From 8c12536a6a8a751bd648c52029cdbfbb73b43cbd Mon Sep 17 00:00:00 2001
From: Hariharan Subramanian
Date: Mon, 22 Jan 2024 15:55:51 +0000
Subject: [PATCH 1/3] updating GHA workflows with permissions
---
 .github/workflows/acr-build-publish.yml | 1 +
 .github/workflows/integration-check-install.yml | 1 +
 .github/workflows/live-test.yml | 1 +
 .github/workflows/pr-build.yml | 2 ++
 .github/workflows/release.yml | 6 ++++++
 5 files changed, 11 insertions(+)
diff --git a/.github/workflows/acr-build-publish.yml b/.github/workflows/acr-build-publish.yml
index 1c7070a7c..1820e0369 100644
--- a/.github/workflows/acr-build-publish.yml
+++ b/.github/workflows/acr-build-publish.yml
@@ -23,6 +23,7 @@ jobs:
 - components: routingmanager
 imageName: routingmanager
 runs-on: ubuntu-latest
+ permissions: read-all
 environment: ${{ github.event.inputs.environment }}
 steps:
 - name: Checkout
diff --git a/.github/workflows/integration-check-install.yml b/.github/workflows/integration-check-install.yml
index 80ba8ce2e..dbc213138 100644
--- a/.github/workflows/integration-check-install.yml
+++ b/.github/workflows/integration-check-install.yml
@@ -9,6 +9,7 @@ jobs:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
 runs-on: ${{ matrix.os }}
+ permissions: read-all
 steps:
 - uses: actions/checkout@v3
 - name: Run Install Script
diff --git a/.github/workflows/live-test.yml b/.github/workflows/live-test.yml
index 279477bd0..30b58a3cb 100644
--- a/.github/workflows/live-test.yml
+++ b/.github/workflows/live-test.yml
@@ -4,6 +4,7 @@ on:
 types: [ok-to-test-command]
 permissions:
 id-token: write
+ contents: read
 jobs:
 liveTest:
 env:
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 949277fe4..7eaba765e 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
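Review bot: `permissions: read-all` on the routingmanager job is broader than the job visibly needs: it grants read on every GITHUB_TOKEN scope, while the only step shown is `Checkout`, which needs `contents: read`; the explicit form `permissions:` followed by `contents: read` would document the intended scope and add further scopes only where a later step demonstrably uses the token. The same `read-all` shorthand is introduced in the integration-check-install.yml hunk and in both pr-build.yml hunks of this patch, whereas release.yml in the same patch uses explicit scope mappings; one style across the workflows makes later permission audits easier. The job's remaining steps are outside the hunk, so a scope beyond contents cannot be ruled out from here, and PATCH 3/3 in this series deletes the line again without giving a reason.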
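Review bot: The added `contents: read` line carries no comment, and the reason it matters is easy to miss: once a top-level `permissions:` block names any scope, every scope it does not name is `none`, so before this hunk the token for this workflow had `id-token: write` and no contents access at all. A one-line comment above it, `# unspecified scopes are none once permissions is set; checkout of a private repo needs contents: read`, would stop the next reader from treating the line as redundant, which appears to be what happened, since PATCH 3/3 removes it again with no explanation. Whether the checkout in this workflow actually needs the token is not visible in the hunk; the liveTest job body continues outside it.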
@@ -4,6 +4,7 @@ on: [workflow_dispatch]
 jobs:
 self-contained:
 runs-on: windows-latest
+ permissions: read-all
 strategy:
 matrix:
 mode: [osx-x64,linux-x64,win-x64,win-arm64,osx-arm64,linux-arm64]
@@ -28,6 +29,7 @@ jobs:
 dotnet test src\unittest.sln -c Release --no-restore --verbosity normal
 non-self-contained:
 runs-on: windows-latest
+ permissions: read-all
 strategy:
 matrix:
 mode: [osx-x64,linux-x64,win-x64,win-arm64,osx-arm64,linux-arm64]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 44716f7ca..193ef50cf 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,9 @@ on: [workflow_dispatch]
 jobs:
 build:
 runs-on: windows-latest
+ permissions:
+ actions: read
+ contents: write
 strategy:
 matrix:
 mode: [osx-x64,linux-x64,win-x64,win-arm64,osx-arm64,linux-arm64]
@@ -74,6 +77,9 @@ jobs:
 release:
 runs-on: ubuntu-latest
 needs: build
+ permissions:
+ actions: read
+ contents: write
 steps:
 - uses: actions/checkout@v3
 - name: Get Changelog Entry
From 39f924e973bc8b8cc03ba2761ab5fbd48c3d1e61 Mon Sep 17 00:00:00 2001
From: Hariharan Subramanian
Date: Mon, 22 Jan 2024 16:20:06 +0000
Subject: [PATCH 2/3] try with contents read
---
 .github/workflows/integration-check-install.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/integration-check-install.yml b/.github/workflows/integration-check-install.yml
index dbc213138..4e20f7011 100644
--- a/.github/workflows/integration-check-install.yml
+++ b/.github/workflows/integration-check-install.yml
@@ -9,7 +9,8 @@ jobs:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
 runs-on: ${{ matrix.os }}
- permissions: read-all
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v3
 - name: Run Install Script
From 84cf15375b0f1afa098f05278452913a4718e1ba Mon Sep 17 00:00:00 2001
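Review bot: The `build` job is given `contents: write` in the release.yml hunk at old line 4, yet nothing visible in that job (a windows-latest matrix over the target runtimes) suggests it writes to the repository; uploading build artifacts does not need write, and only the `release` job in the hunk at old line 74, which presumably creates the GitHub release, appears to. Reducing the build job to `permissions:` / `actions: read` / `contents: read` keeps a compromised build or test step from pushing tags or releases with the workflow token. `actions: read` is added to both jobs without a comment; a note naming the step that needs it, e.g. `# actions: read – required by <step name>`, would let a later reviewer verify the scope instead of guessing. The steps of both jobs are outside the hunks, so confirm no build step writes before tightening.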
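Review bot: Replacing `read-all` with `contents: read` on this job is the right least-privilege scope for a checkout-plus-install job, but the series does not keep it: PATCH 3/3 removes the block again, so integration-check-install.yml ends up with no `permissions` key and the job falls back to the repository's default GITHUB_TOKEN permissions, which on repositories with the older default may still be read/write for every scope. The message `remove permissions` gives no reason; if the explicit block broke the install step, the commit should say which scope was missing, and a workflow-level `permissions:` / `contents: read` at the top of the file is the usual baseline that keeps the token read-only without per-job settings. The `Run Install Script` step body is outside the hunk, so whether it needs any other scope cannot be judged here.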
From: Hariharan Subramanian
Date: Mon, 22 Jan 2024 16:23:50 +0000
Subject: [PATCH 3/3] remove permissions
---
 .github/workflows/acr-build-publish.yml | 1 -
 .github/workflows/integration-check-install.yml | 2 --
 .github/workflows/live-test.yml | 1 -
 .github/workflows/pr-build.yml | 2 --
 4 files changed, 6 deletions(-)
diff --git a/.github/workflows/acr-build-publish.yml b/.github/workflows/acr-build-publish.yml
index 1820e0369..1c7070a7c 100644
--- a/.github/workflows/acr-build-publish.yml
+++ b/.github/workflows/acr-build-publish.yml
@@ -23,7 +23,6 @@ jobs:
 - components: routingmanager
 imageName: routingmanager
 runs-on: ubuntu-latest
- permissions: read-all
 environment: ${{ github.event.inputs.environment }}
 steps:
 - name: Checkout
diff --git a/.github/workflows/integration-check-install.yml b/.github/workflows/integration-check-install.yml
index 4e20f7011..80ba8ce2e 100644
--- a/.github/workflows/integration-check-install.yml
+++ b/.github/workflows/integration-check-install.yml
@@ -9,8 +9,6 @@ jobs:
 matrix:
 os: [ubuntu-latest, macos-latest, windows-latest]
 runs-on: ${{ matrix.os }}
- permissions:
- contents: read
 steps:
 - uses: actions/checkout@v3
 - name: Run Install Script
diff --git a/.github/workflows/live-test.yml b/.github/workflows/live-test.yml
index 30b58a3cb..279477bd0 100644
--- a/.github/workflows/live-test.yml
+++ b/.github/workflows/live-test.yml
@@ -4,7 +4,6 @@ on:
 types: [ok-to-test-command]
 permissions:
 id-token: write
- contents: read
 jobs:
 liveTest:
 env:
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
index 7eaba765e..949277fe4 100644
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -4,7 +4,6 @@ on: [workflow_dispatch]
 jobs:
 self-contained:
 runs-on: windows-latest
- permissions: read-all
 strategy:
 matrix:
 mode: [osx-x64,linux-x64,win-x64,win-arm64,osx-arm64,linux-arm64]
@@ -29,7 +28,6 @@ jobs:
 dotnet test src\unittest.sln -c Release --no-restore --verbosity normal
 non-self-contained:
 runs-on: windows-latest
- permissions: read-all
 strategy:
 matrix:
 mode: [osx-x64,linux-x64,win-x64,win-arm64,osx-arm64,linux-arm64]