aws · ellistarn · Oct 24, 2023 · Oct 24, 2023
@@ -6,7 +6,6 @@ on:
 jobs:
   approval-comment:
     if: startsWith(github.event.review.body, '/karpenter snapshot') || startsWith(github.event.review.body, '/karpenter scale') || startsWith(github.event.review.body, '/karpenter conformance')
-    permissions: write-all
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -21,4 +20,7 @@ jobs:
           echo ${{ github.event.pull_request.number }} >> /tmp/artifacts/metadata.txt
           echo ${{ github.event.review.commit_id }} >> /tmp/artifacts/metadata.txt
           cat /tmp/artifacts/metadata.txt
-      - uses: ./.github/actions/upload-artifact
+      - uses: actions/upload-artifact@v3
+        with:
+          name: artifacts
+          path: /tmp/artifacts
@@ -5,9 +5,9 @@ on:
     - cron: '0 13 * * MON'
 
 permissions:
-  id-token: write
-  pull-requests: write
-  contents: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
+  pull-requests: write # name: Create Pull Request
+  contents: write # name: Create Pull Request
 
 jobs:
   codegen:

@@ -12,9 +12,8 @@ jobs:
     name: Analyze
     runs-on: ubuntu-latest
     permissions:
-      actions: read
-      contents: read
-      security-events: write
+      actions: read # github/codeql-action/init@v2
+      security-events: write # github/codeql-action/init@v2
 
     strategy:
       fail-fast: false

@@ -5,7 +5,7 @@ on:
     branches: [main]
 
 permissions:
-  id-token: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
 
 jobs:
   docgen-ci:

@@ -46,9 +46,8 @@ on:
       SLACK_WEBHOOK_URL:
         required: true
 permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
-  statuses: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
+  statuses: write # ./.github/actions/commit-status/start
 jobs:
   run-suite:
     name: suite-upgrade

@@ -74,9 +74,8 @@ on:
       SLACK_WEBHOOK_URL:
         required: true
 permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
-  statuses: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
+  statuses: write # ./.github/actions/commit-status/start
 jobs:
   run-suite:
     name: suite-${{ inputs.suite }}

@@ -5,8 +5,6 @@ on:
     types: [completed]
 permissions:
   id-token: write
-  pull-requests: write
-  contents: write
   statuses: write
 jobs:
   release:

@@ -8,7 +8,7 @@ on:
   schedule:
     - cron: '0 13 * * MON'
 permissions:
-  id-token: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
 jobs:
   publish-tools:
     if: github.repository == 'aws/karpenter'

@@ -3,9 +3,9 @@ on:
   push:
     tags: [ 'v*.*.*' ]
 permissions:
-  id-token: write
-  pull-requests: write
-  contents: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
+  contents: write # marvinpinto/action-automatic-releases@latest
+  pull-requests: write # name: Create PR
 jobs:
   release:
     if: github.repository == 'aws/karpenter'

@@ -3,7 +3,7 @@ on:
   push:
     branches: [ main ]
 permissions:
-  id-token: write
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
 jobs:
   release:
     if: github.repository == 'aws/karpenter'

@@ -7,9 +7,8 @@ jobs:
   StaleBot:
     runs-on: ubuntu-latest
     permissions:
-      issues: write
-      discussions: write
-      pull-requests: write
+      issues: write # actions/stale@v8.0.0
+      pull-requests: write # actions/stale@v8.0.0
     if: github.repository == 'aws/karpenter'
     name: Stale issue bot
     steps:

@@ -4,8 +4,7 @@ on:
     - cron: '0 */12 * * *'
   workflow_dispatch:
 permissions:
-  id-token: write # This is required for requesting the JWT
-  contents: read  # This is required for actions/checkout
+  id-token: write # aws-actions/configure-aws-credentials@v4.0.1
 jobs:
   sweeper:
     if: vars.ACCOUNT_ID != '' || github.event_name == 'workflow_dispatch'