diff --git a/.github/workflows/appengine-analytics.yaml b/.github/workflows/appengine-analytics.yaml index aaf5df0305..2d148c80e4 100644 --- a/.github/workflows/appengine-analytics.yaml +++ b/.github/workflows/appengine-analytics.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-analytics' path: 'appengine/analytics' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/appengine-building-an-app-build.yaml b/.github/workflows/appengine-building-an-app-build.yaml index 6a87f850f6..af3476fd85 100644 --- a/.github/workflows/appengine-building-an-app-build.yaml +++ b/.github/workflows/appengine-building-an-app-build.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-building-an-app-build' path: 'appengine/building-an-app/build' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] 
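Review bot: The `remove_label` job gets the same `contents: 'read'` / `id-token: 'write'` block as `test`, but removing a PR label normally needs `pull-requests: 'write'` (or `issues: 'write'`), and a caller job's `permissions` cap what the called workflow's GITHUB_TOKEN can do. Unless `remove-label.yaml` uses a different token (it is not shown in this diff), label removal would start failing with a 403, while the job holds an OIDC grant it probably never uses. I would give `remove_label` only `pull-requests: 'write'` and keep `id-token: 'write'` on the jobs whose reusable workflow actually authenticates to the cloud; whether `flakybot` is one of them should be checked against `flakybot.yaml`. The same block is repeated in the `@@ -33,18 +33,27 @@` hunk of every other per-sample workflow in this diff.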
diff --git a/.github/workflows/appengine-building-an-app-update.yaml b/.github/workflows/appengine-building-an-app-update.yaml index d6d32e14ce..6e231af758 100644 --- a/.github/workflows/appengine-building-an-app-update.yaml +++ b/.github/workflows/appengine-building-an-app-update.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-building-an-app-update' path: 'appengine/building-an-app/update' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/appengine-datastore.yaml b/.github/workflows/appengine-datastore.yaml index 410654f4a5..fb253cc651 100644 --- a/.github/workflows/appengine-datastore.yaml +++ b/.github/workflows/appengine-datastore.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-datastore' path: 'appengine/datastore' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] 
diff --git a/.github/workflows/appengine-endpoints.yaml b/.github/workflows/appengine-endpoints.yaml index a26abb28b2..ebb305a425 100644 --- a/.github/workflows/appengine-endpoints.yaml +++ b/.github/workflows/appengine-endpoints.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-endpoints' path: 'appengine/endpoints' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/appengine-hello-world-flexible.yaml b/.github/workflows/appengine-hello-world-flexible.yaml index 6f09cba867..7348544787 100644 --- a/.github/workflows/appengine-hello-world-flexible.yaml +++ b/.github/workflows/appengine-hello-world-flexible.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-hello-world-flexible' path: 'appengine/hello-world/flexible' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] 
diff --git a/.github/workflows/appengine-hello-world-standard.yaml b/.github/workflows/appengine-hello-world-standard.yaml index 108f0d946b..5ce145f859 100644 --- a/.github/workflows/appengine-hello-world-standard.yaml +++ b/.github/workflows/appengine-hello-world-standard.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-hello-world-standard' path: 'appengine/hello-world/standard' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/appengine-memcached.yaml b/.github/workflows/appengine-memcached.yaml index 0006a37c63..693cadf009 100644 --- a/.github/workflows/appengine-memcached.yaml +++ b/.github/workflows/appengine-memcached.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-memcached' path: 'appengine/memcached' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] 
diff --git a/.github/workflows/appengine-metadata-flexible.yaml b/.github/workflows/appengine-metadata-flexible.yaml index c17d84512d..97029cc28e 100644 --- a/.github/workflows/appengine-metadata-flexible.yaml +++ b/.github/workflows/appengine-metadata-flexible.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-metadata-flexible' path: 'appengine/metadata/flexible' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/appengine-metadata-standard.yaml b/.github/workflows/appengine-metadata-standard.yaml index 666bee9d55..401d789b3b 100644 --- a/.github/workflows/appengine-metadata-standard.yaml +++ b/.github/workflows/appengine-metadata-standard.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-metadata-standard' path: 'appengine/metadata/standard' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] 
diff --git a/.github/workflows/appengine-pubsub.yaml b/.github/workflows/appengine-pubsub.yaml index 0d66effb61..c41b95f03c 100644 --- a/.github/workflows/appengine-pubsub.yaml +++ b/.github/workflows/appengine-pubsub.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-pubsub' path: 'appengine/pubsub' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/appengine-static-files.yaml b/.github/workflows/appengine-static-files.yaml index a127b5bd7b..a0df7b7abd 100644 --- a/.github/workflows/appengine-static-files.yaml +++ b/.github/workflows/appengine-static-files.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-static-files' path: 'appengine/static-files' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] 
diff --git a/.github/workflows/appengine-storage-flexible.yaml b/.github/workflows/appengine-storage-flexible.yaml index 0cb34103f0..f22722156b 100644 --- a/.github/workflows/appengine-storage-flexible.yaml +++ b/.github/workflows/appengine-storage-flexible.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-storage-flexible' path: 'appengine/storage/flexible' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/appengine-storage-standard.yaml b/.github/workflows/appengine-storage-standard.yaml index f4b3e28a8f..b1e4e7843b 100644 --- a/.github/workflows/appengine-storage-standard.yaml +++ b/.github/workflows/appengine-storage-standard.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-storage-standard' path: 'appengine/storage/standard' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] 
diff --git a/.github/workflows/appengine-twilio.yaml b/.github/workflows/appengine-twilio.yaml index 533f667f34..1b742fbbfb 100644 --- a/.github/workflows/appengine-twilio.yaml +++ b/.github/workflows/appengine-twilio.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-twilio' path: 'appengine/twilio' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/appengine-typescript.yaml b/.github/workflows/appengine-typescript.yaml index cd0722c755..fee947734c 100644 --- a/.github/workflows/appengine-typescript.yaml +++ b/.github/workflows/appengine-typescript.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-typescript' path: 'appengine/typescript' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] 
diff --git a/.github/workflows/appengine-websockets.yaml b/.github/workflows/appengine-websockets.yaml index fd21c0f141..27c2d2df5b 100644 --- a/.github/workflows/appengine-websockets.yaml +++ b/.github/workflows/appengine-websockets.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'appengine-websockets' path: 'appengine/websockets' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/asset-snippets.yaml b/.github/workflows/asset-snippets.yaml index 579d0487c4..cda5bbb27d 100644 --- a/.github/workflows/asset-snippets.yaml +++ b/.github/workflows/asset-snippets.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'asset-snippets' path: 'asset/snippets' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/auth.yaml b/.github/workflows/auth.yaml index 3fa2c589c6..e364ce5f24 100644 
--- a/.github/workflows/auth.yaml +++ b/.github/workflows/auth.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'auth' path: 'auth' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/batch.yaml b/.github/workflows/batch.yaml index 9b5bb6a630..770feb2e94 100644 --- a/.github/workflows/batch.yaml +++ b/.github/workflows/batch.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'batch' path: 'batch' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e19a98daa9..781385c9ff 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -20,6 +20,9 @@ on: name: ci jobs: lint: + permissions: + contents: 'read' + id-token: 'write' runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 
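Review bot: `id-token: 'write'` on the `lint` job of `ci.yaml` (and on `docs` and `region-tags` in the next two hunks) looks unnecessary: the visible steps only check out the repository and run `npm install` / `npm run lint` or a Markdown link check, and none of them requests an OIDC token. With the grant in place, any code running in the job, including `npm install` lifecycle scripts, can mint a token for the repository's identity, so the only remaining barrier is how tightly the cloud-side trust policy is scoped. I would reduce these three jobs to a `permissions:` block holding only `contents: 'read'`. The job bodies continue outside the hunks, so confirm first that no later step authenticates with OIDC.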
@@ -29,6 +32,9 @@ jobs: - run: npm install - run: npm run lint docs: + permissions: + contents: 'read' + id-token: 'write' runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 @@ -37,6 +43,9 @@ jobs: paths: "**/*.md" linksToSkip: "localhost" region-tags: + permissions: + contents: 'read' + id-token: 'write' runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/.github/workflows/cloud-language.yaml b/.github/workflows/cloud-language.yaml index cc3ca78837..e010226453 100644 --- a/.github/workflows/cloud-language.yaml +++ b/.github/workflows/cloud-language.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'cloud-language' path: 'cloud-language' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/cloud-tasks-snippets.yaml b/.github/workflows/cloud-tasks-snippets.yaml index 793f0e93f0..a240c307b3 100644 --- a/.github/workflows/cloud-tasks-snippets.yaml +++ b/.github/workflows/cloud-tasks-snippets.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'cloud-tasks-snippets' path: 'cloud-tasks/snippets' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/cloud-tasks-tutorial-gcf-app.yaml b/.github/workflows/cloud-tasks-tutorial-gcf-app.yaml index 6f09768c2e..0333f350e4 100644 --- a/.github/workflows/cloud-tasks-tutorial-gcf-app.yaml +++ b/.github/workflows/cloud-tasks-tutorial-gcf-app.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'cloud-tasks-tutorial-gcf-app' path: 'cloud-tasks/tutorial-gcf/app' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/cloud-tasks-tutorial-gcf-function.yaml b/.github/workflows/cloud-tasks-tutorial-gcf-function.yaml index d0ed79fa0e..71e3edbb80 100644 --- a/.github/workflows/cloud-tasks-tutorial-gcf-function.yaml 
+++ b/.github/workflows/cloud-tasks-tutorial-gcf-function.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'cloud-tasks-tutorial-gcf-function' path: 'cloud-tasks/tutorial-gcf/function' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/cloudbuild.yaml b/.github/workflows/cloudbuild.yaml index 8884a5359f..48c7a6a781 100644 --- a/.github/workflows/cloudbuild.yaml +++ b/.github/workflows/cloudbuild.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'cloudbuild' path: 'cloudbuild' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/composer-functions-composer-storage-trigger.yaml b/.github/workflows/composer-functions-composer-storage-trigger.yaml index daede79c6c..d47bf81c9a 100644 --- a/.github/workflows/composer-functions-composer-storage-trigger.yaml 
+++ b/.github/workflows/composer-functions-composer-storage-trigger.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'composer-functions-composer-storage-trigger' path: 'composer/functions/composer-storage-trigger' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/composer.yaml b/.github/workflows/composer.yaml index bb949c47cb..1c838a2547 100644 --- a/.github/workflows/composer.yaml +++ b/.github/workflows/composer.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'composer' path: 'composer' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/compute.yaml b/.github/workflows/compute.yaml index 1c4088ce9a..aaa5676b00 100644 --- a/.github/workflows/compute.yaml +++ b/.github/workflows/compute.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'compute' path: 'compute' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/contact-center-insights.yaml b/.github/workflows/contact-center-insights.yaml index db6d120795..87eedabbb3 100644 --- a/.github/workflows/contact-center-insights.yaml +++ b/.github/workflows/contact-center-insights.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'contact-center-insights' path: 'contact-center-insights' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/container-analysis-snippets.yaml b/.github/workflows/container-analysis-snippets.yaml index 7c08b7d8ea..0b55c14757 100644 --- a/.github/workflows/container-analysis-snippets.yaml +++ b/.github/workflows/container-analysis-snippets.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'container-analysis-snippets' path: 'container-analysis/snippets' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml index a08c797487..f56ec5f323 100644 --- a/.github/workflows/container.yaml +++ b/.github/workflows/container.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'container' path: 'container/' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/datacatalog-cloud-client.yaml b/.github/workflows/datacatalog-cloud-client.yaml index 6002f28ec7..3684369c82 100644 --- a/.github/workflows/datacatalog-cloud-client.yaml +++ b/.github/workflows/datacatalog-cloud-client.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'datacatalog-cloud-client' path: 'datacatalog/cloud-client' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/datacatalog-quickstart.yaml b/.github/workflows/datacatalog-quickstart.yaml index 9fee7472bb..490b69d7d2 100644 --- a/.github/workflows/datacatalog-quickstart.yaml +++ b/.github/workflows/datacatalog-quickstart.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'datacatalog-quickstart' path: 'datacatalog/quickstart' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/datacatalog-snippets.yaml b/.github/workflows/datacatalog-snippets.yaml index e807c43025..eae469c427 100644 --- a/.github/workflows/datacatalog-snippets.yaml +++ b/.github/workflows/datacatalog-snippets.yaml 
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'datacatalog-snippets'
 path: 'datacatalog/snippets'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/datalabeling.yaml b/.github/workflows/datalabeling.yaml
index 6564fce8b8..c0a11a60ab 100644
--- a/.github/workflows/datalabeling.yaml
+++ b/.github/workflows/datalabeling.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'datalabeling'
 path: 'datalabeling'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/dataproc.yaml b/.github/workflows/dataproc.yaml
index c054fee96c..3a5ce4cf4a 100644
--- a/.github/workflows/dataproc.yaml
+++ b/.github/workflows/dataproc.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'dataproc'
 path: 'dataproc'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/datastore-functions.yaml b/.github/workflows/datastore-functions.yaml
index 1976152972..228690b8b2 100644
--- a/.github/workflows/datastore-functions.yaml
+++ b/.github/workflows/datastore-functions.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'datastore-functions'
 path: 'datastore/functions'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/dialogflow-cx.yaml b/.github/workflows/dialogflow-cx.yaml
index c927548f1b..31e8dec3fc 100644
--- a/.github/workflows/dialogflow-cx.yaml
+++ b/.github/workflows/dialogflow-cx.yaml
@@ -33,6 +33,9 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 runs-on: ubuntu-latest
 timeout-minutes: 120
@@ -99,12 +102,18 @@ jobs:
 path: dialogflow-cx/${{ env.MOCHA_REPORTER_OUTPUT }}
 retention-days: 1
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/dialogflow.yaml b/.github/workflows/dialogflow.yaml
index 1b985ac20d..10a4b1945d 100644
--- a/.github/workflows/dialogflow.yaml
+++ b/.github/workflows/dialogflow.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'dialogflow'
 path: 'dialogflow'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/discoveryengine.yaml b/.github/workflows/discoveryengine.yaml
index 4593c92952..5312ed9ced 100644
--- a/.github/workflows/discoveryengine.yaml
+++ b/.github/workflows/discoveryengine.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'discoveryengine'
 path: 'discoveryengine'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/dlp.yaml b/.github/workflows/dlp.yaml
index a2e9b4396b..4a0f41c8ab 100644
--- a/.github/workflows/dlp.yaml
+++ b/.github/workflows/dlp.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'dlp'
 path: 'dlp'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/document-ai.yaml b/.github/workflows/document-ai.yaml
index 50b6a5a126..b7f29caeb4 100644
--- a/.github/workflows/document-ai.yaml
+++ b/.github/workflows/document-ai.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'document-ai'
 path: 'document-ai'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/endpoints-getting-started-grpc.yaml b/.github/workflows/endpoints-getting-started-grpc.yaml
index 5c01ae8f2a..6c99ac2b65 100644
--- a/.github/workflows/endpoints-getting-started-grpc.yaml
+++ b/.github/workflows/endpoints-getting-started-grpc.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'endpoints-getting-started-grpc'
 path: 'endpoints/getting-started-grpc'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/endpoints-getting-started.yaml b/.github/workflows/endpoints-getting-started.yaml
index 9510fd6ae6..508bfae98f 100644
--- a/.github/workflows/endpoints-getting-started.yaml
+++ b/.github/workflows/endpoints-getting-started.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'endpoints-getting-started'
 path: 'endpoints/getting-started'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/error-reporting.yaml b/.github/workflows/error-reporting.yaml
index 210ebd053e..10d942a89d 100644
--- a/.github/workflows/error-reporting.yaml
+++ b/.github/workflows/error-reporting.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'error-reporting'
 path: 'error-reporting'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/eventarc-generic.yaml b/.github/workflows/eventarc-generic.yaml
index d49cf8cf8d..44a10b84af 100644
--- a/.github/workflows/eventarc-generic.yaml
+++ b/.github/workflows/eventarc-generic.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'eventarc-generic'
 path: 'eventarc/generic'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-concepts.yaml b/.github/workflows/functions-concepts.yaml
index 9e05009fb6..b6b55b1c22 100644
--- a/.github/workflows/functions-concepts.yaml
+++ b/.github/workflows/functions-concepts.yaml
@@ -33,6 +33,9 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 strategy:
 matrix:
@@ -49,9 +52,15 @@ jobs:
 name: 'functions-concepts'
 path: '${{ matrix.path }}'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always()
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-env_vars.yaml b/.github/workflows/functions-env_vars.yaml
index 6954632124..c793070170 100644
--- a/.github/workflows/functions-env_vars.yaml
+++ b/.github/workflows/functions-env_vars.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-env_vars'
 path: 'functions/env_vars'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-firebase.yaml b/.github/workflows/functions-firebase.yaml
index 5969420366..b4d9c60c1d 100644
--- a/.github/workflows/functions-firebase.yaml
+++ b/.github/workflows/functions-firebase.yaml
@@ -33,6 +33,9 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 strategy:
 matrix:
@@ -48,12 +51,18 @@ jobs:
 name: 'functions-firebase'
 path: '${{ matrix.path }}'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-helloworld.yaml b/.github/workflows/functions-helloworld.yaml
index 2468b5568d..2b2179d9de 100644
--- a/.github/workflows/functions-helloworld.yaml
+++ b/.github/workflows/functions-helloworld.yaml
@@ -33,6 +33,9 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 strategy:
 matrix:
@@ -47,9 +50,15 @@ jobs:
 name: 'functions-helloworld'
 path: '${{ matrix.path }}'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always()
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-http.yaml b/.github/workflows/functions-http.yaml
index ca8f75a855..6369c2efaa 100644
--- a/.github/workflows/functions-http.yaml
+++ b/.github/workflows/functions-http.yaml
@@ -33,6 +33,9 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 strategy:
 matrix:
@@ -46,9 +49,15 @@ jobs:
 name: 'functions-http'
 path: '${{ matrix.path }}'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always()
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-log-helloWorld.yaml b/.github/workflows/functions-log-helloWorld.yaml
index 0e1d135f17..836dc991a8 100644
--- a/.github/workflows/functions-log-helloWorld.yaml
+++ b/.github/workflows/functions-log-helloWorld.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-log-helloWorld'
 path: 'functions/log/helloWorld'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-log-processEntry.yaml b/.github/workflows/functions-log-processEntry.yaml
index c7965df781..85639ee7eb 100644
--- a/.github/workflows/functions-log-processEntry.yaml
+++ b/.github/workflows/functions-log-processEntry.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-log-processEntry'
 path: 'functions/log/processEntry'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-memorystore-redis.yaml b/.github/workflows/functions-memorystore-redis.yaml
index 11b099d98b..524e6a8232 100644
--- a/.github/workflows/functions-memorystore-redis.yaml
+++ b/.github/workflows/functions-memorystore-redis.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-memorystore-redis'
 path: 'functions/memorystore/redis'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-pubsub.yaml b/.github/workflows/functions-pubsub.yaml
index b470624f79..08790d321a 100644
--- a/.github/workflows/functions-pubsub.yaml
+++ b/.github/workflows/functions-pubsub.yaml
@@ -33,6 +33,9 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 strategy:
 matrix:
@@ -44,9 +47,15 @@ jobs:
 name: 'functions-pubsub'
 path: '${{ matrix.path }}'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always()
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-scheduleinstance.yaml b/.github/workflows/functions-scheduleinstance.yaml
index 02fa79bbbb..6ac196cef6 100644
--- a/.github/workflows/functions-scheduleinstance.yaml
+++ b/.github/workflows/functions-scheduleinstance.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-scheduleinstance'
 path: 'functions/scheduleinstance'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-security.yaml b/.github/workflows/functions-security.yaml
index 16058e2fa5..19a4446f09 100644
--- a/.github/workflows/functions-security.yaml
+++ b/.github/workflows/functions-security.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-security'
 path: 'functions/security'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-slack.yaml b/.github/workflows/functions-slack.yaml
index da23415269..c3798cb21b 100644
--- a/.github/workflows/functions-slack.yaml
+++ b/.github/workflows/functions-slack.yaml
@@ -98,12 +98,18 @@ jobs:
 path: functions/slack/${{ env.MOCHA_REPORTER_OUTPUT }}
 retention-days: 1
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-spanner.yaml b/.github/workflows/functions-spanner.yaml
index f5e8887630..5a45db2dd8 100644
--- a/.github/workflows/functions-spanner.yaml
+++ b/.github/workflows/functions-spanner.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-spanner'
 path: 'functions/spanner'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-speech-to-speech-functions.yaml b/.github/workflows/functions-speech-to-speech-functions.yaml
index a9a5229eb6..e652af6a5e 100644
--- a/.github/workflows/functions-speech-to-speech-functions.yaml
+++ b/.github/workflows/functions-speech-to-speech-functions.yaml
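Review bot: In functions-slack.yaml the only hunk opens at `@@ -98,12 +98,18 @@` with identical old and new start lines, so nothing was added above line 98 and the inline `test` job did not receive a `permissions` block, unlike the inline `test` job in dialogflow-cx.yaml. The `test` job itself lies outside the hunk, so it may already declare one; if it does not, it keeps whatever the workflow-level or repository default grants and is the one job in this commit left without an explicit scope. I would add `permissions:` with `contents: 'read'` and `id-token: 'write'` under `test:` here too, or note in the description why this file is the exception.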
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-speech-to-speech-functions'
 path: 'functions/speech-to-speech/functions'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-tips.yaml b/.github/workflows/functions-tips.yaml
index 640a3a9911..b3bbaa4528 100644
--- a/.github/workflows/functions-tips.yaml
+++ b/.github/workflows/functions-tips.yaml
@@ -33,6 +33,9 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 strategy:
 matrix:
@@ -48,9 +51,15 @@ jobs:
 name: 'functions-tips'
 path: '${{ matrix.path }}'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always()
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-v2-autolabelinstance.yaml b/.github/workflows/functions-v2-autolabelinstance.yaml
index a0e582abcf..e6ab834b06 100644
--- a/.github/workflows/functions-v2-autolabelinstance.yaml
+++ b/.github/workflows/functions-v2-autolabelinstance.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-v2-autoLabelInstance'
 path: 'functions/v2/autoLabelInstance'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-v2-cloudeventlogging.yaml b/.github/workflows/functions-v2-cloudeventlogging.yaml
index a97bfc6d31..3cdb797d21 100644
--- a/.github/workflows/functions-v2-cloudeventlogging.yaml
+++ b/.github/workflows/functions-v2-cloudeventlogging.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-v2-cloudEventLogging'
 path: 'functions/v2/cloudEventLogging'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-v2-firebase-firestore-helloFirestore.yaml b/.github/workflows/functions-v2-firebase-firestore-helloFirestore.yaml
index b007936a60..427e840c15 100644
--- a/.github/workflows/functions-v2-firebase-firestore-helloFirestore.yaml
+++ b/.github/workflows/functions-v2-firebase-firestore-helloFirestore.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-v2-firebase-firestore-helloFirestore'
 path: 'functions/v2/firebase/firestore/helloFirestore'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-v2-firebase-firestore-makeUpperCase.yaml b/.github/workflows/functions-v2-firebase-firestore-makeUpperCase.yaml
index d558243f2f..de6f8c5168 100644
--- a/.github/workflows/functions-v2-firebase-firestore-makeUpperCase.yaml
+++ b/.github/workflows/functions-v2-firebase-firestore-makeUpperCase.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-v2-firebase-firestore-makeUpperCase'
 path: 'functions/v2/firebase/firestore/makeUpperCase'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-v2-firebase-remote-config-helloRemoteConfig.yaml b/.github/workflows/functions-v2-firebase-remote-config-helloRemoteConfig.yaml
index c6c705c459..65f16dd78c 100644
--- a/.github/workflows/functions-v2-firebase-remote-config-helloRemoteConfig.yaml
+++ b/.github/workflows/functions-v2-firebase-remote-config-helloRemoteConfig.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-v2-firebase-remote-config-helloRemoteConfig'
 path: 'functions/v2/firebase/remote-config/helloRemoteConfig'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-v2-firebase-rtdb-helloRTDB.yaml b/.github/workflows/functions-v2-firebase-rtdb-helloRTDB.yaml
index 979d810a60..dc6bc49b6e 100644
--- a/.github/workflows/functions-v2-firebase-rtdb-helloRTDB.yaml
+++ b/.github/workflows/functions-v2-firebase-rtdb-helloRTDB.yaml
@@ -33,18 +33,27 @@ on:
 - cron: '0 0 * * 0'
 jobs:
 test:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
 uses: ./.github/workflows/test.yaml
 with:
 name: 'functions-v2-firebase-rtdb-helloRTDB'
 path: 'functions/v2/firebase/rtdb/helloRTDB'
 remove_label:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: |
 github.event.action == 'labeled' &&
 github.event.label.name == 'actions:force-run' &&
 always()
 uses: ./.github/workflows/remove-label.yaml
 flakybot:
+ permissions:
+ contents: 'read'
+ id-token: 'write'
 if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail
 uses: ./.github/workflows/flakybot.yaml
 needs: [test]
diff --git a/.github/workflows/functions-v2-helloauditlog.yaml b/.github/workflows/functions-v2-helloauditlog.yaml
index 1d5faa665d..f265b30d9d 100644
--- a/.github/workflows/functions-v2-helloauditlog.yaml
+++ b/.github/workflows/functions-v2-helloauditlog.yaml
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'functions-v2-helloAuditLog' path: 'functions/v2/helloAuditLog' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/functions-v2-hellobigquery.yaml b/.github/workflows/functions-v2-hellobigquery.yaml index ffcc80ba2b..b8499158d5 100644 --- a/.github/workflows/functions-v2-hellobigquery.yaml +++ b/.github/workflows/functions-v2-hellobigquery.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'functions-v2-helloBigQuery' path: 'functions/v2/helloBigQuery' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/functions-v2-hellogcs.yaml b/.github/workflows/functions-v2-hellogcs.yaml index 672136fb97..04fa27d186 100644 --- a/.github/workflows/functions-v2-hellogcs.yaml +++ b/.github/workflows/functions-v2-hellogcs.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'functions-v2-helloGCS' path: 'functions/v2/helloGCS' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/functions-v2-hellopubsub.yaml b/.github/workflows/functions-v2-hellopubsub.yaml index ab74e08e16..9791908d90 100644 --- a/.github/workflows/functions-v2-hellopubsub.yaml +++ b/.github/workflows/functions-v2-hellopubsub.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'functions-v2-helloPubSub' path: 'functions/v2/helloPubSub' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/functions-v2-httplogging.yaml b/.github/workflows/functions-v2-httplogging.yaml index bb37c17388..ea35fa088d 100644 --- a/.github/workflows/functions-v2-httplogging.yaml +++ b/.github/workflows/functions-v2-httplogging.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'functions-v2-httpLogging' path: 'functions/v2/httpLogging' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/functions-v2-log-processEntry.yaml b/.github/workflows/functions-v2-log-processEntry.yaml index 4b07d363db..9a21ae9c89 100644 --- a/.github/workflows/functions-v2-log-processEntry.yaml +++ b/.github/workflows/functions-v2-log-processEntry.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'functions-v2-log-processEntry' path: 'functions/v2/log/processEntry' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/functions-v2-ocr-app.yaml b/.github/workflows/functions-v2-ocr-app.yaml index b27a32e108..e2026edc20 100644 --- a/.github/workflows/functions-v2-ocr-app.yaml +++ b/.github/workflows/functions-v2-ocr-app.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'functions-v2-ocr-app' path: 'functions/v2/ocr/app' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/functions-v2-tips-avoidInfiniteRetries.yaml b/.github/workflows/functions-v2-tips-avoidInfiniteRetries.yaml index 66351d9b64..fc4452014f 100644 --- a/.github/workflows/functions-v2-tips-avoidInfiniteRetries.yaml +++ b/.github/workflows/functions-v2-tips-avoidInfiniteRetries.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'functions-v2-tips-avoidInfiniteRetries' path: 'functions/v2/tips/avoidInfiniteRetries' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/functions-v2-tips-retry.yaml b/.github/workflows/functions-v2-tips-retry.yaml index 878cc4d0ac..fed5c76e1c 100644 --- a/.github/workflows/functions-v2-tips-retry.yaml 
+++ b/.github/workflows/functions-v2-tips-retry.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'functions-v2-tips-retry' path: 'functions/v2/tips/retry' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/game-servers-snippets.yaml b/.github/workflows/game-servers-snippets.yaml index ed1dd6a6e5..89f6050e53 100644 --- a/.github/workflows/game-servers-snippets.yaml +++ b/.github/workflows/game-servers-snippets.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'game-servers-snippets' path: 'game-servers/snippets' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/healthcare-consent.yaml b/.github/workflows/healthcare-consent.yaml index 3dbb4c7ae6..d5df8bc7ae 100644 --- a/.github/workflows/healthcare-consent.yaml +++ b/.github/workflows/healthcare-consent.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'healthcare-consent' path: 'healthcare/consent' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/healthcare-datasets.yaml b/.github/workflows/healthcare-datasets.yaml index c8617a0730..0a33150d47 100644 --- a/.github/workflows/healthcare-datasets.yaml +++ b/.github/workflows/healthcare-datasets.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'healthcare-datasets' path: 'healthcare/datasets' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/healthcare-dicom.yaml b/.github/workflows/healthcare-dicom.yaml index 864700088e..b15905206c 100644 --- a/.github/workflows/healthcare-dicom.yaml +++ b/.github/workflows/healthcare-dicom.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'healthcare-dicom' path: 'healthcare/dicom' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/healthcare-fhir.yaml b/.github/workflows/healthcare-fhir.yaml index e5a86cb627..cf96df5748 100644 --- a/.github/workflows/healthcare-fhir.yaml +++ b/.github/workflows/healthcare-fhir.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'healthcare-fhir' path: 'healthcare/fhir' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/healthcare-hl7v2.yaml b/.github/workflows/healthcare-hl7v2.yaml index 11b5cb0a03..1b3bfa7ad1 100644 --- a/.github/workflows/healthcare-hl7v2.yaml +++ b/.github/workflows/healthcare-hl7v2.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'healthcare-hl7v2' path: 'healthcare/hl7v2' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/kms.yaml b/.github/workflows/kms.yaml index 027166b686..64d03b6828 100644 --- a/.github/workflows/kms.yaml +++ b/.github/workflows/kms.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'kms' path: 'kms' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/media-livestream.yaml b/.github/workflows/media-livestream.yaml index f1f62fc7bc..40eb3e0144 100644 --- a/.github/workflows/media-livestream.yaml +++ b/.github/workflows/media-livestream.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'media-livestream' path: 'media/livestream' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/media-transcoder.yaml b/.github/workflows/media-transcoder.yaml index 9d4f40f31f..bca88f78d1 100644 --- a/.github/workflows/media-transcoder.yaml +++ b/.github/workflows/media-transcoder.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'media-transcoder' path: 'media/transcoder' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/media-video-stitcher.yaml b/.github/workflows/media-video-stitcher.yaml index f2fa9ceda6..f3ee494f7e 100644 --- a/.github/workflows/media-video-stitcher.yaml +++ b/.github/workflows/media-video-stitcher.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'media-video-stitcher' path: 'media/video-stitcher' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/mediatranslation.yaml b/.github/workflows/mediatranslation.yaml index 993b1756bb..5633e060f3 100644 --- a/.github/workflows/mediatranslation.yaml +++ b/.github/workflows/mediatranslation.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'mediatranslation' path: 'mediatranslation' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/monitoring-opencensus.yaml b/.github/workflows/monitoring-opencensus.yaml index 7a1494e558..11a4fad598 100644 --- a/.github/workflows/monitoring-opencensus.yaml +++ b/.github/workflows/monitoring-opencensus.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'monitoring-opencensus' path: 'monitoring/opencensus' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/monitoring-prometheus.yaml b/.github/workflows/monitoring-prometheus.yaml index 4c10e892bb..38aafa994b 100644 --- a/.github/workflows/monitoring-prometheus.yaml +++ b/.github/workflows/monitoring-prometheus.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'monitoring-prometheus' path: 'monitoring/prometheus' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/monitoring-snippets.yaml b/.github/workflows/monitoring-snippets.yaml index 0a06ce8732..ad36c35bc8 100644 --- a/.github/workflows/monitoring-snippets.yaml +++ b/.github/workflows/monitoring-snippets.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'monitoring-snippets' path: 'monitoring/snippets' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/opencensus.yaml b/.github/workflows/opencensus.yaml index 09e07227a6..91cbad30b3 100644 --- a/.github/workflows/opencensus.yaml +++ b/.github/workflows/opencensus.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'opencensus' path: 'opencensus' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/recaptcha-enterprise.yaml b/.github/workflows/recaptcha-enterprise.yaml index 12fdf412b5..eab5ccb5a3 100644 --- a/.github/workflows/recaptcha-enterprise.yaml +++ b/.github/workflows/recaptcha-enterprise.yaml 
@@ -33,15 +33,24 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'recaptchaenterprise' path: 'recaptcha_enterprise/snippets' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/remove-label.yaml b/.github/workflows/remove-label.yaml index 823156fabb..27279e3b97 100644 --- a/.github/workflows/remove-label.yaml +++ b/.github/workflows/remove-label.yaml @@ -19,6 +19,9 @@ on: jobs: remove_label: + permissions: + contents: 'read' + id-token: 'write' runs-on: ubuntu-latest timeout-minutes: 5 steps: diff --git a/.github/workflows/retail.yaml b/.github/workflows/retail.yaml index a51053fe1a..c2cc85a1d0 100644 --- a/.github/workflows/retail.yaml +++ b/.github/workflows/retail.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'retail' path: 'retail' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] 
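Review bot: In remove-label.yaml the new job-level `permissions` block sets every scope it does not list to `none`, which leaves the `remove_label` job with no write access to issues or pull requests. The steps are outside this hunk, but if they remove the label (presumably `actions:force-run`) with the default `GITHUB_TOKEN`, the API call will be rejected after this change. In that case the block needs `pull-requests: 'write'` (or `issues: 'write'`), and the callers' `remove_label` jobs must grant the same scope because they cap what this workflow can receive. `id-token: 'write'` looks unnecessary here unless one of the hidden steps authenticates to a cloud provider.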
diff --git a/.github/workflows/scheduler.yaml b/.github/workflows/scheduler.yaml index e8dc9ef9ad..38f3e835fc 100644 --- a/.github/workflows/scheduler.yaml +++ b/.github/workflows/scheduler.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'scheduler' path: 'scheduler' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/secret-manager.yaml b/.github/workflows/secret-manager.yaml index 8d195d60b7..02b3664eb2 100644 --- a/.github/workflows/secret-manager.yaml +++ b/.github/workflows/secret-manager.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'secret-manager' path: 'secret-manager' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/security-center-snippets.yaml b/.github/workflows/security-center-snippets.yaml index 14ed3378ce..dcbe991b5f 100644 
--- a/.github/workflows/security-center-snippets.yaml +++ b/.github/workflows/security-center-snippets.yaml @@ -91,12 +91,18 @@ jobs: path: security-center/snippets/${{ env.MOCHA_REPORTER_OUTPUT }} retention-days: 1 remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/service-directory-snippets.yaml b/.github/workflows/service-directory-snippets.yaml index 298f4a9bb1..b615a737c1 100644 --- a/.github/workflows/service-directory-snippets.yaml +++ b/.github/workflows/service-directory-snippets.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'service-directory-snippets' path: 'service-directory/snippets' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/speech.yaml b/.github/workflows/speech.yaml index 1c7055f133..580eade04d 100644 --- a/.github/workflows/speech.yaml +++ b/.github/workflows/speech.yaml 
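Review bot: The inline `test` job of security-center-snippets.yaml sits above this hunk and is not touched, so after this commit `remove_label` and `flakybot` have explicit token scopes while `test` keeps whatever it had before. The single hunk in vision.yaml (at line 96) has the same shape. If `test` has no `permissions:` block of its own, it runs with the repository's default `GITHUB_TOKEN` scopes, which can be broader than read-only. A workflow-level default at the top of both files, `permissions:` with `contents: 'read'`, would make any job without its own block read-only; this needs checking against the part of each file outside the hunk.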
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'speech' path: 'speech' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/talent.yaml b/.github/workflows/talent.yaml index 391fd63d3e..06cf11c0a6 100644 --- a/.github/workflows/talent.yaml +++ b/.github/workflows/talent.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'talent' path: 'talent' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/texttospeech.yaml b/.github/workflows/texttospeech.yaml index 5f73b317bf..09a621dc0a 100644 --- a/.github/workflows/texttospeech.yaml +++ b/.github/workflows/texttospeech.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'texttospeech' path: 'texttospeech' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/translate.yaml b/.github/workflows/translate.yaml index 64a957e55c..b609583d40 100644 --- a/.github/workflows/translate.yaml +++ b/.github/workflows/translate.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'translate' path: 'translate' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/utils/ci.yaml.njk b/.github/workflows/utils/ci.yaml.njk index daaca071f8..ca6d3c37fb 100644 --- a/.github/workflows/utils/ci.yaml.njk +++ b/.github/workflows/utils/ci.yaml.njk 
@@ -33,18 +33,30 @@ on: - cron: '0 0 * * 0' jobs: test: + # Ref: https://github.com/google-github-actions/auth#usage + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: '{{name}}' path: '{{path}}' remove_label: + # Ref: https://github.com/google-github-actions/auth#usage + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + # Ref: https://github.com/google-github-actions/auth#usage + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/video-intelligence.yaml b/.github/workflows/video-intelligence.yaml index b2c07ebf2a..9bcffe0a47 100644 --- a/.github/workflows/video-intelligence.yaml +++ b/.github/workflows/video-intelligence.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'video-intelligence' path: 'video-intelligence' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/vision-productSearch.yaml b/.github/workflows/vision-productSearch.yaml index bbf5b18ab3..976c3d0194 100644 
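Review bot: The template hunk adds a `# Ref: https://github.com/google-github-actions/auth#usage` line above each `permissions:` block (18 lines become 30), but the generated workflows in this commit grow only to 27 lines and carry no such comment. Either the workflows were not regenerated from this template, or the generator strips comments; in the first case running `generate-ci` after merge would produce a diff in every workflow file. If the reference is meant for template maintainers only, a Nunjucks comment such as `{# Ref: https://github.com/google-github-actions/auth#usage #}` keeps it out of the output; otherwise the generated files should be regenerated so that they include it.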
--- a/.github/workflows/vision-productSearch.yaml +++ b/.github/workflows/vision-productSearch.yaml @@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'vision-productSearch' path: 'vision/productSearch' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/vision.yaml b/.github/workflows/vision.yaml index bcd63ab118..08c5ee462a 100644 --- a/.github/workflows/vision.yaml +++ b/.github/workflows/vision.yaml @@ -96,12 +96,18 @@ jobs: path: vision/${{ env.MOCHA_REPORTER_OUTPUT }} retention-days: 1 remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/.github/workflows/workflows.yaml b/.github/workflows/workflows.yaml index 440cd3fcde..2f3ee743c7 100644 --- a/.github/workflows/workflows.yaml +++ b/.github/workflows/workflows.yaml 
@@ -33,18 +33,27 @@ on: - cron: '0 0 * * 0' jobs: test: + permissions: + contents: 'read' + id-token: 'write' if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run' uses: ./.github/workflows/test.yaml with: name: 'workflows' path: 'workflows' remove_label: + permissions: + contents: 'read' + id-token: 'write' if: | github.event.action == 'labeled' && github.event.label.name == 'actions:force-run' && always() uses: ./.github/workflows/remove-label.yaml flakybot: + permissions: + contents: 'read' + id-token: 'write' if: github.event_name == 'schedule' && always() # always() submits logs even if tests fail uses: ./.github/workflows/flakybot.yaml needs: [test] diff --git a/package.json b/package.json index 1bdeb7b32f..1c0d100ca1 100644 --- a/package.json +++ b/package.json @@ -15,7 +15,7 @@ "lint": "gts check", "fix": "gts fix", "test": "echo 'Please run tests in each sample directory.' && exit 1", - "generate-ci": "node .github/workflows/generate.js" + "generate-ci": "node .github/workflows/utils/generate.js" }, "devDependencies": { "c8": "^7.13.0",