Define permissions following the principle of least privilege #1357
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and test images - Pull Request | ||
| on: | ||
| pull_request: | ||
| paths: | ||
| - '**' | ||
| permissions: read-all | ||
| concurrency: | ||
| group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }} | ||
| cancel-in-progress: true | ||
| env: | ||
| FORCE_COLOR: 1 | ||
| jobs: | ||
| core-ubuntu-22-lts: | ||
| uses: ./.github/workflows/reusable-build-flavor.yaml | ||
| permissions: | ||
| contents: write | ||
| security-events: write | ||
| id-token: write | ||
| actions: read | ||
| attestations: read | ||
| checks: read | ||
| deployments: read | ||
| discussions: read | ||
| issues: read | ||
| packages: read | ||
| pages: read | ||
| pull-requests: read | ||
| repository-projects: read | ||
| statuses: read | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "22.04" | ||
| family: ubuntu | ||
| base_image: ubuntu:22.04 | ||
| model: generic | ||
| variant: core | ||
| arch: amd64 | ||
| core-ubuntu-24-lts: | ||
| uses: ./.github/workflows/reusable-build-flavor.yaml | ||
| permissions: | ||
| contents: write | ||
| security-events: write | ||
| id-token: write | ||
| actions: read | ||
| attestations: read | ||
| checks: read | ||
| deployments: read | ||
| discussions: read | ||
| issues: read | ||
| packages: read | ||
| pages: read | ||
| pull-requests: read | ||
| repository-projects: read | ||
| statuses: read | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "24.04" | ||
| family: ubuntu | ||
| base_image: ubuntu:24.04 | ||
| model: generic | ||
| variant: core | ||
| arch: amd64 | ||
| core-alpine: | ||
| uses: ./.github/workflows/reusable-build-flavor.yaml | ||
| permissions: | ||
| contents: write | ||
| security-events: write | ||
| id-token: write | ||
| actions: read | ||
| attestations: read | ||
| checks: read | ||
| deployments: read | ||
| discussions: read | ||
| issues: read | ||
| packages: read | ||
| pages: read | ||
| pull-requests: read | ||
| repository-projects: read | ||
| statuses: read | ||
| with: | ||
| flavor: alpine | ||
| flavor_release: "3.19" | ||
| family: alpine | ||
| base_image: alpine:3.19 | ||
| model: generic | ||
| variant: core | ||
| arch: amd64 | ||
| standard: | ||
| uses: ./.github/workflows/reusable-build-provider.yaml | ||
| permissions: | ||
| id-token: write # OIDC support | ||
| contents: write | ||
| security-events: write | ||
| actions: read | ||
| attestations: read | ||
| checks: read | ||
| deployments: read | ||
| discussions: read | ||
| issues: read | ||
| packages: read | ||
| pages: read | ||
| pull-requests: read | ||
| repository-projects: read | ||
| statuses: read | ||
| with: | ||
| flavor: opensuse | ||
| flavor_release: "leap-15.6" | ||
| family: opensuse | ||
| base_image: opensuse/leap:15.6 | ||
| model: generic | ||
| variant: standard | ||
| arch: amd64 | ||
| install: | ||
| uses: ./.github/workflows/reusable-install-test.yaml | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "24.04" | ||
| secureboot: false | ||
| needs: | ||
| - core-ubuntu-24-lts | ||
| install-secureboot: | ||
| uses: ./.github/workflows/reusable-install-test.yaml | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "24.04" | ||
| secureboot: true | ||
| needs: | ||
| - core-ubuntu-24-lts | ||
| install-alpine: | ||
| uses: ./.github/workflows/reusable-install-test.yaml | ||
| with: | ||
| flavor: alpine | ||
| flavor_release: "3.19" | ||
| needs: | ||
| - core-alpine | ||
| zfs: | ||
| uses: ./.github/workflows/reusable-zfs-test.yaml | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "22.04" | ||
| needs: | ||
| - core-ubuntu-22-lts | ||
| acceptance: | ||
| uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "24.04" | ||
| needs: | ||
| - core-ubuntu-24-lts | ||
| acceptance-alpine: | ||
| uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml | ||
| with: | ||
| flavor: alpine | ||
| flavor_release: "3.19" | ||
| needs: | ||
| - core-alpine | ||
| bundles: | ||
| uses: ./.github/workflows/reusable-qemu-bundles-test.yaml | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "24.04" | ||
| needs: | ||
| - core-ubuntu-24-lts | ||
| reset: | ||
| uses: ./.github/workflows/reusable-qemu-reset-test.yaml | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "24.04" | ||
| needs: | ||
| - core-ubuntu-24-lts | ||
| reset-alpine: | ||
| uses: ./.github/workflows/reusable-qemu-reset-test.yaml | ||
| with: | ||
| flavor: alpine | ||
| flavor_release: "3.19" | ||
| needs: | ||
| - core-alpine | ||
| netboot: | ||
| uses: ./.github/workflows/reusable-qemu-netboot-test.yaml | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "24.04" | ||
| family: ubuntu | ||
| base_image: ubuntu:24.04 | ||
| model: generic | ||
| variant: core | ||
| needs: | ||
| - core-ubuntu-24-lts | ||
| netboot-alpine: | ||
| uses: ./.github/workflows/reusable-qemu-netboot-test.yaml | ||
| with: | ||
| flavor: alpine | ||
| flavor_release: "3.19" | ||
| family: alpine | ||
| base_image: alpine:3.19 | ||
| model: generic | ||
| variant: core | ||
| needs: | ||
| - core-alpine | ||
| upgrade: | ||
| uses: ./.github/workflows/reusable-upgrade-with-cli-test.yaml | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "24.04" | ||
| needs: | ||
| - core-ubuntu-24-lts | ||
| upgrade-alpine: | ||
| uses: ./.github/workflows/reusable-upgrade-with-cli-test.yaml | ||
| with: | ||
| flavor: alpine | ||
| flavor_release: "3.19" | ||
| needs: | ||
| - core-alpine | ||
| upgrade-latest: | ||
| uses: ./.github/workflows/reusable-upgrade-latest-test.yaml | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "24.04" | ||
| family: "ubuntu" | ||
| release_matcher: "23.10" # introduced so tests can be green while we wait for the kairos release with the latest flavor release | ||
| needs: | ||
| - core-ubuntu-24-lts | ||
| # enable once the first alpine only release is out as it currently cannot find the latest alpine release properly | ||
| # upgrade-latest-alpine: | ||
| # uses: ./.github/workflows/reusable-upgrade-latest-test.yaml | ||
| # with: | ||
| # flavor: alpine | ||
| # flavor_release: "3.19" | ||
| # needs: | ||
| # - core-alpine | ||
| custom-partitioning: | ||
|
Check failure on line 251 in .github/workflows/image-pr.yaml
|
||
| uses: ./.github/workflows/reusable-custom-partitioning-test.yaml | ||
| permissions: | ||
| id-token: write # OIDC support | ||
| contents: write | ||
| actions: read | ||
| security-events: write | ||
| with: | ||
| flavor: ${{ matrix.flavor }} | ||
| flavor_release: ${{ matrix.flavorRelease }} | ||
| needs: | ||
| - core-ubuntu-24-lts | ||
| strategy: | ||
| fail-fast: true | ||
| matrix: | ||
| flavor: | ||
| - "ubuntu" | ||
| flavorRelease: | ||
| - "24.04" | ||
| encryption: | ||
| uses: ./.github/workflows/reusable-encryption-test.yaml | ||
| with: | ||
| flavor: ubuntu | ||
| flavor_release: "24.04" | ||
| label: ${{ matrix.label }} | ||
| needs: | ||
| - core-ubuntu-24-lts | ||
| strategy: | ||
| fail-fast: true | ||
| matrix: | ||
| label: | ||
| - "local-encryption" | ||
| - "remote-auto" | ||
| - "remote-static" | ||
| - "remote-https-pinned" | ||
| - "remote-https-bad-cert" | ||
| encryption-alpine: | ||
| uses: ./.github/workflows/reusable-encryption-test.yaml | ||
| with: | ||
| flavor: alpine | ||
| flavor_release: "3.19" | ||
| label: ${{ matrix.label }} | ||
| needs: | ||
| - core-alpine | ||
| strategy: | ||
| fail-fast: true | ||
| matrix: | ||
| label: | ||
| - "local-encryption" | ||
| - "remote-auto" | ||
| - "remote-static" | ||
| - "remote-https-pinned" | ||
| - "remote-https-bad-cert" | ||
