B1=C3=A9?= Date: Mon, 9 Sep 2024 18:14:32 +0200 Subject: [PATCH 24/24] feat: add pull-requests write permission to DataDog Static Analysis' jobs --- .github/workflows/datadog-static-analysis.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/datadog-static-analysis.yml b/.github/workflows/datadog-static-analysis.yml index 6a421086ea..9a00adaad1 100644 
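Review bot: With the `pull_request` trigger restored here, the `pull-requests: write` grant a few lines below does not reach PRs opened from forks, where GITHUB_TOKEN is read-only on public repositories regardless of the declared permissions, so the labelling step will fail on exactly those PRs. If fork PRs should be labelled, the usual route is `pull_request_target`, which is acceptable only while the job never checks out or runs the PR head — an API-only labelling job qualifies, but any later checkout step would turn it into a code-execution risk. If same-repo PRs are the intended scope, a comment like `# pull_request (not pull_request_target): fork PRs get a read-only token and are not labelled` records the limitation.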
--- a/.github/workflows/datadog-static-analysis.yml +++ b/.github/workflows/datadog-static-analysis.yml @@ -4,6 +4,7 @@ name: Datadog Static Analysis permissions: contents: read + pull-requests: write jobs: static-analysis: