chore: Audited and documented permissions for gha (#4910)
ellistarn committed Oct 24, 2023
1 parent 0511f5d commit 3be36ee
Showing 13 changed files with 22 additions and 36 deletions.
9 changes: 0 additions & 9 deletions .github/actions/upload-artifact/action.yaml

This file was deleted.

6 changes: 4 additions & 2 deletions .github/workflows/approval-comment.yaml
Expand Up @@ -6,7 +6,6 @@ on:
jobs:
approval-comment:
if: startsWith(github.event.review.body, '/karpenter snapshot') || startsWith(github.event.review.body, '/karpenter scale') || startsWith(github.event.review.body, '/karpenter conformance')
permissions: write-all
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
Expand All @@ -21,4 +20,7 @@ jobs:
echo ${{ github.event.pull_request.number }} >> /tmp/artifacts/metadata.txt
echo ${{ github.event.review.commit_id }} >> /tmp/artifacts/metadata.txt
cat /tmp/artifacts/metadata.txt
- uses: ./.github/actions/upload-artifact
- uses: actions/upload-artifact@v3
with:
name: artifacts
path: /tmp/artifacts
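Review bot: Removing `permissions: write-all` from the approval-comment job leaves the job with no `permissions:` block of its own, so it inherits whatever the workflow-level block grants or, if there is none, the repository's default token permissions, which can still be write-all. Since the audit's point is to state what each job needs, the job should say so explicitly; the visible steps (`actions/checkout@v4`, `actions/upload-artifact@v3`) need no more than `permissions:` / `  contents: read`. The workflow header and any workflow-level `permissions:` are outside the hunk, so this only matters if no such block exists above.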
6 changes: 3 additions & 3 deletions .github/workflows/codegen.yaml
Expand Up @@ -5,9 +5,9 @@ on:
- cron: '0 13 * * MON'

permissions:
id-token: write
pull-requests: write
contents: write
id-token: write # aws-actions/configure-aws-credentials@v4.0.1
pull-requests: write # name: Create Pull Request
contents: write # name: Create Pull Request

jobs:
codegen:
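Review bot: The new comments `# name: Create Pull Request` on `pull-requests: write` and `contents: write` refer to a step's display name rather than to the action that consumes the permission, whereas the other files in this commit (stale.yaml, codeql-analysis.yaml, the `id-token` lines) cite the `uses:` ref. A step name can be edited without touching the permission, so naming the `uses:` ref of that step, as done for `aws-actions/configure-aws-credentials@v4.0.1` on the line above, keeps the audit trail greppable; release.yaml's `# name: Create PR` has the same issue. The step itself is outside the hunk.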
5 changes: 2 additions & 3 deletions .github/workflows/codeql-analysis.yaml
Expand Up @@ -12,9 +12,8 @@ jobs:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
actions: read # github/codeql-action/init@v2
security-events: write # github/codeql-action/init@v2

strategy:
fail-fast: false
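Review bot: `contents: read` is dropped from the job-level `permissions:` block, and because any permission not listed in an explicit block is denied, `contents` is now none for this job; the checkout step is outside the hunk, but the same commit deletes lines in e2e-upgrade.yaml, e2e.yaml and sweeper.yaml that documented `contents: read # This is required for actions/checkout`. On a public repository the clone may still succeed without the token scope, so this may be deliberate, but then the reason belongs next to the block rather than being silent, e.g. `# contents: read intentionally omitted — TODO confirm checkout works without it`. If checkout does depend on it, restore `contents: read # actions/checkout` here and in the three workflows named above.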
2 changes: 1 addition & 1 deletion .github/workflows/docgen.yaml
Expand Up @@ -5,7 +5,7 @@ on:
branches: [main]

permissions:
id-token: write
id-token: write # aws-actions/configure-aws-credentials@v4.0.1

jobs:
docgen-ci:
5 changes: 2 additions & 3 deletions .github/workflows/e2e-upgrade.yaml
Expand Up @@ -46,9 +46,8 @@ on:
SLACK_WEBHOOK_URL:
required: true
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
statuses: write
id-token: write # aws-actions/configure-aws-credentials@v4.0.1
statuses: write # ./.github/actions/commit-status/start
jobs:
run-suite:
name: suite-upgrade
5 changes: 2 additions & 3 deletions .github/workflows/e2e.yaml
Expand Up @@ -74,9 +74,8 @@ on:
SLACK_WEBHOOK_URL:
required: true
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
statuses: write
id-token: write # aws-actions/configure-aws-credentials@v4.0.1
statuses: write # ./.github/actions/commit-status/start
jobs:
run-suite:
name: suite-${{ inputs.suite }}
2 changes: 0 additions & 2 deletions .github/workflows/pr-snapshot.yaml
Expand Up @@ -5,8 +5,6 @@ on:
types: [completed]
permissions:
id-token: write
pull-requests: write
contents: write
statuses: write
jobs:
release:
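Review bot: The remaining `id-token: write` and `statuses: write` lines carry no audit comment, unlike every other workflow touched by this commit, where each surviving permission names the action that needs it (e.g. `id-token: write # aws-actions/configure-aws-credentials@v4.0.1`). Annotating these two the same way would let the next audit see why `statuses: write` is still granted at workflow level; the jobs that use them are outside the hunk.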
2 changes: 1 addition & 1 deletion .github/workflows/publish-test-tools.yaml
Expand Up @@ -8,7 +8,7 @@ on:
schedule:
- cron: '0 13 * * MON'
permissions:
id-token: write
id-token: write # aws-actions/configure-aws-credentials@v4.0.1
jobs:
publish-tools:
if: github.repository == 'aws/karpenter'
6 changes: 3 additions & 3 deletions .github/workflows/release.yaml
Expand Up @@ -3,9 +3,9 @@ on:
push:
tags: [ 'v*.*.*' ]
permissions:
id-token: write
pull-requests: write
contents: write
id-token: write # aws-actions/configure-aws-credentials@v4.0.1
contents: write # marvinpinto/action-automatic-releases@latest
pull-requests: write # name: Create PR
jobs:
release:
if: github.repository == 'aws/karpenter'
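Review bot: The new comment records that `contents: write` exists for `marvinpinto/action-automatic-releases@latest`, meaning a third-party action resolved at a floating tag holds write access to repository contents in the release workflow. If the `uses:` line (outside the hunk) is really `@latest` as the comment says, pin it to a full commit SHA with the version in a trailing comment and update this permissions comment to match, so that a re-tagged upstream cannot change what runs with this token.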
2 changes: 1 addition & 1 deletion .github/workflows/snapshot.yaml
Expand Up @@ -3,7 +3,7 @@ on:
push:
branches: [ main ]
permissions:
id-token: write
id-token: write # aws-actions/configure-aws-credentials@v4.0.1
jobs:
release:
if: github.repository == 'aws/karpenter'
5 changes: 2 additions & 3 deletions .github/workflows/stale.yaml
Expand Up @@ -7,9 +7,8 @@ jobs:
StaleBot:
runs-on: ubuntu-latest
permissions:
issues: write
discussions: write
pull-requests: write
issues: write # actions/stale@v8.0.0
pull-requests: write # actions/stale@v8.0.0
if: github.repository == 'aws/karpenter'
name: Stale issue bot
steps:
3 changes: 1 addition & 2 deletions .github/workflows/sweeper.yaml
Expand Up @@ -4,8 +4,7 @@ on:
- cron: '0 */12 * * *'
workflow_dispatch:
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
id-token: write # aws-actions/configure-aws-credentials@v4.0.1
jobs:
sweeper:
if: vars.ACCOUNT_ID != '' || github.event_name == 'workflow_dispatch'
