mirrors/kyverno
mirrors/kyverno
1
0
Fork 0
mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00
Code Activity

fix: reduce token permissions (#7721)

Browse source 
* fix: reduce token permissions

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix: reduce token permissions

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* fix

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
This commit is contained in:
Charles-Edouard Brétéché 2023-06-30 13:44:57 +02:00 committed by GitHub
parent 50c5d55034
commit 6cb54a475c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 36 additions and 60 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
.github/workflows/check-actions.yaml vendored
View file

@ -1,5 +1,7 @@
name: Check actions name: Check actions
permissions: {}
on: on:
push: push:
branches: branches:
@ -9,8 +11,6 @@ on:
- 'main' - 'main'
- 'release*' - 'release*'
permissions: {}
jobs: jobs:
check: check:
runs-on: ubuntu-latest runs-on: ubuntu-latest

4
.github/workflows/cli.yaml vendored
View file

@ -1,5 +1,7 @@
name: cli name: cli
permissions: {}
on: on:
push: push:
branches: branches:
@ -10,8 +12,6 @@ on:
- 'main' - 'main'
- 'release*' - 'release*'
permissions: {}
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true

4
.github/workflows/codecov.yaml vendored
View file

@ -1,5 +1,7 @@
name: Codecov name: Codecov
permissions: {}
on: on:
push: push:
branches: branches:
@ -9,8 +11,6 @@ on:
- 'main' - 'main'
- 'release*' - 'release*'
permissions: {}
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true

4
.github/workflows/comment-commands.yaml vendored
View file

@ -1,13 +1,13 @@
name: Issue and PR comment commands name: Issue and PR comment commands
permissions: {}
on: on:
issue_comment: issue_comment:
types: types:
- created - created
- edited - edited
permissions: {}
jobs: jobs:
execute: execute:
runs-on: ubuntu-latest runs-on: ubuntu-latest

14
.github/workflows/conformance.yaml vendored
View file

@ -1,13 +1,13 @@
name: Conformance tests name: Conformance tests
permissions: {}
on: on:
pull_request: pull_request:
branches: branches:
- 'main' - 'main'
- 'release*' - 'release*'
permissions: {}
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
@ -15,8 +15,6 @@ concurrency:
jobs: jobs:
prepare-images: prepare-images:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@ -37,8 +35,6 @@ jobs:
# runs conformance test suites with configuration: # runs conformance test suites with configuration:
standard: standard:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -110,8 +106,6 @@ jobs:
# runs conformance test suites with configuration: # runs conformance test suites with configuration:
force-failure-policy-ignore: force-failure-policy-ignore:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -168,8 +162,6 @@ jobs:
# runs conformance test suites with configuration: # runs conformance test suites with configuration:
default: default:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -224,8 +216,6 @@ jobs:
# runs conformance test suites with configuration: # runs conformance test suites with configuration:
policy-library: policy-library:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:

6
.github/workflows/fossa.yml vendored
View file

@ -1,12 +1,12 @@
name: FOSSA name: FOSSA
permissions: {}
on: on:
push: push:
branches: branches:
- main - main
permissions: {}
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
@ -14,8 +14,6 @@ concurrency:
jobs: jobs:
fossa-scan: fossa-scan:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

2
.github/workflows/helm-release.yaml vendored
View file

@ -1,5 +1,7 @@
name: helm-release name: helm-release
permissions: {}
on: on:
push: push:
tags: tags:

4
.github/workflows/helm-test.yaml vendored
View file

@ -1,5 +1,7 @@
name: helm-test name: helm-test
permissions: {}
on: on:
pull_request: pull_request:
branches: branches:
@ -9,8 +11,6 @@ on:
- charts/** - charts/**
- .github/workflows/helm-test.yaml - .github/workflows/helm-test.yaml
permissions: {}
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true

6
.github/workflows/images-build.yaml vendored
View file

@ -1,5 +1,7 @@
name: Build images name: Build images
permissions: {}
on: on:
push: push:
branches: branches:
@ -9,13 +11,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
build-images: build-images:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

5
.github/workflows/images-publish.yaml vendored
View file

@ -1,5 +1,7 @@
name: Publish images name: Publish images
permissions: {}
on: on:
push: push:
branches: branches:
@ -10,13 +12,10 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions: {}
jobs: jobs:
publish-images: publish-images:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read
packages: write packages: write
id-token: write id-token: write
outputs: outputs:

5
.github/workflows/lint.yaml vendored
View file

@ -1,5 +1,7 @@
name: Lint name: Lint
permissions: {}
on: on:
push: push:
branches: branches:
@ -13,9 +15,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
tests: tests:
runs-on: ubuntu-latest runs-on: ubuntu-latest

5
.github/workflows/nancy.yaml vendored
View file

@ -1,5 +1,7 @@
name: Nancy name: Nancy
permissions: {}
on: on:
push: push:
branches: branches:
@ -13,9 +15,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
nancy: nancy:
runs-on: ubuntu-latest runs-on: ubuntu-latest

6
.github/workflows/pr-update.yaml vendored
View file

@ -1,17 +1,15 @@
name: PR update name: PR update
permissions: {}
on: on:
push: push:
branches: branches:
- 'main' - 'main'
- 'release-*' - 'release-*'
permissions: {}
jobs: jobs:
autoupdate: autoupdate:
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout

1
.github/workflows/release.yaml vendored
View file

@ -9,7 +9,6 @@ jobs:
release-images: release-images:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions: permissions:
contents: read
packages: write packages: write
id-token: write id-token: write
outputs: outputs:

7
.github/workflows/report-on-vulnerabilities.yaml vendored
View file

@ -1,12 +1,12 @@
name: report-on-vulnerabilities name: report-on-vulnerabilities
permissions: {}
on: on:
workflow_dispatch: {} workflow_dispatch: {}
schedule: schedule:
- cron: '23 2 * * *' # Every day at 02:23 - cron: '23 2 * * *' # Every day at 02:23
permissions: {}
env: env:
REGISTRY: ghcr.io REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }} IMAGE_NAME: ${{ github.repository }}
@ -14,8 +14,6 @@ env:
jobs: jobs:
scan: scan:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
outputs: outputs:
results: ${{ steps.parse-results.outputs.results }} results: ${{ steps.parse-results.outputs.results }}
steps: steps:
@ -55,7 +53,6 @@ jobs:
if: needs.scan.outputs.results == 'found' if: needs.scan.outputs.results == 'found'
needs: scan needs: scan
permissions: permissions:
contents: read
issues: write issues: write
steps: steps:
- name: Checkout - name: Checkout

4
.github/workflows/scorecard.yaml vendored
View file

@ -1,5 +1,7 @@
name: Scorecards supply-chain security name: Scorecards supply-chain security
permissions: {}
on: on:
schedule: schedule:
- cron: '30 1 * * 6' - cron: '30 1 * * 6'
@ -7,8 +9,6 @@ on:
branches: branches:
- main - main
permissions: read-all
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true

5
.github/workflows/sonarcloud.yaml vendored
View file

@ -1,5 +1,7 @@
name: Sonarcloud workflow name: Sonarcloud workflow
permissions: {}
on: on:
push: push:
branches: branches:
@ -10,9 +12,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
sonarcloud: sonarcloud:
runs-on: ubuntu-latest runs-on: ubuntu-latest

5
.github/workflows/tests.yaml vendored
View file

@ -1,5 +1,7 @@
name: Tests name: Tests
permissions: {}
on: on:
push: push:
branches: branches:
@ -13,9 +15,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
tests: tests:
runs-on: ubuntu-latest runs-on: ubuntu-latest

5
.github/workflows/verify-codegen.yaml vendored
View file

@ -1,5 +1,7 @@
name: Verify codegen name: Verify codegen
permissions: {}
on: on:
push: push:
branches: branches:
@ -13,9 +15,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
permissions:
contents: read
jobs: jobs:
verify-codegen: verify-codegen:
runs-on: ubuntu-latest runs-on: ubuntu-latest