Kezdőlap Felfedezés Súgó
Bejelentkezés
logic855
/
helm-external-secrets
tükrözi: https://github.com/external-secrets/external-secrets
1
0
Másolás 0
Fájlok Problémák 0 Wiki
Forráskód Böngészése

fix: pipeline permissions (#4669)

* fix: pipeline permissions

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

* feat: comments and cleanup permissions

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>

---------

Signed-off-by: Gustavo Carvalho <gustavo@externalsecrets.com>
Gustavo Fernandes de Carvalho 1 éve
szülő
f6c4784159
commit
0c889145b5
10 módosított fájl, 30 hozzáadás és 25 törlés
Osztott Nézet Diff Statisztika Mutatása
  1. 3 2
      .github/workflows/ci.yml
  2. 2 3
      .github/workflows/codeql.yml
  3. 1 0
      .github/workflows/dlc.yml
  4. 1 1
      .github/workflows/docs.yml
  5. 3 3
      .github/workflows/e2e-managed.yml
  6. 5 11
      .github/workflows/e2e.yml
  7. 7 0
      .github/workflows/publish.yml
  8. 2 1
      .github/workflows/rebuild-image.yml
  9. 5 3
      .github/workflows/release.yml
  10. 1 1
      .github/workflows/release_esoctl.yml

+ 3 - 2
.github/workflows/ci.yml
Fájl Megtekintése 

@@ -138,8 +138,9 @@ jobs:
 
     if: needs.detect-noop.outputs.noop != 'true'
 
     uses: ./.github/workflows/publish.yml
 
     permissions:
 
-      id-token: write
 
-      contents: read
 
+      contents: read  #actions/checkout
 
+      packages: write #for publishing artifacts
 
+      id-token: write #for keyless sign
 
     strategy:
 
       matrix:
 
         include:

+ 2 - 3
.github/workflows/codeql.yml
Fájl Megtekintése 

@@ -8,9 +8,6 @@ on:
 
 
 permissions:
 
   contents: read
 
-  packages: read
 
-  actions: read
 
-  security-events: read
 
 
 jobs:
 
   analyze:
 
@@ -19,6 +16,8 @@ jobs:
 
     permissions:
 
       # required for all workflows
 
       security-events: write
 
+      packages: read
 
+      actions: read 
     strategy:
 
       fail-fast: false
 
     steps:

+ 1 - 0
.github/workflows/dlc.yml
Fájl Megtekintése 

@@ -11,6 +11,7 @@ permissions:
 
 
 jobs:
 
   fossa-scan:
 
+    if: secrets.FOSSA_API_KEY != ''
 
     runs-on: ubuntu-latest
 
     steps:
 
       - name: "Checkout Code"

+ 1 - 1
.github/workflows/docs.yml
Fájl Megtekintése 

@@ -13,7 +13,7 @@ jobs:
 
   deploy:
 
     runs-on: ubuntu-latest
 
     permissions:
 
-      contents: write
 
+      contents: write #needed to publish documentation
 
     steps:
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
         with:

+ 3 - 3
.github/workflows/e2e-managed.yml
Fájl Megtekintése 

@@ -55,9 +55,9 @@ jobs:
 
   run-e2e-managed:
 
     runs-on: ubuntu-latest
 
     permissions:
 
-      id-token: write
 
-      checks: write
 
-      contents: read
 
+      id-token: write #for oidc auth with aws/gcp/azure
 
+      checks: write   #publish the commit status
 
+      contents: read  #for checkout
 
     if: github.event_name == 'repository_dispatch'
 
 
     steps:

+ 5 - 11
.github/workflows/e2e.yml
Fájl Megtekintése 

@@ -6,10 +6,6 @@ on:
 
 
 permissions:
 
   contents: read
 
-  issues: read
 
-  pull-requests: read
 
-  checks: read
 
-  statuses: read
 
 name: e2e tests
 
 
 env:
 
@@ -64,9 +60,8 @@ jobs:
 
   integration-trusted:
 
     runs-on: ubuntu-latest
 
     permissions:
 
-      id-token: write
 
-      checks: write
 
-      contents: read
 
+      id-token: write #for oidc auth with aws/gcp/azure
 
+      contents: read  #for checkout
 
     if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
 
     steps:
 
 
@@ -82,10 +77,9 @@ jobs:
 
   integration-fork:
 
     runs-on: ubuntu-latest
 
     permissions:
 
-      id-token: write
 
-      checks: write
 
-      contents: read
 
-      pull-requests: write
 
+      id-token: write      #for oidc auth with aws/gcp/azure
 
+      contents: read       #for checkout
 
+      pull-requests: write # to publish the status as comments
 
     if: github.event_name == 'repository_dispatch'
 
     steps:

+ 7 - 0
.github/workflows/publish.yml
Fájl Megtekintése 

@@ -45,6 +45,9 @@ jobs:
 
   build-publish:
 
     name: Build and Publish
 
     runs-on: ubuntu-latest
 
+    permissions:
 
+      contents: read
 
+      packages: write
 
     outputs:
 
       image-tag: ${{ steps.container_info.outputs.image-tag }}
 
     steps:
 
@@ -138,6 +141,10 @@ jobs:
 
   sign:
 
     runs-on: ubuntu-latest
 
     needs: build-publish
 
+    permissions:
 
+      contents: read
 
+      id-token: write #for keyless sign
 
+      packages: write #to update packages with added SBOMs.
 
     steps:
 
       - name: Checkout
 
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

+ 2 - 1
.github/workflows/rebuild-image.yml
Fájl Megtekintése 

@@ -35,8 +35,9 @@ jobs:
 
     uses: ./.github/workflows/publish.yml
 
     needs: checkout
 
     permissions:
 
-      id-token: write
 
       contents: read
 
+      id-token: write #for keyless sign
 
+      packages: write #for updating packages
 
     strategy:
 
       matrix:
 
         include:

+ 5 - 3
.github/workflows/release.yml
Fájl Megtekintése 

@@ -19,7 +19,8 @@ jobs:
 
   release:
 
     name: Create Release
 
     runs-on: ubuntu-latest
 
-
 
+    permissions:
 
+      contents: write # to create a release and push new docs
 
     steps:
 
       - name: Checkout
 
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
@@ -62,8 +63,9 @@ jobs:
 
         - tag_suffix: "-ubi-boringssl" # ubi image
 
 
     permissions:
 
-      id-token: write
 
-      contents: write
 
+      contents: write #to update the github release
 
+      id-token: write #for keyless sign
 
+      packages: write #to update packages with added SBOMs.
 
 
     env:
 
       SOURCE_TAG: ${{ github.event.inputs.source_ref }}${{ matrix.tag_suffix }}

+ 1 - 1
.github/workflows/release_esoctl.yml
Fájl Megtekintése 

@@ -22,7 +22,7 @@ jobs:
 
     name: Create Release for esoctl
 
     runs-on: ubuntu-latest
 
     permissions:
 
-      contents: write
 
+      contents: write # for publishing the release
 
     steps:
 
       - name: Checkout
 
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2