security: add permissions block to workflows #38047

reakaleek · 2024-02-17T19:09:10Z

Details

⚠️ This PR was created by an automated tool. Please review the changes carefully. ⚠️

We want to set the default permissions for workflows to read-only for contents.
This is a security measure to prevent accidental changes to the repository.

This change adds a top-level permissions block to all workflows in the .github/workflows directory.

permissions:
  contents: read

In some cases workflows might need more permissions than just contents: read.
Please checkout this branch and add the necessary permissions to the workflows.

If your workflow uses a Personal Access Token (PAT), we can still add the permissions block,
but it will not have any effect.

Merging this PR as is might cause workflows that need more permissions to fail.

If there are any questions, please reach out to the @elastic/observablt-ci

mergify · 2024-02-17T19:09:45Z

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @reakaleek? 🙏.
For such, you'll need to label your PR with:

The upcoming major version of the Elastic Stack
The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

backport-v8./d.0 is the label to automatically backport to the 8./d branch. /d is the digit

elasticmachine · 2024-02-17T19:25:22Z

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

Start Time: 2024-03-26T09:20:42.509+0000
Duration: 16 min 54 sec

Test stats 🧪

Test	Results
Failed	0
Passed	3
Skipped	0
Total	3

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

/test : Re-trigger the build.
/package : Generate the packages and run the E2E tests.
/beats-tester : Run the installation tests with beats-tester.
run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

elasticmachine · 2024-02-19T14:45:27Z

Pinging @elastic/elastic-agent (Team:Elastic-Agent)

v1v · 2024-03-07T17:24:03Z

@Mergifyio rebase

mergify · 2024-03-07T17:24:23Z

rebase

✅ Branch has been successfully rebased

elasticmachine · 2024-03-12T06:22:51Z

💚 Build Succeeded

Buildkite Build
Commit: 84e9f3c

History

💚 Build #1895 succeeded 134ba84
💚 Build #1889 succeeded 674e19a
💚 Build #1453 succeeded a937684

cc @reakaleek

elasticmachine · 2024-03-12T06:22:58Z

💚 Build Succeeded

Buildkite Build
Commit: 84e9f3c

History

💚 Build #3109 succeeded 134ba84
💚 Build #3103 succeeded 674e19a
💚 Build #2667 succeeded a937684

cc @reakaleek

elasticmachine · 2024-03-12T06:23:12Z

💚 Build Succeeded

Buildkite Build
Commit: 84e9f3c

History

💚 Build #1058 succeeded 134ba84
💚 Build #1052 succeeded 674e19a
💚 Build #617 succeeded a937684

cc @reakaleek

elasticmachine · 2024-03-12T06:23:17Z

💚 Build Succeeded

Buildkite Build
Commit: 84e9f3c

History

💚 Build #1902 succeeded 134ba84
💚 Build #1896 succeeded 674e19a
💚 Build #1450 succeeded a937684

cc @reakaleek

elasticmachine · 2024-03-12T06:26:48Z

💔 Build Failed

Buildkite Build
Commit: 84e9f3c

Failed CI Steps

History

💔 Build #3532 failed 134ba84
💔 Build #3526 failed 674e19a
💚 Build #3098 succeeded a937684

cc @reakaleek

elasticmachine · 2024-03-12T06:26:50Z

💔 Build Failed

Buildkite Build
Commit: 84e9f3c

Failed CI Steps

History

💔 Build #2191 failed 134ba84
💔 Build #2185 failed 674e19a
💚 Build #1759 succeeded a937684

cc @reakaleek

.github/workflows/macos-auditbeat.yml

.github/workflows/macos-filebeat.yml

.github/workflows/macos-auditbeat.yml

.github/workflows/macos-heartbeat.yml

.github/workflows/macos-metricbeat.yml

.github/workflows/macos-packetbeat.yml

.github/workflows/macos-xpack-auditbeat.yml

.github/workflows/macos-xpack-filebeat.yml

.github/workflows/macos-xpack-functionbeat.yml

.github/workflows/macos-xpack-heartbeat.yml

.github/workflows/macos-xpack-metricbeat.yml

.github/workflows/macos-xpack-osquerybeat.yml

.github/workflows/macos-xpack-packetbeat.yml

dliappis

LGTM

(cherry picked from commit f502623)

(cherry picked from commit f502623) # Conflicts: # .github/workflows/platform-ingest-project-board.yml # .github/workflows/post-dependabot.yml

reakaleek requested a review from a team as a code owner February 17, 2024 19:09

reakaleek self-assigned this Feb 17, 2024

reakaleek requested review from fearful-symmetry, faec and a team February 17, 2024 19:09

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Feb 17, 2024

v1v approved these changes Feb 19, 2024

View reviewed changes

pierrehilbert added the Team:Elastic-Agent Label for the Agent team label Feb 19, 2024

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Feb 19, 2024

v1v enabled auto-merge (squash) February 20, 2024 11:21

v1v added backport-v7.17.0 Automated backport with mergify backport-v8.13.0 Automated backport with mergify labels Feb 20, 2024

security: add permissions block to workflows

134ba84

v1v force-pushed the gh-oblt/add-permission-block-to-workflows branch from 674e19a to 134ba84 Compare March 7, 2024 17:24

Merge branch 'main' into gh-oblt/add-permission-block-to-workflows

84e9f3c