Apply the principle of least privilege for GitHub workflows (#33534)
Closes #33544 Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>
parent
7b85fc3319
commit
61c6bd5ace
13 changed files with 40 additions and 1 deletions
3
.github/workflows/aurora-delete.yml
vendored
3
.github/workflows/aurora-delete.yml
vendored
|
@ -12,6 +12,9 @@ on:
|
|||
type: string
|
||||
required: true
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
delete:
|
||||
name: Delete Aurora DB
|
||||
|
|
3
.github/workflows/ci.yml
vendored
3
.github/workflows/ci.yml
vendored
|
@ -22,6 +22,9 @@ defaults:
|
|||
run:
|
||||
shell: bash
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
|
||||
conditional:
|
||||
|
|
3
.github/workflows/codeql-analysis.yml
vendored
3
.github/workflows/codeql-analysis.yml
vendored
|
@ -22,6 +22,9 @@ defaults:
|
|||
run:
|
||||
shell: bash
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
|
||||
conditional:
|
||||
|
|
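Review bot: The workflow-level `contents: read` added above `jobs:` also sets `security-events` to `none`, and uploading CodeQL results to code scanning needs `security-events: write` on the job that runs the analysis. The job definitions are outside this hunk, so check that the analysing job declares its own `permissions:` block with `security-events: write`. Job-level permissions replace the workflow default rather than extend it, so that block must restate `contents: read`. The same check applies to `snyk-analysis.yml` and `trivy-analysis.yml` if their `analysis` jobs upload SARIF results.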
3
.github/workflows/documentation.yml
vendored
3
.github/workflows/documentation.yml
vendored
|
@ -21,6 +21,9 @@ defaults:
|
|||
run:
|
||||
shell: bash
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
|
||||
conditional:
|
||||
|
|
3
.github/workflows/guides.yml
vendored
3
.github/workflows/guides.yml
vendored
|
@ -21,6 +21,9 @@ defaults:
|
|||
run:
|
||||
shell: bash
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
|
||||
conditional:
|
||||
|
|
3
.github/workflows/js-ci.yml
vendored
3
.github/workflows/js-ci.yml
vendored
|
@ -21,6 +21,9 @@ defaults:
|
|||
run:
|
||||
shell: bash
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
conditional:
|
||||
name: Check conditional workflows and jobs
|
||||
|
|
3
.github/workflows/label.yml
vendored
3
.github/workflows/label.yml
vendored
|
@ -3,6 +3,9 @@ on:
|
|||
pull_request_target:
|
||||
types: closed
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
label:
|
||||
|
||||
|
|
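Review bot: With `pull_request_target` as the trigger and a job named `label`, the new workflow-level `permissions:` / `contents: read` leaves every other GITHUB_TOKEN scope at `none`. A step that adds or removes labels through that token would therefore be rejected unless the job grants the scope itself. The job body is outside this hunk, so confirm which credential the labelling step uses. If it is GITHUB_TOKEN, add a job-level block under `label:` with `pull-requests: write` (or `issues: write`, depending on the API the step calls) instead of widening the workflow default. Keeping the write scope on that single job matters here because `pull_request_target` runs in the base repository's context.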
3
.github/workflows/operator-ci.yml
vendored
3
.github/workflows/operator-ci.yml
vendored
|
@ -23,6 +23,9 @@ concurrency:
|
|||
group: operator-ci-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
|
||||
conditional:
|
||||
|
|
3
.github/workflows/quarkus-next.yml
vendored
3
.github/workflows/quarkus-next.yml
vendored
|
@ -14,6 +14,9 @@ concurrency:
|
|||
group: quarkus-next-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
update-quarkus-next-branch:
|
||||
name: Update quarkus-next branch
|
||||
|
|
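Review bot: The job in this workflow is named `Update quarkus-next branch`, and with the workflow default now `contents: read`, a `git push` authenticated by GITHUB_TOKEN would be refused. The steps are outside this hunk, so this is an inference from the job name. If the push uses a separate credential, nothing changes. Otherwise the job needs `permissions:` / `contents: write` declared on `update-quarkus-next-branch` only. A one-line comment above the workflow-level block, e.g. `# Default token scope; jobs that write must opt in explicitly`, would make the intent clear to later editors.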
3
.github/workflows/schedule-nightly.yml
vendored
3
.github/workflows/schedule-nightly.yml
vendored
|
@ -5,6 +5,9 @@ on:
|
|||
- cron: '0 0 * * *'
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
|
||||
setup:
|
||||
|
|
3
.github/workflows/snyk-analysis.yml
vendored
3
.github/workflows/snyk-analysis.yml
vendored
|
@ -10,6 +10,9 @@ defaults:
|
|||
run:
|
||||
shell: bash
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
analysis:
|
||||
name: Analysis of Quarkus and Operator
|
||||
|
|
3
.github/workflows/trivy-analysis.yml
vendored
3
.github/workflows/trivy-analysis.yml
vendored
|
@ -7,6 +7,9 @@ defaults:
|
|||
run:
|
||||
shell: bash
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
|
||||
analysis:
|
||||
|
|
3
.github/workflows/weblate.yml
vendored
3
.github/workflows/weblate.yml
vendored
|
@ -22,6 +22,9 @@ concurrency:
|
|||
group: weblate-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
update-weblate:
|
||||
name: Trigger Weblate to pull the latest changes
|
||||
|
|