Skip to content

Commit

Permalink
Merge pull request #2143 from ConnorJC3/gh-actions-perms
Browse files Browse the repository at this point in the history
Add permissions to all GitHub actions
  • Loading branch information
k8s-ci-robot authored Sep 16, 2024
2 parents c1556ac + 11cf5b2 commit 559f8ff
Show file tree
Hide file tree
Showing 8 changed files with 32 additions and 0 deletions.
5 changes: 5 additions & 0 deletions .github/workflows/generate-code-coverage.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,11 @@

name: Generate Code Coverage
on: [pull_request]

permissions:
contents: read
# upload-artifact does not need write permissions as it relies on an undocumented token
# https://github.com/actions/upload-artifact/issues/197#issuecomment-832279436

jobs:
cover-base:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/govulncheck.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ on:
pull_request:
branches:
- 'release-*'

permissions:
contents: read

jobs:
govulncheck:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/helm-chart-release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,10 @@ on:
paths:
- "charts/**/Chart.yaml"

permissions:
contents: write # Create new release to host chart artifacts
pages: write # Publish chart to pages

jobs:
release:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/output-code-coverage.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ on:
workflow_run:
workflows: [Generate Code Coverage]
types: [completed]

permissions:
contents: read
pull-requests: write # Create/update comment on PRs

jobs:
output-code-coverage:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@ on:
# Sequence of patterns matched against refs/tags
tags:
- "v*" # Push events to matching v*, i.e. v1.0, v20.15.10

permissions:
contents: write # Create releases

jobs:
build:
name: Release
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/trivy-containers.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,10 @@ on:
schedule:
- cron: '0 */24 * * *'

permissions:
contents: read
security-events: write # Update findings in security tab

jobs:
build-matrix:
runs-on: ubuntu-latest
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/trivy.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,10 @@ on:
branches:
- master
pull_request:

permissions:
contents: read
security-events: write # Update findings in security tab

jobs:
build:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/unit-tests.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@ on:
branches:
- master
pull_request:

permissions:
contents: read

jobs:
buildx:
Expand Down

0 comments on commit 559f8ff

Please sign in to comment.