

ci: address workflows security
Signed-off-by: moabu <[email protected]>
moabu committed Jan 7, 2025
1 parent 5ca3e65 commit 7dd250d
Showing 16 changed files with 45 additions and 20 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/activate-release.yml
Expand Up @@ -5,6 +5,8 @@ on:
pull_request:
types:
- closed
permissions:
contents: read
jobs:
create_release:
if: ${{ (github.event.pull_request.merged == true) && (contains(github.event.pull_request.labels.*.name, 'autorelease:pending')) }}
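Review bot: The workflow-level `permissions:` block added here sets every scope that is not listed to `none`, so the `create_release` job that follows (its steps are outside the hunk) will be refused on any release-creating call made with `GITHUB_TOKEN` unless it restores `permissions:` / `  contents: write` at job level. The same check is worth running on the other workflows that receive the identical block in this commit and whose job names suggest writes: `publish_binary_packages` (build-packages.yml) and `publish` (uploadrelease.yml), `cleanup` (clean_github_cache.yml) and `del_runs` (delete_workflow_runs.yml), which need `actions: write` to delete caches or runs, and `label` (label_pr_issues.yml) and `createPullRequest` (update_janssen_helm_chart.yml), which need `issues: write` or `pull-requests: write`. Jobs that authenticate with a separate token (the comment about `mo-auto` in label_pr_issues.yml hints at one) are unaffected, but that cannot be confirmed from these hunks. A comment above the block such as `# GITHUB_TOKEN defaults to read-only; jobs that write must raise scopes in a job-level permissions block.` would make the intent explicit to the next editor.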
2 changes: 2 additions & 0 deletions .github/workflows/build-docs.yml
Expand Up @@ -28,6 +28,8 @@ on:
concurrency:
group: run-once
cancel-in-progress: false
permissions:
contents: read
jobs:
build:
if: github.repository_owner == 'GluuFederation'
2 changes: 2 additions & 0 deletions .github/workflows/build-packages.yml
Expand Up @@ -5,6 +5,8 @@ on:
tags:
- 'v**'
- 'nightly'
permissions:
contents: read
jobs:
publish_binary_packages:
if: github.repository == 'GluuFederation/flex'
3 changes: 2 additions & 1 deletion .github/workflows/central_code_quality_check.yml
Expand Up @@ -21,7 +21,8 @@ on:
- 'docker-**/version.txt'
- '**.md'
workflow_dispatch:

permissions:
contents: read
jobs:
sonar-scan:
name: sonar scan
3 changes: 2 additions & 1 deletion .github/workflows/clean_github_cache.yml
Expand Up @@ -4,7 +4,8 @@ on:
types:
- closed
workflow_dispatch:

permissions:
contents: read
jobs:
cleanup:
runs-on: ubuntu-latest
3 changes: 2 additions & 1 deletion .github/workflows/codeql-analysis.yml
Expand Up @@ -9,7 +9,8 @@ on:
workflow_dispatch:
schedule:
- cron: '0 8 * * *'

permissions:
contents: read
jobs:
analyze:
name: Analyze
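Review bot: The `analyze` job (its steps lie outside the hunk) will not be able to upload CodeQL results once this workflow-level block applies, because the CodeQL analyze/upload action needs `security-events: write` and the new block leaves that scope at `none`. Add a job-level override under `analyze:`, e.g. `permissions:` / `  contents: read` / `  security-events: write`, and keep the workflow-level default read-only. The `build` job in docker_imagescan.yml likely uploads scan results the same way and would need the same override, though its steps are not visible here.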
5 changes: 3 additions & 2 deletions .github/workflows/commit-check.yml
Expand Up @@ -15,7 +15,8 @@ on:
- reopened
- synchronize
push:

permissions:
contents: read
jobs:
check-commit-message:
name: Check Commit Message
Expand All @@ -24,7 +25,7 @@ jobs:
- name: Checkout Project
uses: actions/checkout@v3
with:
# We need to fetch with a depth of 2 for pull_request so we can do HEAD^2
# We need to fetch with a depth of 2 for pull_request, so we can do HEAD^2
fetch-depth: 2

- uses: actions/setup-node@v3
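Review bot: `uses: actions/checkout@v3` and `uses: actions/setup-node@v3` in the second hunk reference mutable tags; for a commit whose purpose is workflow hardening, pinning third-party actions to a full-length commit SHA with the version in a trailing comment (`uses: actions/checkout@<full-sha>  # v3`) is the standard complement to the new `permissions:` block, since a tag can be moved to different code without any change in this repository. Only the comment on the `fetch-depth` line changed in that hunk, and the `check-commit-message` job continues past it. The same tag-style references presumably appear in the other workflows touched by this commit, though they are not within these hunks.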
2 changes: 2 additions & 0 deletions .github/workflows/delete_workflow_runs.yml
Expand Up @@ -3,6 +3,8 @@ on:
schedule:
- cron: '0 0 */2 * *'
workflow_dispatch:
permissions:
contents: read
jobs:
del_runs:
runs-on: ubuntu-latest
14 changes: 7 additions & 7 deletions .github/workflows/docker_build_image.yml
Expand Up @@ -74,9 +74,9 @@ jobs:
if: steps.build_docker_image.outputs.build || github.event_name == 'tags'
run: |
sudo apt-get update
#sudo python3 -m pip install --upgrade pip
sudo pip3 install setuptools --upgrade
sudo pip3 install -r ./automation/requirements.txt
sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
sudo pip3 install --ignore-installed setuptools --upgrade
sudo pip3 install --ignore-installed -r ./automation/requirements.txt
sudo apt-get update
Expand Down Expand Up @@ -149,11 +149,11 @@ jobs:
if: github.event_name == 'workflow_dispatch'
run: |
sudo apt-get update
#sudo python3 -m pip install --upgrade pip
sudo pip3 install setuptools --upgrade
sudo pip3 install -r ./automation/requirements.txt
sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
sudo pip3 install --ignore-installed setuptools --upgrade
sudo pip3 install --ignore-installed -r ./automation/requirements.txt
sudo apt-get update
sudo apt-get install jq
sudo apt-get install --ignore-installed jq
- name: Update Build date in Dockerfile
if: github.event_name == 'workflow_dispatch'
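Review bot: `sudo apt-get install --ignore-installed jq` on the last added line of the second hunk will fail the step: `--ignore-installed` is a pip option, not an apt-get one, and apt-get rejects unknown command-line options; the same line is added in label_pr_issues.yml and update_janssen_helm_chart.yml. Restore it as `sudo apt-get install -y jq` (the `-y` also avoids a confirmation prompt hanging on a non-interactive runner). The pip lines deserve a second look too: `sudo pip3 install --ignore-installed -r ./automation/requirements.txt` runs as root and, with `--ignore-installed`, overwrites distro-managed Python packages on the runner, so whatever the requirements file resolves to replaces system modules that later steps rely on; installing into a virtualenv or with `python3 -m pip install --user` and no `sudo` confines the change to the job. The `|| echo "Failed to upgrade pip"` fallback is acceptable as best effort, but a short comment such as `# pip upgrade is optional; later installs use whichever pip is present` would record that the failure is tolerated on purpose. Both enclosing `run:` steps start before their hunks.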
2 changes: 2 additions & 0 deletions .github/workflows/docker_imagescan.yml
Expand Up @@ -18,6 +18,8 @@ on:
- "!docker-**/version.txt"
- "!**.md"
workflow_dispatch:
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
11 changes: 6 additions & 5 deletions .github/workflows/label_pr_issues.yml
Expand Up @@ -13,7 +13,8 @@ on:
- opened
- edited
workflow_dispatch:

permissions:
contents: read
jobs:
label:
# This cannot run on forks as the user mo-auto does not have access to forks
Expand All @@ -32,11 +33,11 @@ jobs:
- name: Install dependencies
run: |
sudo apt-get update
sudo python3 -m pip install --upgrade pip
sudo pip3 install setuptools --upgrade
sudo pip3 install -r ./automation/requirements.txt
sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
sudo pip3 install --ignore-installed setuptools --upgrade
sudo pip3 install --ignore-installed -r ./automation/requirements.txt
sudo apt-get update
sudo apt-get install jq
sudo apt-get install --ignore-installed jq
curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
sudo apt update
2 changes: 2 additions & 0 deletions .github/workflows/test-report.yml
Expand Up @@ -4,6 +4,8 @@ on:
workflows: ['Test Linux installer']
types:
- completed
permissions:
contents: read
jobs:
report:
runs-on: ubuntu-latest
2 changes: 2 additions & 0 deletions .github/workflows/test_docker_linux_installer.yml
Expand Up @@ -11,6 +11,8 @@ on:
- main
paths:
- "flex-linux-setup/**"
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-20.04
2 changes: 2 additions & 0 deletions .github/workflows/testcases.yml
Expand Up @@ -15,6 +15,8 @@ on:
- "pygluu/**"
- "tests/**"
- "setup.py"
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
8 changes: 5 additions & 3 deletions .github/workflows/update_janssen_helm_chart.yml
Expand Up @@ -6,6 +6,8 @@ on:
- main
paths:
- 'charts/gluu/*'
permissions:
contents: read
jobs:
createPullRequest:
runs-on: ubuntu-latest
Expand All @@ -23,10 +25,10 @@ jobs:
- name: Install dependencies
run: |
sudo apt-get update
sudo python3 -m pip install --upgrade pip
sudo pip3 install -r ./automation/requirements.txt
sudo python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
sudo pip3 install --ignore-installed -r ./automation/requirements.txt
sudo apt-get update
sudo apt-get install jq
sudo apt-get install --ignore-installed jq
- name: install helm-docs
run: |
2 changes: 2 additions & 0 deletions .github/workflows/uploadrelease.yml
Expand Up @@ -12,6 +12,8 @@ on:
required: false
schedule:
- cron: "0 0 * * *"
permissions:
contents: read
jobs:
publish:
name: Publish for ${{ matrix.asset_name }}

