fixup! Update permissions for workflows that call scorecard
Signed-off-by: Spencer Wilson <[email protected]>
SWilson4 committed Sep 4, 2024
1 parent c2b15dc commit e6e1f6f
Showing 3 changed files with 54 additions and 15 deletions.
23 changes: 18 additions & 5 deletions .github/workflows/commit-to-main.yml
@@ -1,7 +1,7 @@
name: Main branch tests

# read-all permissions are required for the scorecard job
permissions: read-all
permissions:
contents: read

on:
push:
Expand All @@ -15,11 +15,24 @@ jobs:
scorecard:
uses: ./.github/workflows/scorecard.yml
secrets: inherit
# complete list of permissions keys as per
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
# accessed September 4, 2024
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
actions: read
attestations: read
checks: read
contents: read
deployments: read
id-token: write
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: write
statuses: read

basic-downstream:
uses: ./.github/workflows/downstream-basic.yml
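Review bot: The two write grants in the scorecard job's `permissions:` block (`security-events: write` and `id-token: write`) are no longer explained, because the rewritten block appears to drop the "Needed to upload…" and "Needed to publish…" comments and the writes now sit unmarked among twelve `read` entries. Keep a reason on each of them, for example `# Needed to upload the results to code-scanning dashboard.` above `security-events: write` and `# Needed to publish results and get a badge.` above `id-token: write`, so a reviewer can see which scopes exceed read and why. The enumerated list is also a snapshot dated September 4, 2024 and will not follow scopes GitHub adds later; if the called scorecard.yml (not shown here) does not need every read scope, trim the list to the ones it uses. The same block is repeated in pr.yml and weekly.yml.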
23 changes: 18 additions & 5 deletions .github/workflows/pr.yml
@@ -1,7 +1,7 @@
name: Pull request tests

# read-all permissions are required for the scorecard job
permissions: read-all
permissions:
contents: read

on: pull_request

Expand All @@ -22,8 +22,21 @@ jobs:
needs: basic-checks
uses: ./.github/workflows/scorecard.yml
secrets: inherit
# complete list of permissions keys as per
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
# accessed September 4, 2024
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
actions: read
attestations: read
checks: read
contents: read
deployments: read
id-token: write
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: write
statuses: read
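Review bot: This workflow runs on `pull_request`, yet the scorecard job requests `security-events: write` and `id-token: write` for the called scorecard.yml. For pull requests from forks GitHub by default issues a read-only token and withholds secrets regardless of this block, so any upload or publish step in scorecard.yml (not visible here) presumably has to be skipped or tolerate failure on those runs. For same-repository pull requests the grants do apply, together with `secrets: inherit` on the context line above the block. If results are only needed from the default branch, consider gating the job with `if: github.event_name != 'pull_request'` or passing only the named secret the job uses instead of `secrets: inherit`.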
23 changes: 18 additions & 5 deletions .github/workflows/weekly.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: Weekly tests

# read-all permissions are required for the scorecard job
permissions: read-all
permissions:
contents: read

on:
schedule:
Expand All @@ -14,11 +14,24 @@ jobs:
scorecard:
uses: ./.github/workflows/scorecard.yml
secrets: inherit
# complete list of permissions keys as per
# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token#defining-access-for-the-github_token-permissions
# accessed September 4, 2024
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
# Needed to publish results and get a badge (see publish_results below).
actions: read
attestations: read
checks: read
contents: read
deployments: read
id-token: write
issues: read
discussions: read
packages: read
pages: read
pull-requests: read
repository-projects: read
security-events: write
statuses: read

extended-tests:
uses: ./.github/workflows/extended.yml
