diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index f1a089f67d..e76f0cef80 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -1,5 +1,6 @@
 name: Check formatting with Black
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/checkbox-beta-release.yml b/.github/workflows/checkbox-beta-release.yml
index 069237259d..b5fd5bd3d1 100644
--- a/.github/workflows/checkbox-beta-release.yml
+++ b/.github/workflows/checkbox-beta-release.yml
@@ -1,6 +1,8 @@
 name: Beta version of checkbox
 run-name: Promote edge versions of checkbox to beta
-
+permissions:
+ contents: read
+ actions: read # used by can_promote_edge.py to query past daily builds
 on:
 push:
 branches:
diff --git a/.github/workflows/checkbox-ce-oem-daily-build.yml b/.github/workflows/checkbox-ce-oem-daily-build.yml
index 687a246303..dbd12af084 100644
--- a/.github/workflows/checkbox-ce-oem-daily-build.yml
+++ b/.github/workflows/checkbox-ce-oem-daily-build.yml
@@ -1,5 +1,7 @@
 name: checkbox-ce-oem daily builds
-
+permissions:
+ contents: read
+ actions: read # used by gh api
 on:
 schedule:
 - cron: '00 21 * * *'
@@ -41,4 +43,6 @@ jobs:
 needs: check_for_commits
 if: ${{ needs.check_for_commits.outputs.new_commit_count > 0 || github.event_name == 'workflow_dispatch' }}
 uses: ./.github/workflows/checkbox-ce-oem-edge-builds.yml
- secrets: inherit
+ secrets:
+ SNAPCRAFT7_CREDS: ${{ secrets.SNAPCRAFT7_CREDS }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/checkbox-ce-oem-edge-builds.yml b/.github/workflows/checkbox-ce-oem-edge-builds.yml
index 2d6f56a326..ee8066b51e 100644
--- a/.github/workflows/checkbox-ce-oem-edge-builds.yml
+++ b/.github/workflows/checkbox-ce-oem-edge-builds.yml
@@ -1,8 +1,14 @@
 name: checkbox-ce-oem snap edge build
-
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 workflow_call:
+ secrets:
+ SNAPCRAFT7_CREDS:
+ required: true
+ GITHUB_TOKEN:
+ required: true
 jobs:
 snap:
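Review bot: Declaring `GITHUB_TOKEN` under `on.workflow_call.secrets` in checkbox-ce-oem-edge-builds.yml, and forwarding it as `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` from checkbox-ce-oem-daily-build.yml, is redundant and may not even be accepted: a called workflow already receives `secrets.GITHUB_TOKEN` / `github.token` automatically, and to my knowledge GitHub rejects a `workflow_call` secret whose name collides with the reserved `GITHUB_TOKEN` — please confirm against the workflow validator before merging. If it is rejected, every caller/callee pair in this commit fails to load: checkbox-daily-cross-builds.yaml, checkbox-daily-native-builds.yaml, deb-daily-builds.yml and the three reusable-workflow hunks in daily-builds.yml. Dropping the `GITHUB_TOKEN` entries on both sides and declaring only the real secrets (`SNAPCRAFT7_CREDS`, `LP_CREDS`) keeps the move away from `secrets: inherit` and gives the called workflow exactly the credentials it needs.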
diff --git a/.github/workflows/checkbox-daily-cross-builds.yaml b/.github/workflows/checkbox-daily-cross-builds.yaml
index 499ed98960..8560ec38f8 100644
--- a/.github/workflows/checkbox-daily-cross-builds.yaml
+++ b/.github/workflows/checkbox-daily-cross-builds.yaml
@@ -1,5 +1,6 @@
 name: Checkbox Snap daily cross-builds
-
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 inputs:
@@ -15,7 +16,11 @@ on:
 default: false
 required: false
 type: boolean
-
+ secrets:
+ SNAPCRAFT7_CREDS:
+ required: true
+ GITHUB_TOKEN:
+ required: true
 jobs:
 snap-runtime:
 strategy:
diff --git a/.github/workflows/checkbox-daily-native-builds.yaml b/.github/workflows/checkbox-daily-native-builds.yaml
index f55f4de701..5476910b43 100644
--- a/.github/workflows/checkbox-daily-native-builds.yaml
+++ b/.github/workflows/checkbox-daily-native-builds.yaml
@@ -1,5 +1,6 @@
 name: Checkbox Snap daily native builds
-
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 inputs:
@@ -15,6 +16,11 @@ on:
 default: false
 required: false
 type: boolean
+ secrets:
+ SNAPCRAFT7_CREDS:
+ required: true
+ GITHUB_TOKEN:
+ required: true
 jobs:
 snap_runtime_native:
diff --git a/.github/workflows/checkbox-promote-beta-to-candidate.yml b/.github/workflows/checkbox-promote-beta-to-candidate.yml
index 8d84e89006..6407b41805 100644
--- a/.github/workflows/checkbox-promote-beta-to-candidate.yml
+++ b/.github/workflows/checkbox-promote-beta-to-candidate.yml
@@ -1,6 +1,8 @@
 name: Promote Checkbox beta to candidate
 on:
 workflow_dispatch:
+permissions:
+ contents: read
 jobs:
 checkbox-promotion-beta-to-candidate-test:
diff --git a/.github/workflows/checkbox-stable-release.yml b/.github/workflows/checkbox-stable-release.yml
index 76d01144af..ce2b1e266c 100644
--- a/.github/workflows/checkbox-stable-release.yml
+++ b/.github/workflows/checkbox-stable-release.yml
@@ -1,5 +1,7 @@
 name: Stable version of checkbox
 run-name: Promote beta versions of checkbox to stable
+permissions:
+ contents: read # write used to create the release
 on:
 workflow_dispatch:
@@ -18,6 +20,8 @@ jobs:
 - jammy
 - large
 - X64
+ permissions:
+ contents: write
 steps:
 - name: Checkout checkbox monorepo
 uses: actions/checkout@v4
diff --git a/.github/workflows/checkbox-tics.yml b/.github/workflows/checkbox-tics.yml
index 4134620ae6..1af4d82533 100644
--- a/.github/workflows/checkbox-tics.yml
+++ b/.github/workflows/checkbox-tics.yml
@@ -1,10 +1,8 @@
 name: TICS Code Quality Analysis
-
 on:
 schedule:
 - cron: '00 19 * * *'
 workflow_dispatch:
-
 permissions:
 contents: read
diff --git a/.github/workflows/daily-builds.yml b/.github/workflows/daily-builds.yml
index 181481878d..4ec2467307 100644
--- a/.github/workflows/daily-builds.yml
+++ b/.github/workflows/daily-builds.yml
@@ -1,5 +1,7 @@
 name: Daily builds
-
+permissions:
+ contents: read
+ actions: read # used by gh api
 on:
 schedule:
 - cron: '00 18 * * *'
@@ -41,7 +43,9 @@ jobs:
 needs: check_for_commits
 if: ${{ needs.check_for_commits.outputs.new_commit_count > 0 || github.event_name == 'workflow_dispatch' }}
 uses: ./.github/workflows/checkbox-daily-cross-builds.yaml
- secrets: inherit
+ secrets:
+ SNAPCRAFT7_CREDS: ${{ secrets.SNAPCRAFT7_CREDS }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 store_upload: true
@@ -49,7 +53,9 @@ jobs:
 needs: check_for_commits
 if: ${{ needs.check_for_commits.outputs.new_commit_count > 0 || github.event_name == 'workflow_dispatch' }}
 uses: ./.github/workflows/checkbox-daily-native-builds.yaml
- secrets: inherit
+ secrets:
+ SNAPCRAFT7_CREDS: ${{ secrets.SNAPCRAFT7_CREDS }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 store_upload: true
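Review bot: The inline comment on the new top-level line in checkbox-stable-release.yml, `contents: read # write used to create the release`, reads as if `read` were a typo; the actual escalation is the job-level `permissions:` block added in the second hunk, which is where the justification belongs. Keep the top-level line as a plain `contents: read` and move the note down, e.g. `permissions:` / `contents: write # needed to create the GitHub release`, so the one job holding write access documents why. The job whose permissions are widened starts before the second hunk, so I cannot see which step performs the release.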
@@ -57,4 +63,6 @@ jobs:
 needs: check_for_commits
 if: ${{ needs.check_for_commits.outputs.new_commit_count > 0 || github.event_name == 'workflow_dispatch' }}
 uses: ./.github/workflows/deb-daily-builds.yml
- secrets: inherit
+ secrets:
+ LP_CREDS: ${{ secrets.LP_CREDS }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/deb-daily-builds.yml b/.github/workflows/deb-daily-builds.yml
index 683d6bd411..a6060a15f3 100644
--- a/.github/workflows/deb-daily-builds.yml
+++ b/.github/workflows/deb-daily-builds.yml
@@ -1,9 +1,14 @@
 name: Debian packages daily build
-
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 workflow_call:
-
+ secrets:
+ LP_CREDS:
+ required: true
+ GITHUB_TOKEN:
+ required: true
 jobs:
 ppa_update:
 name: Sync PPA history with monorepo
diff --git a/.github/workflows/deb-sanity-builds.yml b/.github/workflows/deb-sanity-builds.yml
index 210cca49e3..f251644606 100644
--- a/.github/workflows/deb-sanity-builds.yml
+++ b/.github/workflows/deb-sanity-builds.yml
@@ -1,5 +1,6 @@
 name: Sanity Debian package build
-
+permissions:
+ contents: read
 on:
 schedule:
 - cron: '00 14 * * *'
diff --git a/.github/workflows/deb_validator.yaml b/.github/workflows/deb_validator.yaml
index 4ea992f66c..d8c45215c3 100644
--- a/.github/workflows/deb_validator.yaml
+++ b/.github/workflows/deb_validator.yaml
@@ -1,5 +1,8 @@
 name: Verify debian packages
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/dispatch_lab_job.yaml b/.github/workflows/dispatch_lab_job.yaml
index e3c0c53c7a..4147375ad4 100644
--- a/.github/workflows/dispatch_lab_job.yaml
+++ b/.github/workflows/dispatch_lab_job.yaml
@@ -1,4 +1,6 @@
 name: Dispatch Checkbox jobs in the lab
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 inputs:
diff --git a/.github/workflows/documentation-check.yml b/.github/workflows/documentation-check.yml
index 028d27643d..7e24718012 100644
--- a/.github/workflows/documentation-check.yml
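Review bot: The layout of the new `permissions:` stanza is inconsistent across the commit: deb_validator.yaml here (and metabox.yaml further down) add a blank line between `contents: read` and `on:`, pr_validation.yaml adds one before `jobs:`, while the remaining files put `permissions:` directly against `on:` with the old blank line removed. Pick the majority form, `permissions:` / `  contents: read` / `on:`, for these three as well, so the top-of-file stanza looks the same in every workflow and future bulk edits diff cleanly.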
+++ b/.github/workflows/documentation-check.yml
@@ -1,5 +1,6 @@
 name: Automatic documentation checks
-
+permissions:
+ contents: read
 on:
 pull_request:
 paths:
diff --git a/.github/workflows/label-cert-blocker-issue.yaml b/.github/workflows/label-cert-blocker-issue.yaml
index 8aab317916..35da4c8ff4 100644
--- a/.github/workflows/label-cert-blocker-issue.yaml
+++ b/.github/workflows/label-cert-blocker-issue.yaml
@@ -1,5 +1,4 @@
 name: Label issue related to cert-blocker test cases
-
 on:
 issues:
 types: [opened]
diff --git a/.github/workflows/metabox.yaml b/.github/workflows/metabox.yaml
index 581785f569..11d77b32a8 100644
--- a/.github/workflows/metabox.yaml
+++ b/.github/workflows/metabox.yaml
@@ -1,5 +1,8 @@
 name: Run Metabox when PR is approved
+permissions:
+ contents: read
+
 on:
 pull_request_review:
 types: [submitted]
diff --git a/.github/workflows/pr_validation.yaml b/.github/workflows/pr_validation.yaml
index 143c471d1f..6f0b0cb1a9 100644
--- a/.github/workflows/pr_validation.yaml
+++ b/.github/workflows/pr_validation.yaml
@@ -1,10 +1,13 @@
 name: PR Validation
+permissions:
+ contents: read
 on:
 pull_request:
 types:
 - opened
 - synchronize
 - edited
+
 jobs:
 validate_title:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/testflinger-contrib-dss-regression.yaml b/.github/workflows/testflinger-contrib-dss-regression.yaml
index a3dbdd67ee..2623def176 100644
--- a/.github/workflows/testflinger-contrib-dss-regression.yaml
+++ b/.github/workflows/testflinger-contrib-dss-regression.yaml
@@ -1,4 +1,6 @@
 name: Data Science Stack (DSS) Regression Testing
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 # schedule:
diff --git a/.github/workflows/tox-checkbox-ng.yaml b/.github/workflows/tox-checkbox-ng.yaml
index ac8f851f8f..ff570fecd5 100644
--- a/.github/workflows/tox-checkbox-ng.yaml
+++ b/.github/workflows/tox-checkbox-ng.yaml
@@ -1,5 +1,6 @@
 name: Test checkbox-ng with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-checkbox-support.yaml b/.github/workflows/tox-checkbox-support.yaml
index 9962919e4d..1ffe7ec349 100644
--- a/.github/workflows/tox-checkbox-support.yaml
+++ b/.github/workflows/tox-checkbox-support.yaml
@@ -1,5 +1,6 @@
 name: Test checkbox-support with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-contrib-pc-sanity.yaml b/.github/workflows/tox-contrib-pc-sanity.yaml
index 958d6c6e16..fb23840f59 100644
--- a/.github/workflows/tox-contrib-pc-sanity.yaml
+++ b/.github/workflows/tox-contrib-pc-sanity.yaml
@@ -1,5 +1,6 @@
 name: Test pc-sanity (from contrib area) with tox
-
+permissions:
+ contents: read
 on:
 workflow_dispatch:
diff --git a/.github/workflows/tox-contrib-provider-ce-oem.yaml b/.github/workflows/tox-contrib-provider-ce-oem.yaml
index 99e05be712..938f58061e 100644
--- a/.github/workflows/tox-contrib-provider-ce-oem.yaml
+++ b/.github/workflows/tox-contrib-provider-ce-oem.yaml
@@ -1,5 +1,6 @@
 name: Test provider-ce-oem (from contrib area) with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-contrib-provider-dss.yaml b/.github/workflows/tox-contrib-provider-dss.yaml
index c0a26722f2..61cd5073f4 100644
--- a/.github/workflows/tox-contrib-provider-dss.yaml
+++ b/.github/workflows/tox-contrib-provider-dss.yaml
@@ -1,5 +1,6 @@
 name: Test checkbox-provider-dss (from contrib area) with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-base.yaml b/.github/workflows/tox-provider-base.yaml
index accd5ecb6c..f979c795c3 100644
--- a/.github/workflows/tox-provider-base.yaml
+++ b/.github/workflows/tox-provider-base.yaml
@@ -1,5 +1,6 @@
 name: Test provider-base with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-certification-client.yaml b/.github/workflows/tox-provider-certification-client.yaml
index 8f1eb313da..4049c561b2 100644
--- a/.github/workflows/tox-provider-certification-client.yaml
+++ b/.github/workflows/tox-provider-certification-client.yaml
@@ -1,5 +1,6 @@
 name: Test provider-certification-client with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-certification-server.yaml b/.github/workflows/tox-provider-certification-server.yaml
index 736053c751..830901c088 100644
--- a/.github/workflows/tox-provider-certification-server.yaml
+++ b/.github/workflows/tox-provider-certification-server.yaml
@@ -1,5 +1,6 @@
 name: Test provider-certification-server with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-docker.yaml b/.github/workflows/tox-provider-docker.yaml
index 6ea7bbbf78..4de5578ca4 100644
--- a/.github/workflows/tox-provider-docker.yaml
+++ b/.github/workflows/tox-provider-docker.yaml
@@ -1,5 +1,6 @@
 name: Test provider-docker with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-genio.yaml b/.github/workflows/tox-provider-genio.yaml
index ce6b911956..2d968245f0 100644
--- a/.github/workflows/tox-provider-genio.yaml
+++ b/.github/workflows/tox-provider-genio.yaml
@@ -1,5 +1,6 @@
 name: Test provider-genio with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-gpgpu.yaml b/.github/workflows/tox-provider-gpgpu.yaml
index aae3819e82..0073e80ff4 100644
--- a/.github/workflows/tox-provider-gpgpu.yaml
+++ b/.github/workflows/tox-provider-gpgpu.yaml
@@ -1,5 +1,6 @@
 name: Test provider-gpgpu with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-iiotg.yaml b/.github/workflows/tox-provider-iiotg.yaml
index df4d2208fc..3050022507 100644
--- a/.github/workflows/tox-provider-iiotg.yaml
+++ b/.github/workflows/tox-provider-iiotg.yaml
@@ -1,5 +1,6 @@
 name: Test Intel IOTG provider with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-resource.yaml b/.github/workflows/tox-provider-resource.yaml
index fbf48a7e6d..fccce30f1f 100644
--- a/.github/workflows/tox-provider-resource.yaml
+++ b/.github/workflows/tox-provider-resource.yaml
@@ -1,5 +1,6 @@
 name: Test provider-resource with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-sru.yaml b/.github/workflows/tox-provider-sru.yaml
index 5803fdf2b1..128e25d582 100644
--- a/.github/workflows/tox-provider-sru.yaml
+++ b/.github/workflows/tox-provider-sru.yaml
@@ -1,5 +1,6 @@
 name: Test provider-sru with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-tpm2.yaml b/.github/workflows/tox-provider-tpm2.yaml
index a016c322db..77f9f74e29 100644
--- a/.github/workflows/tox-provider-tpm2.yaml
+++ b/.github/workflows/tox-provider-tpm2.yaml
@@ -1,5 +1,6 @@
 name: Test provider-tpm2 with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-provider-tutorial.yaml b/.github/workflows/tox-provider-tutorial.yaml
index 5dbc87d25a..5ab9420bef 100644
--- a/.github/workflows/tox-provider-tutorial.yaml
+++ b/.github/workflows/tox-provider-tutorial.yaml
@@ -1,5 +1,6 @@
 name: Test provider-tutorial with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/tox-tools-release.yaml b/.github/workflows/tox-tools-release.yaml
index 2b1198ac35..33ef21c635 100644
--- a/.github/workflows/tox-tools-release.yaml
+++ b/.github/workflows/tox-tools-release.yaml
@@ -1,5 +1,6 @@
 name: Test release tools with tox
-
+permissions:
+ contents: read
 on:
 push:
 branches: [ main ]
diff --git a/.github/workflows/validate_workflows.yaml b/.github/workflows/validate_workflows.yaml
index f38b94cfdd..87f891ab2e 100644
--- a/.github/workflows/validate_workflows.yaml
+++ b/.github/workflows/validate_workflows.yaml
@@ -1,5 +1,6 @@
 name: Workflow validation
-
+permissions:
+ contents: read
 on:
 push:
 paths:
@@ -35,7 +36,7 @@ jobs:
 uses: baptiste0928/cargo-install@v3
 with:
 crate: zizmor
- version: '0.10.0'
+ version: '1.4.1'
 - name: Scan all workflows
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}