Configure Github workflow and job level permissions

.github/workflows/ci.yaml

@@ -5,6 +5,11 @@ on:
     paths:
       - "charts/**"
 
+# Permission forced by repo-level setting; only elevate on job-level
+permissions:
+  contents: read
+  # packages: read
+
 jobs:
   changed:
     runs-on: ubuntu-latest

.github/workflows/go-test-private-action-runner.yaml

@@ -8,6 +8,12 @@ on:
     paths:
       - 'test/private-action-runner/**'
       - 'charts/private-action-runner/**'
+
+# Permission forced by repo-level setting; only elevate on job-level
+permissions:
+  contents: read
+  # packages: read
+
 env:
   GO111MODULE: "on"
   PROJECTNAME: "helm-charts"

.github/workflows/go-test.yaml

@@ -8,6 +8,12 @@ on:
     paths:
       - 'test/datadog-operator/**'
       - 'charts/datadog-operator/**'
+
+# Permission forced by repo-level setting; only elevate on job-level
+permissions:
+  contents: read
+  # packages: read
+
 env:
   GO111MODULE: "on"
   PROJECTNAME: "helm-charts"

.github/workflows/pr-labeler.yaml

@@ -4,10 +4,17 @@ on:
     branches:
       - main
 
+# Permission forced by repo-level setting; only elevate on job-level
+permissions:
+  contents: read
+  # packages: read
+
 jobs:
   label:
     name: Add label for PRs
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     timeout-minutes: 5
     steps:
       - uses: actions/labeler@v5

.github/workflows/release.yaml

@@ -7,9 +7,14 @@ on:
     paths:
       - 'charts/**'
 
+permissions: {}
+
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      # https://github.com/helm/chart-releaser-action
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v3

charts/datadog-operator/CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 2.2.1
+noop
+
 ## 2.2.0
 
 * Add clusterRole.allowReadAllResources to allow viewing all resources. This is required for collecting custom resources in the Kubernetes Explorer

charts/datadog-operator/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: datadog-operator
-version: 2.2.0
+version: 2.2.1
 appVersion: 1.9.0
 description: Datadog Operator
 keywords:

charts/datadog-operator/README.md

@@ -1,6 +1,6 @@
 # Datadog Operator
 
-![Version: 2.2.0](https://img.shields.io/badge/Version-2.2.0-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square)
+![Version: 2.2.1](https://img.shields.io/badge/Version-2.2.1-informational?style=flat-square) ![AppVersion: 1.9.0](https://img.shields.io/badge/AppVersion-1.9.0-informational?style=flat-square)
 
 ## Values
 
@@ -43,6 +43,7 @@
 | metricsPort | int | `8383` | Port used for OpenMetrics endpoint |
 | nameOverride | string | `""` | Override name of app |
 | nodeSelector | object | `{}` | Allows to schedule Datadog Operator on specific nodes |
+| noop | bool | `true` |  |
 | operatorMetricsEnabled | string | `"true"` | Enable forwarding of Datadog Operator metrics and events to Datadog. |
 | podAnnotations | object | `{}` | Allows setting additional annotations for Datadog Operator PODs |
 | podLabels | object | `{}` | Allows setting additional labels for for Datadog Operator PODs |

charts/datadog-operator/values.yaml

@@ -196,3 +196,5 @@ clusterRole:
   # allowReadAllResources is required to allow the operator to view all custom resources.
   # If collecting CRDs in the Kubernetes Explorer this is required
   allowReadAllResources: false
+
+noop: true

charts/private-action-runner/CHANGELOG.md

@@ -1,5 +1,9 @@
 # Datadog changelog
 
+## 0.14.4
+
+noop
+
 ## 0.14.3
 
 * Add GitLab private actions and fix image repository link.

charts/private-action-runner/Chart.yaml

@@ -3,7 +3,7 @@ name: private-action-runner
 description: A Helm chart to deploy the private action runner
 
 type: application
-version: 0.14.3
+version: 0.14.4
 appVersion: "1.22.0"
 keywords:
 - app builder

charts/private-action-runner/README.md

@@ -44,6 +44,7 @@ helm repo update
 |-----|------|---------|-------------|
 | common.image | object | `{"repository":"gcr.io/datadoghq/private-action-runner","tag":"v0.1.4-beta"}` | Current Datadog Private Action Runner image |
 | credentialFiles | list | `[]` | List of credential files to be used by the Datadog Private Action Runner |
+| noop | bool | `true` |  |
 | runners[0].config | object | `{"actionsAllowlist":[],"ddBaseURL":"https://app.datadoghq.com","modes":["workflowAutomation","appBuilder"],"port":9016,"privateKey":"CHANGE_ME_PRIVATE_KEY_FROM_CONFIG","urn":"CHANGE_ME_URN_FROM_CONFIG"}` | Configuration for the Datadog Private Action Runner |
 | runners[0].config.actionsAllowlist | list | `[]` | List of actions that the Datadog Private Action Runner is allowed to execute |
 | runners[0].config.ddBaseURL | string | `"https://app.datadoghq.com"` | Base URL of the Datadog app |

charts/private-action-runner/values.yaml

@@ -84,3 +84,5 @@ runners:
 credentialFiles: []
 # see examples/values.yaml for examples on how to specify secrets
 # credential files provided here will be mounted in /etc/dd-action-runner/
+
+noop: true