Infra: Fix permissions for checkout (#28)

kafbat · Jan 23, 2024 · 9186cd0 · 9186cd0
1 parent 7b02579
commit 9186cd0
Show file tree

Hide file tree

Showing 17 changed files with 41 additions and 9 deletions.
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
@@ -8,9 +8,10 @@ on:
     paths:
       - "kafka-ui-api/**"
       - "pom.xml"
-permissions:
+permissions: # TODO remove when public
   checks: write
   pull-requests: write
+  contents: read
 jobs:
   build-and-test:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/branch-deploy.yml b/.github/workflows/branch-deploy.yml
@@ -8,6 +8,8 @@ jobs:
   build:
     if: ${{ github.event.label.name == 'status/feature_testing' || github.event.label.name == 'status/feature_testing_public' }}
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/branch-remove.yml b/.github/workflows/branch-remove.yml
@@ -6,6 +6,8 @@ on:
 jobs:
   remove:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     if: ${{ (github.event.label.name == 'status/feature_testing' || github.event.label.name == 'status/feature_testing_public') || (github.event.action == 'closed' && (contains(github.event.pull_request.labels.*.name, 'status/feature_testing') || contains(github.event.pull_request.labels.*.name, 'status/feature_testing_public'))) }}
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/build-public-image.yml b/.github/workflows/build-public-image.yml
@@ -7,6 +7,8 @@ jobs:
   build:
     if: ${{ github.event.label.name == 'status/image_testing' }}
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -29,7 +29,8 @@ jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
-
+    permissions: # TODO remove when public
+      contents: read
     strategy:
       fail-fast: false
       matrix:

diff --git a/.github/workflows/cve.yaml b/.github/workflows/cve.yaml
@@ -4,9 +4,12 @@ on:
   schedule:
     # * is a special character in YAML so you have to quote this string
     - cron:  '0 8 15 * *'
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
@@ -8,9 +8,12 @@ on:
       - synchronize
     paths:
       - '**.md'
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/e2e-automation.yml b/.github/workflows/e2e-automation.yml
@@ -15,10 +15,12 @@ on:
         description: 'Set Qase token to enable integration'
         required: false
         type: string
-
+  
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/e2e-checks.yaml b/.github/workflows/e2e-checks.yaml
@@ -8,8 +8,9 @@ on:
       - "kafka-ui-react-app/**"
       - "kafka-ui-e2e-checks/**"
       - "pom.xml"
-permissions:
+permissions: # TODO remove when public
   statuses: write
+  contents: read
 jobs:
   build-and-test:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/e2e-manual.yml b/.github/workflows/e2e-manual.yml
@@ -14,10 +14,12 @@ on:
         description: 'Set Qase token to enable integration'
         required: true
         type: string
-
+  
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/e2e-weekly.yml b/.github/workflows/e2e-weekly.yml
@@ -6,6 +6,8 @@ on:
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/frontend.yaml b/.github/workflows/frontend.yaml
@@ -8,15 +8,15 @@ on:
     paths:
       - "kafka-ui-contract/**"
       - "kafka-ui-react-app/**"
-permissions:
-  checks: write
-  pull-requests: write
+
 jobs:
   build-and-test:
     env:
       CI: true
       NODE_ENV: dev
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
@@ -3,10 +3,12 @@ on:
   workflow_dispatch:
   push:
     branches: [ "main" ]
-
+  
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/release-serde-api.yaml b/.github/workflows/release-serde-api.yaml
@@ -4,6 +4,8 @@ on: workflow_dispatch
 jobs:
   release-serde-api:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -6,6 +6,8 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     outputs:
       version: ${{steps.build.outputs.version}}
     steps:

diff --git a/.github/workflows/separate_env_public_create.yml b/.github/workflows/separate_env_public_create.yml
@@ -10,6 +10,8 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with:

diff --git a/.github/workflows/workflow_linter.yaml b/.github/workflows/workflow_linter.yaml
@@ -8,9 +8,12 @@ on:
       - "edited"
     paths:
       - ".github/workflows/**"
+
 jobs:
   build-and-test:
     runs-on: ubuntu-latest
+    permissions: # TODO remove when public
+      contents: read
     steps:
       - uses: actions/checkout@v4
         with: