From 6c6a28c4f0d182277d65be1c5545ab4ba8993355 Mon Sep 17 00:00:00 2001 From: Morten Stulen Date: Tue, 2 Jan 2024 11:21:06 +0100 Subject: [PATCH] Remove apikey from nais deploy And move permissions --- .github/workflows/codeql-analysis.yml | 9 +++++---- .github/workflows/deploy-topics.yml | 2 -- .github/workflows/main.yml | 11 +++++------ .github/workflows/manual-deploy.yml | 12 ++++-------- .github/workflows/stale.yml | 17 ----------------- 5 files changed, 14 insertions(+), 37 deletions(-) delete mode 100644 .github/workflows/stale.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 50e66d78..7945ba4f 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -7,14 +7,15 @@ on: branches: - main +permissions: + actions: read + contents: read + security-events: write + jobs: analyze: name: Analyze runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write strategy: fail-fast: false diff --git a/.github/workflows/deploy-topics.yml b/.github/workflows/deploy-topics.yml index 4c4a39a0..45c34342 100644 --- a/.github/workflows/deploy-topics.yml +++ b/.github/workflows/deploy-topics.yml @@ -24,7 +24,6 @@ jobs: - uses: actions/checkout@v4 - uses: nais/deploy/actions/deploy@v2 env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} CLUSTER: dev-gcp RESOURCE: .nais/topics/config-messages-topic-dev.yml,.nais/topics/config-metrics-topic-dev.yml,.nais/topics/config-processingeventlog-topic-dev.yml,.nais/topics/config-soknadinnsending-topic-dev.yml,.nais/topics/config-messages-topic-loadtests.yml,.nais/topics/config-metrics-topic-loadtests.yml,.nais/topics/config-processingeventlog-topic-loadtests.yml,.nais/topics/config-soknadinnsending-topic-loadtests.yml 
@@ -36,6 +35,5 @@ jobs: - uses: actions/checkout@v4 - uses: nais/deploy/actions/deploy@v2 env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} CLUSTER: prod-gcp RESOURCE: .nais/topics/config-messages-topic-prod.yml,.nais/topics/config-metrics-topic-prod.yml,.nais/topics/config-processingeventlog-topic-prod.yml,.nais/topics/config-soknadinnsending-topic-prod.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 657a8469..2f45edd2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -7,11 +7,13 @@ on: paths-ignore: - '**.md' - '**/**.md' + +permissions: + contents: "write" + id-token: "write" + jobs: build-and-push: - permissions: - contents: "write" - id-token: "write" name: Build and push Docker container runs-on: ubuntu-latest steps: @@ -51,7 +53,6 @@ jobs: - uses: actions/checkout@v4 - uses: nais/deploy/actions/deploy@v2 env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} CLUSTER: dev-gcp RESOURCE: .nais/nais.yml VARS: .nais/config-loadtests.json @@ -66,7 +67,6 @@ jobs: - uses: actions/checkout@v4 - uses: nais/deploy/actions/deploy@v2 env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} CLUSTER: prod-gcp RESOURCE: .nais/nais.yml VARS: .nais/config-prod.json @@ -82,7 +82,6 @@ jobs: - name: Deploy to alerts to prod uses: nais/deploy/actions/deploy@v2 env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} CLUSTER: prod-gcp RESOURCE: .nais/alerts.yml VARS: .nais/prod-alert.json diff --git a/.github/workflows/manual-deploy.yml b/.github/workflows/manual-deploy.yml index f7d7606f..c5f2282b 100644 --- a/.github/workflows/manual-deploy.yml +++ b/.github/workflows/manual-deploy.yml @@ -15,11 +15,12 @@ on: - loadtests - prod +permissions: + contents: "read" + id-token: "write" + jobs: build-and-push: - permissions: - contents: "read" - id-token: "write" name: Build and push Docker container runs-on: ubuntu-latest steps: 
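Review bot: Hoisting `permissions` to workflow level in `.github/workflows/main.yml` gives every job `contents: "write"`, including the deploy jobs whose steps appear in the later hunks; before this change only `build-and-push` declared it. The deploy jobs presumably need only `id-token: "write"` for keyless deploy plus read access for checkout, so I would make the workflow default `contents: "read"` with `id-token: "write"` and keep `contents: "write"` under `build-and-push` alone. `.github/workflows/deploy-topics.yml` also loses `APIKEY` in this patch, but no `permissions` change is visible for it; confirm that file already declares `id-token: write` outside its hunks, otherwise its deploys may fail to authenticate. The job definitions continue outside these hunks, so the exact needs of each job should be checked against the full file.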
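Review bot: With `id-token: "write"` now granted to the whole workflow in `.github/workflows/manual-deploy.yml`, every job can request an OIDC token, and the deploy steps run `nais/deploy/actions/deploy@v2` from a mutable tag. That token appears to replace the removed API key as the deploy credential, so pinning the action to a full commit SHA, `uses: nais/deploy/actions/deploy@<full-commit-sha> # v2`, would keep a moved tag from running with it. The same applies to the deploy steps in `main.yml` and `deploy-topics.yml`. Once no workflow references `secrets.NAIS_DEPLOY_APIKEY`, the stored secret should be revoked and deleted from the repository settings so the long-lived key does not remain usable.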
@@ -60,7 +61,6 @@ jobs: - uses: actions/checkout@v4 - uses: nais/deploy/actions/deploy@v2 env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} CLUSTER: dev-gcp RESOURCE: .nais/nais.yml VARS: .nais/config-preprod.json @@ -75,7 +75,6 @@ jobs: - uses: actions/checkout@v4 - uses: nais/deploy/actions/deploy@v2 env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} CLUSTER: dev-gcp RESOURCE: .nais/nais.yml VARS: .nais/config-loadtests.json @@ -90,7 +89,6 @@ jobs: - uses: actions/checkout@v4 - uses: nais/deploy/actions/deploy@v2 env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} CLUSTER: prod-gcp RESOURCE: .nais/nais.yml VARS: .nais/config-prod.json @@ -108,7 +106,6 @@ jobs: - name: Deploy to dev uses: nais/deploy/actions/deploy@v2 env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} CLUSTER: dev-gcp RESOURCE: .nais/alerts.yml VARS: .nais/preprod-alert.json @@ -124,7 +121,6 @@ jobs: - name: Deploy to dev uses: nais/deploy/actions/deploy@v2 env: - APIKEY: ${{ secrets.NAIS_DEPLOY_APIKEY }} CLUSTER: prod-gcp RESOURCE: .nais/alerts.yml VARS: .nais/prod-alert.json diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml deleted file mode 100644 index ca2c29cc..00000000 --- a/.github/workflows/stale.yml +++ /dev/null @@ -1,17 +0,0 @@ -name: Mark stale issues and pull requests - -on: - schedule: - - cron: "0 0 * * *" - -jobs: - stale: - runs-on: ubuntu-latest - steps: - - uses: actions/stale@v9 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - stale-issue-message: 'Stale issue message' - stale-pr-message: 'Stale pull request message' - stale-issue-label: 'no-issue-activity' - stale-pr-label: 'no-pr-activity'