kairos-io · mauromorales · Jul 1, 2024 · Jun 27, 2024 · Jun 27, 2024 · Jun 27, 2024
diff --git a/.github/workflows/image-arm-pr.yaml b/.github/workflows/image-arm-pr.yaml
@@ -5,6 +5,7 @@ on:
     paths:
       - '**'
 
+permissions: read-all
 concurrency:
   group: ci-arm-${{ github.head_ref || github.ref }}-${{ github.repository }}
   cancel-in-progress: true
@@ -14,6 +15,21 @@ env:
 jobs:
   opensuse:
     uses: ./.github/workflows/reusable-docker-arm-build.yaml
+    permissions:
+      id-token: write  # OIDC support
+      contents: write
+      security-events: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     with:
       flavor: opensuse
       flavor_release: leap-15.6
@@ -23,6 +39,21 @@ jobs:
       worker: fast
   alpine:
     uses: ./.github/workflows/reusable-docker-arm-build.yaml
+    permissions:
+      id-token: write  # OIDC support
+      contents: write
+      security-events: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     with:
       flavor: alpine
       flavor_release: "3.19"

diff --git a/.github/workflows/image-arm.yaml b/.github/workflows/image-arm.yaml
@@ -5,6 +5,7 @@ on:
     branches:
       - master
 
+permissions: read-all
 concurrency:
   group: ci-arm-${{ github.head_ref || github.ref }}-${{ github.repository }}
   cancel-in-progress: true
@@ -169,6 +170,21 @@ jobs:
 
   nvidia-arm-core:
     uses: ./.github/workflows/reusable-docker-arm-build.yaml
+    permissions:
+      id-token: write  # OIDC support
+      contents: write
+      security-events: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     needs: build-nvidia-base
     secrets: inherit
     with:
@@ -181,6 +197,21 @@ jobs:
 
   build-arm-core:
     uses: ./.github/workflows/reusable-docker-arm-build.yaml
+    permissions:
+      id-token: write  # OIDC support
+      contents: write
+      security-events: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     secrets: inherit
     with:
       flavor: ${{ matrix.flavor }}

diff --git a/.github/workflows/image-pr.yaml b/.github/workflows/image-pr.yaml
@@ -4,6 +4,7 @@ on:
     paths:
       - '**'
 
+permissions: read-all
 concurrency:
   group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }}
   cancel-in-progress: true
@@ -12,6 +13,21 @@ env:
 jobs:
   core-ubuntu-22-lts:
     uses: ./.github/workflows/reusable-build-flavor.yaml
+    permissions:
+      contents: write
+      security-events: write
+      id-token: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     with:
       flavor: ubuntu
       flavor_release: "22.04"
@@ -23,6 +39,21 @@ jobs:
 
   core-ubuntu-24-lts:
     uses: ./.github/workflows/reusable-build-flavor.yaml
+    permissions:
+      contents: write
+      security-events: write
+      id-token: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     with:
       flavor: ubuntu
       flavor_release: "24.04"
@@ -34,6 +65,21 @@ jobs:
 
   core-alpine:
     uses: ./.github/workflows/reusable-build-flavor.yaml
+    permissions:
+      contents: write
+      security-events: write
+      id-token: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     with:
       flavor: alpine
       flavor_release: "3.19"
@@ -45,6 +91,21 @@ jobs:
 
   standard:
     uses: ./.github/workflows/reusable-build-provider.yaml
+    permissions:
+      id-token: write  # OIDC support
+      contents: write
+      security-events: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     with:
       flavor: opensuse
       flavor_release: "leap-15.6"
@@ -189,6 +250,21 @@ jobs:
 
   custom-partitioning:
     uses: ./.github/workflows/reusable-custom-partitioning-test.yaml
+    permissions:
+      id-token: write  # OIDC support
+      contents: write
+      security-events: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     with:
       flavor: ${{ matrix.flavor }}
       flavor_release: ${{ matrix.flavorRelease }}

diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
@@ -6,6 +6,7 @@ on:
     paths:
       - '**'
 
+permissions: read-all
 concurrency:
   group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }}
   cancel-in-progress: true
@@ -35,6 +36,21 @@ jobs:
           echo "::set-output name=matrix::{\"include\": $content }"
   core:
     uses: ./.github/workflows/reusable-build-flavor.yaml
+    permissions:
+      id-token: write  # OIDC support
+      contents: write
+      security-events: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     secrets: inherit
     with:
       flavor: ${{ matrix.flavor }}
@@ -267,6 +283,21 @@ jobs:
           - "leap-15.6"
   standard:
     uses: ./.github/workflows/reusable-build-provider.yaml
+    permissions:
+      id-token: write  # OIDC support
+      contents: write
+      security-events: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     secrets: inherit
     with:
       flavor: ${{ matrix.flavor }}

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -6,6 +6,7 @@ on:
   pull_request:
     paths:
       - '**'
+permissions: read-all
 env:
   FORCE_COLOR: 1
 jobs:

diff --git a/.github/workflows/release-arm.yaml b/.github/workflows/release-arm.yaml
@@ -3,6 +3,7 @@ on:
   push:
     tags:
       - 'v*'
+permissions: read-all
 jobs:
   get-core-matrix:
     runs-on: ubuntu-latest
@@ -141,6 +142,21 @@ jobs:
 
   nvidia-arm-core:
     uses: ./.github/workflows/reusable-docker-arm-build.yaml
+    permissions:
+      id-token: write  # OIDC support
+      contents: write
+      security-events: write
+      actions: read
+      attestations: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
     needs: build-nvidia-base
     secrets: inherit
     with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -6,6 +6,7 @@ on:
     tags:
       - v*
 
+permissions: read-all
 jobs:
   get-core-matrix:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/reusable-build-flavor.yaml b/.github/workflows/reusable-build-flavor.yaml
@@ -25,6 +25,7 @@ on:
         required: true
         type: string
 
+permissions: read-all
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/reusable-build-provider.yaml b/.github/workflows/reusable-build-provider.yaml
@@ -25,6 +25,7 @@ on:
         required: true
         type: string
 
+permissions: read-all
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/reusable-custom-partitioning-test.yaml b/.github/workflows/reusable-custom-partitioning-test.yaml
@@ -10,6 +10,7 @@ on:
         required: true
         type: string
 
+permissions: read-all
 jobs:
   test:
     runs-on: fast

diff --git a/.github/workflows/reusable-docker-arm-build.yaml b/.github/workflows/reusable-docker-arm-build.yaml
@@ -26,6 +26,7 @@ on:
         required: true
         type: string
 
+permissions: read-all
 jobs:
   build:
     runs-on: ${{ inputs.worker }}

diff --git a/.github/workflows/reusable-encryption-test.yaml b/.github/workflows/reusable-encryption-test.yaml
@@ -13,6 +13,7 @@ on:
         required: true
         type: string
 
+permissions: read-all
 jobs:
   test:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/reusable-image-and-iso-arm-generic.yaml b/.github/workflows/reusable-image-and-iso-arm-generic.yaml
@@ -19,6 +19,7 @@ on:
         required: true
         type: string
 
+permissions: read-all
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/reusable-install-test.yaml b/.github/workflows/reusable-install-test.yaml
@@ -13,6 +13,7 @@ on:
         required: false
         type: boolean
 
+permissions: read-all
 jobs:
   test:
     runs-on: kvm

diff --git a/.github/workflows/reusable-provider-tests.yaml b/.github/workflows/reusable-provider-tests.yaml
@@ -13,6 +13,7 @@ on:
         required: true
         type: string
 
+permissions: read-all
 jobs:
   test:
     runs-on: fast

diff --git a/.github/workflows/reusable-provider-upgrade-latest-test.yaml b/.github/workflows/reusable-provider-upgrade-latest-test.yaml
@@ -16,6 +16,7 @@ on:
         required: false
         type: string
 
+permissions: read-all
 jobs:
   test:
     runs-on: kvm

diff --git a/.github/workflows/reusable-qemu-acceptance-test.yaml b/.github/workflows/reusable-qemu-acceptance-test.yaml
@@ -13,6 +13,7 @@ on:
         required: false
         type: string
 
+permissions: read-all
 jobs:
   test:
     runs-on: ubuntu-latest
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,7 @@ on: @@
       pull_request:
         paths:
           - '**'
+    permissions: read-all
     env:
       FORCE_COLOR: 1
     jobs:
@@ Expand Down @@