Apply the principle of least privilege for GitHub workflows (#33534)

Closes #33544

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
Bruno Oliveira da Silva 2024-10-04 09:17:35 -03:00 committed by GitHub
parent 7b85fc3319
commit 61c6bd5ace
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 40 additions and 1 deletions


@ -12,6 +12,9 @@ on:
type: string
required: true
permissions:
contents: read
jobs:
delete:
name: Delete Aurora DB


@ -22,6 +22,9 @@ defaults:
run:
shell: bash
permissions:
contents: read
jobs:
conditional:


@ -22,6 +22,9 @@ defaults:
run:
shell: bash
permissions:
contents: read
jobs:
conditional:


@ -21,6 +21,9 @@ defaults:
run:
shell: bash
permissions:
contents: read
jobs:
conditional:
@ -99,4 +102,4 @@ jobs:
- uses: actions/checkout@v4
- uses: ./.github/actions/status-check
with:
jobs: ${{ toJSON(needs) }}
jobs: ${{ toJSON(needs) }}
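Review bot: The `- uses: actions/checkout@v4` step shown as context in the second hunk references the action by a mutable tag, which the read-only token added at the top of this file only partly compensates for. A read-only `GITHUB_TOKEN` limits what a tampered action could do with the token, but pinning to a full commit SHA also stops the referenced code from changing underneath the workflow, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`. This is outside the stated scope of the commit and could be a follow-up; the rest of the job is not visible in this hunk.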


@ -21,6 +21,9 @@ defaults:
run:
shell: bash
permissions:
contents: read
jobs:
conditional:


@ -21,6 +21,9 @@ defaults:
run:
shell: bash
permissions:
contents: read
jobs:
conditional:
name: Check conditional workflows and jobs


@ -3,6 +3,9 @@ on:
pull_request_target:
types: closed
permissions:
contents: read
jobs:
label:
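Review bot: The `label` job may end up without the scope it needs, because the workflow-level `permissions:` / `contents: read` added here sets every unlisted scope to `none`. The job body is outside this hunk, so this may already be handled. If it is not, grant the scope under `label:` only (for example a job-level `permissions:` with `pull-requests: write`) rather than widening the workflow default. Since `pull_request_target` runs in the base repository's context with access to secrets, a comment above the block such as `# pull_request_target: do not check out or run code from the PR head here` would also help later editors.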


@ -23,6 +23,9 @@ concurrency:
group: operator-ci-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
conditional:


@ -14,6 +14,9 @@ concurrency:
group: quarkus-next-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
update-quarkus-next-branch:
name: Update quarkus-next branch
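Review bot: The `update-quarkus-next-branch` job may lose the ability to push, because the workflow-level `contents: read` added here makes `GITHUB_TOKEN` read-only for repository contents and the job name suggests it writes to a branch. The job's steps are outside this hunk, so the credential it uses cannot be confirmed from here. If the push relies on `GITHUB_TOKEN`, the job needs its own `permissions:` block with `contents: write`, scoped to that job only. If it uses a separate credential, a comment such as `# push uses a dedicated token; GITHUB_TOKEN stays read-only` next to the block would record the intent.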


@ -5,6 +5,9 @@ on:
- cron: '0 0 * * *'
workflow_dispatch:
permissions:
contents: read
jobs:
setup:


@ -10,6 +10,9 @@ defaults:
run:
shell: bash
permissions:
contents: read
jobs:
analysis:
name: Analysis of Quarkus and Operator


@ -7,6 +7,9 @@ defaults:
run:
shell: bash
permissions:
contents: read
jobs:
analysis:


@ -22,6 +22,9 @@ concurrency:
group: weblate-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
update-weblate:
name: Trigger Weblate to pull the latest changes