chore: Update permissions in GitHub workflows (#26)

sredevopsorg · May 27, 2024 · cc0373a · cc0373a
1 parent f8fcb15
commit cc0373a
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 53 deletions.
diff --git a/.github/workflows/clean_packages.yml b/.github/workflows/clean_packages.yml
@@ -4,11 +4,12 @@ on: workflow_dispatch
 
 permissions:
   contents: read
-  packages: write
-  id-token: write
 
 jobs:
   build-containers:
+    permissions:
+      packages: write
+      id-token: write
     name: Build a few images
     runs-on: ubuntu-latest
     env:

diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -5,15 +5,17 @@ on:
     types: [published, edited]
 
 permissions:
-  contents: write
-  pull-requests: write
-  actions: write
+  contents: read
 
 
 
 
 jobs:
   tag-v1:
+    permissions:
+      contents: write
+      pull-requests: write
+      actions: write
     name: Tag v1
     runs-on: ubuntu-latest
     steps:
@@ -29,6 +31,6 @@ jobs:
           minor_tag="$(python .github/get_version.py "${GITHUB_REF}" minor)"
           git tag $major_tag
           git tag $minor_tag
-          git push origin HEAD:refs/heads/master --tags --force
+          git push origin HEAD:refs/heads/main --tags --force
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,43 +8,15 @@ on:
       - main
 permissions:
   contents: read
-  pull-requests: write
-  issues: write
-  id-token: write
 
 
 
 jobs:
-  linting:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Harden Runner
-        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
-        with:
-          egress-policy: audit
-
-      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
-      - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
-        with:
-          python-version: "3.11.2"
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
-        id: cache
-        with:
-          path: |
-            .venv
-            ~/.cache/pre-commit
-          key: venv-1
-      - run: |
-          python -m venv .venv --upgrade-deps
-          source .venv/bin/activate
-          pip install pre-commit
-        if: steps.cache.outputs.cache-hit != 'true'
-      - continue-on-error: true
-        run: |
-          source .venv/bin/activate
-          pre-commit run --all-files
-
   test:
+    permissions:
+      pull-requests: write
+      issues: write
+      id-token: write
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
@@ -60,27 +32,18 @@ jobs:
       - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0
         with:
           python-version: "3.11.2"
-      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
-        id: cache
-        with:
-          path: |
-            ~/.local
-            .venv
-          key: ${{ hashFiles('**/poetry.lock') }}-1
 
-      - uses: snok/install-poetry@93ada01c735cc8a383ce0ce2ae205a21c415379b # v1.3.4
-        with:
-          virtualenvs-in-project: true
 
       - name: install dependencies
         id: install-deps
         continue-on-error: true
         run: |
-          poetry config virtualenvs.create true
-          poetry install --no-interaction --no-root
-
-      - run: poetry install --no-interaction --no-root
-        if: steps.cache.outputs.cache-hit != 'true'
+          python3 -m pip install --user pipx
+          python3 -m pipx ensurepath
+          sudo pipx ensurepath --global || true
+          pipx install poetry
+          poetry config virtualenvs.create true || echo "poetry config failed" && exit 1
+          poetry install --no-interaction --no-root || echo "poetry install failed" && exit 1
         
       - run: source $VENV && pytest main_tests.py --cov-report=xml