diff --git a/.github/workflows/jetson-agx-orin-devkit-64gb.yml b/.github/workflows/jetson-agx-orin-devkit-64gb.yml
index 2aca3ca2..8b959025 100644
--- a/.github/workflows/jetson-agx-orin-devkit-64gb.yml
+++ b/.github/workflows/jetson-agx-orin-devkit-64gb.yml
@@ -9,10 +9,10 @@ on:
 - master
 # ESR branches glob pattern
 #- 20[0-9][0-9].[0-1]?[1470].x
- # pull_request_target:
- # branches:
- # - main
- # - master
+ pull_request_target:
+ branches:
+ - main
+ - master
 push:
 tags:
 # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
@@ -31,11 +31,17 @@ on:
 type: string
 default: balena-staging.com
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@ded533f1b8c8ff983dbcff2d219851130f8bfc4d # v1.27.2
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/jetson-agx-orin-devkit.yml b/.github/workflows/jetson-agx-orin-devkit.yml
index a2185138..aedd7c50 100644
--- a/.github/workflows/jetson-agx-orin-devkit.yml
+++ b/.github/workflows/jetson-agx-orin-devkit.yml
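Review bot: Enabling `pull_request_target` for `main` and `master` in `.github/workflows/jetson-agx-orin-devkit-64gb.yml` means pull requests from forks now start this workflow in the base repository's context, where its secrets and declared token permissions are available. Whether that is safe depends on the called `yocto-build-deploy.yml`, which is not visible in this diff: if it checks out and builds the pull request head, fork-supplied recipes and scripts would run with those credentials unless an approval step comes first. The comment on `pull-requests: write` mentions workflow approvals, so such a gate presumably exists, but nothing in this file records the dependency. I would add a comment above the trigger, for example `# Fork PRs run with base-repo credentials; the called workflow must require approval before checking out the PR head`. The same trigger is enabled in the other five workflow files in this commit.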
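Review bot: The `uses:` line in `.github/workflows/jetson-agx-orin-devkit-64gb.yml` replaces a full commit SHA with the mutable ref `@master`, so every run executes whatever that branch holds at the time, in a workflow that this same hunk grants `id-token: write` and `pull-requests: write`. Any later change to the branch in balena-os/balena-yocto-scripts, intended or not, would run with those permissions without being reviewed in this repository. I would keep the previous form and pin to the commit that carries the needed changes, `uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@<full-commit-sha> # <release tag>`. The same substitution is made in the other five workflow files in this commit.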
@@ -9,10 +9,10 @@ on:
 - master
 # ESR branches glob pattern
 #- 20[0-9][0-9].[0-1]?[1470].x
- # pull_request_target:
- # branches:
- # - main
- # - master
+ pull_request_target:
+ branches:
+ - main
+ - master
 push:
 tags:
 # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
@@ -31,11 +31,17 @@ on:
 type: string
 default: balena-staging.com
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@ded533f1b8c8ff983dbcff2d219851130f8bfc4d # v1.27.2
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/jetson-orin-nano-devkit-nvme.yml b/.github/workflows/jetson-orin-nano-devkit-nvme.yml
index ca77b7b0..269796cb 100644
--- a/.github/workflows/jetson-orin-nano-devkit-nvme.yml
+++ b/.github/workflows/jetson-orin-nano-devkit-nvme.yml
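Review bot: The `permissions:` block added to `.github/workflows/jetson-agx-orin-devkit.yml` is declared at workflow level, so `id-token: write` and `pull-requests: write` apply to every job in the file and to every trigger, including the newly enabled `pull_request_target`. Only the `yocto` job is visible in this hunk; if it is the only consumer, I would declare the block under `jobs.yocto.permissions` so that a job added later does not inherit the write scopes. `packages: read` and `contents: read` also lack the rationale comments the other three entries carry; a short one such as `# needed to check out the repository` on `contents: read` would do, once the actual reason is confirmed. The same block is added in the other five workflow files in this commit.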
@@ -9,10 +9,10 @@ on:
 - master
 # ESR branches glob pattern
 #- 20[0-9][0-9].[0-1]?[1470].x
- # pull_request_target:
- # branches:
- # - main
- # - master
+ pull_request_target:
+ branches:
+ - main
+ - master
 push:
 tags:
 # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
@@ -31,11 +31,17 @@ on:
 type: string
 default: balena-staging.com
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@ded533f1b8c8ff983dbcff2d219851130f8bfc4d # v1.27.2
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/jetson-orin-nano-seeed-j3010.yml b/.github/workflows/jetson-orin-nano-seeed-j3010.yml
index a0a99858..946d201a 100644
--- a/.github/workflows/jetson-orin-nano-seeed-j3010.yml
+++ b/.github/workflows/jetson-orin-nano-seeed-j3010.yml
@@ -9,10 +9,10 @@ on:
 - master
 # ESR branches glob pattern
 #- 20[0-9][0-9].[0-1]?[1470].x
- # pull_request_target:
- # branches:
- # - main
- # - master
+ pull_request_target:
+ branches:
+ - main
+ - master
 push:
 tags:
 # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
@@ -31,11 +31,17 @@ on:
 type: string
 default: balena-staging.com
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@ded533f1b8c8ff983dbcff2d219851130f8bfc4d # v1.27.2
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/jetson-orin-nx-seeed-j4012.yml b/.github/workflows/jetson-orin-nx-seeed-j4012.yml
index 604ccc1e..08896692 100644
--- a/.github/workflows/jetson-orin-nx-seeed-j4012.yml
+++ b/.github/workflows/jetson-orin-nx-seeed-j4012.yml
@@ -9,10 +9,10 @@ on:
 - master
 # ESR branches glob pattern
 #- 20[0-9][0-9].[0-1]?[1470].x
- # pull_request_target:
- # branches:
- # - main
- # - master
+ pull_request_target:
+ branches:
+ - main
+ - master
 push:
 tags:
 # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
@@ -31,11 +31,17 @@ on:
 type: string
 default: balena-staging.com
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@ded533f1b8c8ff983dbcff2d219851130f8bfc4d # v1.27.2
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/jetson-orin-nx-xavier-nx-devkit.yml b/.github/workflows/jetson-orin-nx-xavier-nx-devkit.yml
index 83b248e7..59a8c947 100644
--- a/.github/workflows/jetson-orin-nx-xavier-nx-devkit.yml
+++ b/.github/workflows/jetson-orin-nx-xavier-nx-devkit.yml
@@ -9,10 +9,10 @@ on:
 - master
 # ESR branches glob pattern
 #- 20[0-9][0-9].[0-1]?[1470].x
- # pull_request_target:
- # branches:
- # - main
- # - master
+ pull_request_target:
+ branches:
+ - main
+ - master
 push:
 tags:
 # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)
@@ -31,11 +31,17 @@ on:
 type: string
 default: balena-staging.com
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@ded533f1b8c8ff983dbcff2d219851130f8bfc4d # v1.27.2
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while