diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 38085d8..ef75392 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -52,20 +52,28 @@ on:
 jobs:
 lint:
 uses: heathcliff26/ci/.github/workflows/golang-lint.yaml@main
+ permissions:
+ contents: read
 unit-tests:
 uses: heathcliff26/ci/.github/workflows/golang-unit-tests.yaml@main
+ permissions:
+ contents: read
 with:
 coveralls: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
 validate:
 uses: heathcliff26/ci/.github/workflows/golang-build.yaml@main
+ permissions:
+ contents: read
 with:
 cache: false
 cmd: "make validate"
 e2e:
 uses: heathcliff26/ci/.github/workflows/golang-unit-tests.yaml@main
+ permissions:
+ contents: read
 needs:
 - lint
 - unit-tests
@@ -78,6 +86,8 @@ jobs:
 build-fleetctl:
 uses: heathcliff26/ci/.github/workflows/golang-build.yaml@main
+ permissions:
+ contents: read
 needs:
 - lint
 - unit-tests
@@ -116,6 +126,8 @@ jobs:
 build-manifests:
 uses: heathcliff26/ci/.github/workflows/golang-build.yaml@main
 if: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
+ permissions:
+ contents: read
 needs:
 - validate
 with:
diff --git a/.github/workflows/editorconfig-check.yaml b/.github/workflows/editorconfig-check.yaml
index d23616c..3c5fc00 100644
--- a/.github/workflows/editorconfig-check.yaml
+++ b/.github/workflows/editorconfig-check.yaml
@@ -13,3 +13,5 @@ on:
 jobs:
 check-editorconfig:
 uses: heathcliff26/ci/.github/workflows/editorconfig-check.yaml@main
+ permissions:
+ contents: read
diff --git a/.github/workflows/go-testcover-report.yaml b/.github/workflows/go-testcover-report.yaml
index 939dc20..52adb18 100644
--- a/.github/workflows/go-testcover-report.yaml
+++ b/.github/workflows/go-testcover-report.yaml
@@ -10,5 +10,6 @@ jobs:
 generate-reports:
 uses: heathcliff26/ci/.github/workflows/golang-testcover-report.yaml@main
 secrets: inherit
+ permissions: {}
 with:
 coveralls: true
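Review bot: The same `permissions:` / `contents: read` pair is repeated on every `uses:` job in this hunk and again in the `build-fleetctl` and `build-manifests` hunks below; unless the workflow already declares a top-level `permissions` block (the hunk starts at line 52, so the head of the file is not visible), a single workflow-level `permissions:` with `contents: read` would set the same default for every job and leave per-job overrides only for jobs that need more. The effective token scope also depends on what the called workflow does with it, and every `uses:` line here points at the mutable `@main` ref of `heathcliff26/ci`; pinning those references to a commit SHA would make the hardening this commit adds reproducible rather than dependent on whatever `main` currently contains. The `jobs:` mapping continues past the end of the hunk.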
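Review bot: `permissions: {}` on `generate-reports` does not narrow the `secrets: inherit` on the line above it, so the called workflow still receives every repository and organization secret while its `GITHUB_TOKEN` gets no scopes; if the report only needs a coverage-service token, replace `secrets: inherit` with an explicit mapping such as `secrets:` / `<SECRET_NAME>: ${{ secrets.<SECRET_NAME> }}` (placeholder name). The same `secrets: inherit` plus `permissions: {}` combination appears in the `check-links` hunk of `link-check.yaml`. Whether the called workflow needs `contents: read` (for example to check out the sources it reports on) cannot be told from this hunk; the other workflows in this commit grant it, so it is worth confirming the run still succeeds with the empty block.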
diff --git a/.github/workflows/label-check.yaml b/.github/workflows/label-check.yaml
index e066dbc..563daef 100644
--- a/.github/workflows/label-check.yaml
+++ b/.github/workflows/label-check.yaml
@@ -13,6 +13,6 @@ on:
 jobs:
 check-labels:
+ uses: heathcliff26/ci/.github/workflows/label-check.yaml@main
 permissions:
 pull-requests: read
- uses: heathcliff26/ci/.github/workflows/label-check.yaml@main
diff --git a/.github/workflows/link-check.yaml b/.github/workflows/link-check.yaml
index 9bfa3b2..5d80666 100644
--- a/.github/workflows/link-check.yaml
+++ b/.github/workflows/link-check.yaml
@@ -10,5 +10,6 @@ jobs:
 check-links:
 uses: heathcliff26/ci/.github/workflows/link-check.yaml@main
 secrets: inherit
+ permissions: {}
 with:
 exclude-paths: "vendor"
diff --git a/.github/workflows/renovate-config-validator.yaml b/.github/workflows/renovate-config-validator.yaml
index 60a14b4..a76879c 100644
--- a/.github/workflows/renovate-config-validator.yaml
+++ b/.github/workflows/renovate-config-validator.yaml
@@ -20,3 +20,5 @@ on:
 jobs:
 validate-renovate-config:
 uses: heathcliff26/ci/.github/workflows/renovate-config-validator.yaml@main
+ permissions:
+ contents: read
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 0b6a5e2..5e248a5 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -27,6 +27,7 @@ env:
 jobs:
 prepare:
 runs-on: ubuntu-latest
+ permissions: {}
 outputs:
 dry-run: ${{ steps.config.outputs.dry-run }}
 log-level: "${{ steps.config.outputs.log-level }}"
@@ -40,6 +41,7 @@ jobs:
 renovate:
 needs: prepare
 uses: heathcliff26/ci/.github/workflows/renovate.yaml@main
+ permissions: {}
 with:
 dry-run: ${{ needs.prepare.outputs.dry-run }}
 log-level: "${{ needs.prepare.outputs.log-level }}"
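Review bot: `permissions: {}` is added to the `prepare` job, but that job's `steps:` lie outside the hunk, so it is not visible whether any step (a checkout, or anything that reads `GITHUB_TOKEN`) depends on scopes the empty block now removes; confirm that, or record the expectation in a comment such as `# no GITHUB_TOKEN scopes needed: this job only computes outputs`. The second hunk gives the reusable `renovate` call the same empty block; since Renovate typically needs to open pull requests, this is only correct if the called workflow authenticates with a credential supplied another way (a `secrets:` mapping would sit below the end of the hunk and is not visible here), and a one-line comment stating that would save the next reader the same check. Both jobs continue past the end of their hunks.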