
fix: reduce token permissions (#7721)

* fix: reduce token permissions

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: reduce token permissions

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-06-30 13:44:57 +02:00 committed by GitHub
parent 50c5d55034
commit 6cb54a475c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 36 additions and 60 deletions


@ -1,5 +1,7 @@
name: Check actions
permissions: {}
on:
push:
branches:
@ -9,8 +11,6 @@ on:
- 'main'
- 'release*'
permissions: {}
jobs:
check:
runs-on: ubuntu-latest
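Review bot: Moving `permissions: {}` ahead of `on:` is the right deny-by-default baseline, but nothing in the file records why jobs that clone the repository still work with a scope-less GITHUB_TOKEN; that holds only because this repository is public, so a private fork would be expected to break on checkout with no hint as to why. Add a comment above the new line, `# deny-by-default: GITHUB_TOKEN has no scopes; jobs must opt in with job-level permissions (repo read relies on the repo being public)`, so the assumption is visible to whoever next edits these workflows. The `check` job's own steps are outside this hunk.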


@ -1,5 +1,7 @@
name: cli
permissions: {}
on:
push:
branches:
@ -10,8 +12,6 @@ on:
- 'main'
- 'release*'
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true


@ -1,5 +1,7 @@
name: Codecov
permissions: {}
on:
push:
branches:
@ -9,8 +11,6 @@ on:
- 'main'
- 'release*'
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true


@ -1,13 +1,13 @@
name: Issue and PR comment commands
permissions: {}
on:
issue_comment:
types:
- created
- edited
permissions: {}
jobs:
execute:
runs-on: ubuntu-latest
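Review bot: This workflow fires on `issue_comment`, which on a public repository anyone can trigger, so the job-level `permissions` of `execute` (outside this hunk) are now the entire privilege surface of the workflow and should be reviewed with that in mind; the top-level `permissions: {}` is the right default for such a trigger. I would add `# untrusted trigger: any user can comment — keep job permissions minimal and never interpolate github.event.comment.body into run: steps` above `permissions: {}`. If the job does hand the comment text to a shell step, pass it through an `env:` variable rather than a `${{ }}` expansion inside the script, since the body is attacker-controlled input.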


@ -1,13 +1,13 @@
name: Conformance tests
permissions: {}
on:
pull_request:
branches:
- 'main'
- 'release*'
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
@ -15,8 +15,6 @@ concurrency:
jobs:
prepare-images:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@ -37,8 +35,6 @@ jobs:
# runs conformance test suites with configuration:
standard:
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
@ -110,8 +106,6 @@ jobs:
# runs conformance test suites with configuration:
force-failure-policy-ignore:
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
@ -168,8 +162,6 @@ jobs:
# runs conformance test suites with configuration:
default:
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
@ -224,8 +216,6 @@ jobs:
# runs conformance test suites with configuration:
policy-library:
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
fail-fast: false
matrix:
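Review bot: All five jobs in this file lose `permissions: contents: read` (the removed pairs at L112-113, L121-122, L130-131, L139-140, L148-149) while `prepare-images` still runs `actions/checkout` at L115-116 with the now scope-less GITHUB_TOKEN. That only works because the repository is public, where contents can be read anonymously; on a private fork the checkout would be expected to fail, and the file no longer says anything about this assumption. I would keep `permissions:` / `contents: read` on the jobs that clone, which costs nothing and states the intent, or at least add `# no job-level permissions: checkout relies on public-repo read access` above each `strategy:`. The step lists of the other four jobs are outside the hunks, so I cannot confirm which of them also check out.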


@ -1,12 +1,12 @@
name: FOSSA
permissions: {}
on:
push:
branches:
- main
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
@ -14,8 +14,6 @@ concurrency:
jobs:
fossa-scan:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3


@ -1,5 +1,7 @@
name: helm-release
permissions: {}
on:
push:
tags:


@ -1,5 +1,7 @@
name: helm-test
permissions: {}
on:
pull_request:
branches:
@ -9,8 +11,6 @@ on:
- charts/**
- .github/workflows/helm-test.yaml
permissions: {}
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true


@ -1,5 +1,7 @@
name: Build images
permissions: {}
on:
push:
branches:
@ -9,13 +11,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
build-images:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3


@ -1,5 +1,7 @@
name: Publish images
permissions: {}
on:
push:
branches:
@ -10,13 +12,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
publish-images:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
outputs:
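Review bot: `contents: read` is dropped from `publish-images` while `packages: write` and `id-token: write` stay, which looks like the minimal set for pushing to ghcr.io and for OIDC-based keyless signing, but the token now has no read scope on the repository the job presumably checks out and builds from (the steps are outside this hunk). That is fine only while the repository is public. A comment on the permissions block would make the review reproducible, e.g. `# packages: write -> push to ghcr.io; id-token: write -> OIDC token for keyless signing; repo read relies on the repo being public`.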


@ -1,5 +1,7 @@
name: Lint
permissions: {}
on:
push:
branches:
@ -13,9 +15,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
tests:
runs-on: ubuntu-latest


@ -1,5 +1,7 @@
name: Nancy
permissions: {}
on:
push:
branches:
@ -13,9 +15,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
nancy:
runs-on: ubuntu-latest


@ -1,17 +1,15 @@
name: PR update
permissions: {}
on:
push:
branches:
- 'main'
- 'release-*'
permissions: {}
jobs:
autoupdate:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- name: Checkout


@ -9,7 +9,6 @@ jobs:
release-images:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
outputs:


@ -1,12 +1,12 @@
name: report-on-vulnerabilities
permissions: {}
on:
workflow_dispatch: {}
schedule:
- cron: '23 2 * * *' # Every day at 02:23
permissions: {}
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
@ -14,8 +14,6 @@ env:
jobs:
scan:
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
results: ${{ steps.parse-results.outputs.results }}
steps:
@ -55,7 +53,6 @@ jobs:
if: needs.scan.outputs.results == 'found'
needs: scan
permissions:
contents: read
issues: write
steps:
- name: Checkout


@ -1,5 +1,7 @@
name: Scorecards supply-chain security
permissions: {}
on:
schedule:
- cron: '30 1 * * 6'
@ -7,8 +9,6 @@ on:
branches:
- main
permissions: read-all
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
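Review bot: Replacing the top-level `permissions: read-all` with `permissions: {}` removes the read scopes the scorecard job previously inherited, and the job's own `permissions` block is outside this hunk, so please confirm it still grants what the Scorecard action documents as required: `id-token: write` (OIDC for publishing results), `security-events: write` (SARIF upload), and the read scopes such as `contents: read` and `actions: read` it uses to inspect the repository and workflow runs. If the job only declares the two write scopes, this change silently drops the reads. A one-line comment above `permissions: {}`, `# read scopes are granted per job; see the scorecard job's permissions`, would prevent the next tightening from repeating this.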


@ -1,5 +1,7 @@
name: Sonarcloud workflow
permissions: {}
on:
push:
branches:
@ -10,9 +12,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
sonarcloud:
runs-on: ubuntu-latest


@ -1,5 +1,7 @@
name: Tests
permissions: {}
on:
push:
branches:
@ -13,9 +15,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
tests:
runs-on: ubuntu-latest


@ -1,5 +1,7 @@
name: Verify codegen
permissions: {}
on:
push:
branches:
@ -13,9 +15,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
verify-codegen:
runs-on: ubuntu-latest