Set permissions for GHA workflows (#18728)

gravitational · Nov 23, 2022 · a6dfac7 · a6dfac7
1 parent 90a253b
commit a6dfac7
Show file tree

Hide file tree

Showing 16 changed files with 43 additions and 6 deletions.
diff --git a/.github/workflows/doc-tests.yaml b/.github/workflows/doc-tests.yaml
@@ -11,6 +11,9 @@ jobs:
     name: Lint (Docs)
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/docs:latest
       volumes:

diff --git a/.github/workflows/integration-tests-non-root.yaml b/.github/workflows/integration-tests-non-root.yaml
@@ -18,7 +18,6 @@ jobs:
 
     permissions:
       contents: read
-      id-token: write
       packages: read
 
     container:

diff --git a/.github/workflows/integration-tests-root.yaml b/.github/workflows/integration-tests-root.yaml
@@ -18,7 +18,6 @@ jobs:
 
     permissions:
       contents: read
-      id-token: write
 
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox:teleport12

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -11,6 +11,9 @@ jobs:
     name: Lint (Go)
     runs-on: ubuntu-22.04-16core
 
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox:teleport12
       env:

diff --git a/.github/workflows/os-compatibility-test.yaml b/.github/workflows/os-compatibility-test.yaml
@@ -10,6 +10,10 @@ jobs:
   build:
     name: Build Artifacts
     runs-on: ubuntu-22.04-16core
+
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox-centos7:teleport12
       env:
@@ -36,6 +40,10 @@ jobs:
     needs: build
     name: Run Compatibility Test
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout
         uses: actions/checkout@v3

diff --git a/.github/workflows/unit-tests-code-bypass.yaml b/.github/workflows/unit-tests-code-bypass.yaml
@@ -10,5 +10,9 @@ jobs:
   test:
     name: Unit Tests (Go)
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+
     steps:
       - run: 'echo "No changes to verify"'
diff --git a/.github/workflows/unit-tests-code.yaml b/.github/workflows/unit-tests-code.yaml
@@ -18,7 +18,6 @@ jobs:
 
     permissions:
       contents: read
-      id-token: write
       packages: read
 
     container:

diff --git a/.github/workflows/unit-tests-helm-bypass.yaml b/.github/workflows/unit-tests-helm-bypass.yaml
@@ -11,5 +11,9 @@ jobs:
   test:
     name: Unit Tests (Helm)
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+
     steps:
       - run: 'echo "No changes to verify"'
diff --git a/.github/workflows/unit-tests-helm.yaml b/.github/workflows/unit-tests-helm.yaml
@@ -14,6 +14,9 @@ jobs:
     name: Unit Tests (Helm)
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox:teleport12
       env:

diff --git a/.github/workflows/unit-tests-operator-bypass.yaml b/.github/workflows/unit-tests-operator-bypass.yaml
@@ -14,5 +14,9 @@ jobs:
   test:
     name: Unit Tests (Operator)
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+
     steps:
       - run: 'echo "No changes to verify"'
diff --git a/.github/workflows/unit-tests-operator.yaml b/.github/workflows/unit-tests-operator.yaml
@@ -18,6 +18,9 @@ jobs:
     name: Unit Tests (Operator)
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox:teleport12
       options: --cap-add=SYS_ADMIN --privileged

diff --git a/.github/workflows/unit-tests-rust-bypass.yaml b/.github/workflows/unit-tests-rust-bypass.yaml
@@ -12,5 +12,9 @@ jobs:
   test:
     name: Unit Tests (Rust)
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: none
+
     steps:
       - run: 'echo "No changes to verify"'
diff --git a/.github/workflows/unit-tests-rust.yaml b/.github/workflows/unit-tests-rust.yaml
@@ -15,6 +15,10 @@ jobs:
   test:
     name: Unit Tests (Rust)
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     container:
       image: public.ecr.aws/gravitational/teleport-buildbox:teleport12
       options: --cap-add=SYS_ADMIN --privileged

diff --git a/api/types/database.go b/api/types/database.go
@@ -31,7 +31,7 @@ import (
 	azureutils "github.com/gravitational/teleport/api/utils/azure"
 )
 
-// Database represents a database proxied by a database server.
+// Database represents a single database proxied by a database server.
 type Database interface {
 	// ResourceWithLabels provides common resource methods.
 	ResourceWithLabels

diff --git a/examples/chart/teleport-kube-agent/Chart.yaml b/examples/chart/teleport-kube-agent/Chart.yaml
@@ -4,7 +4,7 @@ name: teleport-kube-agent
 apiVersion: v2
 version: *version
 appVersion: *version
-description: Teleport provides a secure SSH and Kubernetes remote access solution that doesn't get in the way.
+description: Teleport provides a secure SSH, Kubernetes, database and application remote access solution that doesn't get in the way.
 icon: https://goteleport.com/images/logos/logo-teleport-square.svg
 keywords:
   - Teleport
diff --git a/lib/srv/desktop/rdp/rdpclient/build.rs b/lib/srv/desktop/rdp/rdpclient/build.rs
@@ -21,7 +21,7 @@ fn main() {
         .unwrap();
 
     // atomically swap the header in place, just in case there's multiple
-    // compilations at the same time
+    // compilations at the same time.
     let out = tempfile::NamedTempFile::new_in(".").unwrap();
     bindings.write(&out);