chore(ci): fix GHA permissions
Zenithar committed May 10, 2023
1 parent 2b22e7f commit ecbd9e8
Showing 4 changed files with 27 additions and 13 deletions.
10 changes: 6 additions & 4 deletions .github/workflows/docker.yml
Expand Up @@ -7,15 +7,17 @@ on:
description: 'Release version'
required: true

permissions:
# Required to stop running workflows
actions: write
packages: write
permissions: # added using https://github.com/step-security/secure-repo
contents: read

jobs:
build-docker-images:
name: Build Docker Images
runs-on: ubuntu-latest
permissions:
# Required to stop running workflows
actions: write
packages: write
steps:
-
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
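Review bot: The job-level `permissions:` block under `build-docker-images` lists only `actions` and `packages`, and a job-level block replaces the workflow-level one rather than merging with it, so every scope not listed there, including `contents`, is `none` for this job and the new top-level `contents: read` does not reach it. The step list continues outside this hunk; if one of the steps checks out the repository with the job token, add `contents: read` to the job block so the build does not depend on the repository being public. The go.yml jobs that now declare only `actions: write` are in the same position. The comment `# Required to stop running workflows` describes `actions: write` only, so `packages: write` deserves its own one-line comment stating what the job publishes.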
17 changes: 14 additions & 3 deletions .github/workflows/go.yml
Expand Up @@ -21,15 +21,16 @@ on:
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

permissions:
# Required to stop running workflows
actions: write
permissions: # added using https://github.com/step-security/secure-repo
contents: read

jobs:
# Check if there any dirty change for go mod tidy
go-mod:
name: "Check go modules declaration"
runs-on: ubuntu-latest
permissions:
actions: write
steps:
-
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
Expand Down Expand Up @@ -73,6 +74,8 @@ jobs:
go-version:
- "1.19"
- "1.20"
permissions:
actions: write
runs-on: ubuntu-latest
needs: [golangci-lint, go-mod]
steps:
Expand Down Expand Up @@ -123,6 +126,8 @@ jobs:
golangci-lint:
name: "GolangCI-lint"
runs-on: ubuntu-latest
permissions:
actions: write
steps:
-
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
Expand Down Expand Up @@ -160,6 +165,8 @@ jobs:
name: "Tests (linux)"
needs: [go-mod, compile-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors
runs-on: ubuntu-latest
permissions:
actions: write
steps:
-
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969
Expand Down Expand Up @@ -208,6 +215,8 @@ jobs:
name: "Tests (windows)"
needs: [go-mod, compile-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors
runs-on: windows-latest
permissions:
actions: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
Expand Down Expand Up @@ -251,6 +260,8 @@ jobs:
name: "Tests (darwin)"
needs: [go-mod, compile-dryrun, golangci-lint] # run after golangci-lint action to not produce duplicated errors
runs-on: macos-latest
permissions:
actions: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
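Review bot: Every job touched in this file, starting with `go-mod` in the first hunk, now carries `actions: write`, but the comment that justified the grant (`# Required to stop running workflows`) was dropped with the workflow-level block and none of the hunks shows a step that uses it. `actions: write` lets the job token cancel and re-run workflow runs, so it is worth keeping only on jobs that really contain a cancel step, with the comment restored above it; the remaining jobs can be reduced to `contents: read`. The step lists continue outside each hunk, so which jobs need the grant cannot be confirmed from here. The same uncommented `actions: write` is added to the `release` job in releaser.yml and the `trivy` job in security.yml.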
7 changes: 4 additions & 3 deletions .github/workflows/releaser.yml
Expand Up @@ -7,16 +7,17 @@ on:
description: 'Release version'
required: true

permissions:
# Required to stop running workflows
actions: write
permissions: # added using https://github.com/step-security/secure-repo
contents: read

jobs:
release:
runs-on: macos-latest
permissions:
packages: read
contents: write
actions: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
6 changes: 3 additions & 3 deletions .github/workflows/security.yml
Expand Up @@ -13,9 +13,8 @@ on:
schedule:
- cron: '30 0 1,15 * *'

permissions:
# Required to stop running workflows
actions: write
permissions: # added using https://github.com/step-security/secure-repo
contents: read

jobs:
trivy:
Expand All @@ -26,6 +25,7 @@ jobs:
contents: read
security-events: write
pull-requests: read
actions: write

if: (github.actor != 'dependabot[bot]')
steps:
