diff --git a/.github/workflows/build-test-images.yml b/.github/workflows/build-test-images.yml
index de1fe3a19..22acc2c5b 100644
--- a/.github/workflows/build-test-images.yml
+++ b/.github/workflows/build-test-images.yml
@@ -20,7 +20,7 @@ on:
         default: westeurope
 
 permissions:
-  packages: write
+  contents: read
 
 env:
   AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUB_ID }}
@@ -30,6 +30,8 @@ env:
 jobs:
   images:
+    permissions:
+      packages: write
     name: "Build volume test images"
     runs-on: ubuntu-latest
     timeout-minutes: 60
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f97e69190..f112f7ebe 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,11 +14,17 @@ env:
   # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions.
   GO_VERSION: "1.19.2"
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   #
   # golangci-lint
   #
   linters:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     name: Linters
     runs-on: ${{ matrix.os }}
     timeout-minutes: 10
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4352131e4..456208a12 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -10,9 +10,16 @@ on:
       - main
       - 'release/**'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   CodeQL-Build:
+    permissions:
+      actions: read # for github/codeql-action/init to get workflow details
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/analyze to upload SARIF results
     strategy:
       fail-fast: false
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index df7526545..ee9dfc45a 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
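Review bot: The job-level `permissions` block added to `images` lists only `packages: write`, and a job-level block replaces the workflow-level one rather than extending it, so every scope not listed — including the `contents: read` the first hunk sets at the top of the file — becomes `none` for this job. If the job checks out the repository with the default `GITHUB_TOKEN` (its steps are outside the hunk), add `contents: read # for actions/checkout to fetch code` alongside `packages: write`, which also matches how the ci.yml and codeql.yml hunks annotate each job-level scope. The `images` job definition continues beyond the hunk.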
@@ -1,5 +1,8 @@
 name: Fuzzing
 on: [pull_request]
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   # Run all fuzzing tests. Some of them use Go 1.18's testing.F.
   # Others use https://github.com/AdaLogics/go-fuzz-headers.
diff --git a/.github/workflows/images.yml b/.github/workflows/images.yml
index e786522f7..a4192e753 100644
--- a/.github/workflows/images.yml
+++ b/.github/workflows/images.yml
@@ -9,6 +9,9 @@ on:
       image:
         description: "Target image name (override)"
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   mirror:
     name: "Mirror Image"
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 6f0cfe314..8cf731be5 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -9,6 +9,9 @@ on:
 env:
   GO_VERSION: '1.19.2'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   linux:
     name: Linux
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2620e2823..526d752b1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,9 @@ name: Containerd Release
 env:
   GO_VERSION: '1.19.2'
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   check:
     name: Check Signed Tag
@@ -123,6 +126,8 @@ jobs:
   release:
     name: Create containerd Release
+    permissions:
+      contents: write
     runs-on: ubuntu-20.04
     timeout-minutes: 10
     needs: [build, check]
diff --git a/.github/workflows/windows-hyperv-periodic-trigger.yml b/.github/workflows/windows-hyperv-periodic-trigger.yml
index 3927ea99e..dd7e6639a 100644
--- a/.github/workflows/windows-hyperv-periodic-trigger.yml
+++ b/.github/workflows/windows-hyperv-periodic-trigger.yml
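Review bot: The workflow-level `contents: read` added to images.yml drops every default write scope for the `mirror` job, and unlike build-test-images.yml, where `packages: write` was pushed down to the job that needs it, no job-level block restores anything here. If "Mirror Image" pushes to GHCR with the default `GITHUB_TOKEN` (its steps are outside the hunk), it now needs `permissions:` / `packages: write` on the job; if it logs in to its registry with repository secrets instead, a one-line comment on the job saying so would spare the next reader the same check. The `mirror` job definition continues beyond the hunk.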
@@ -7,9 +7,16 @@ on:
   schedule:
     - cron: "0 1 * * *"
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   triggerWinIntegration:
+    # NOTE: the following permissions are required by `google-github-actions/auth`:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     if: github.repository == 'containerd/containerd'
     # NOTE(aznashwan, 11/24/21): GitHub actions do not currently support referencing
     # or evaluating any kind of variables in the `uses` clause, but this will
diff --git a/.github/workflows/windows-hyperv-periodic.yml b/.github/workflows/windows-hyperv-periodic.yml
index fd773d595..9c1b91940 100644
--- a/.github/workflows/windows-hyperv-periodic.yml
+++ b/.github/workflows/windows-hyperv-periodic.yml
@@ -28,6 +28,8 @@ env:
   WEBSERVER_TESTING_IMAGE_REF: "k8s.gcr.io/e2e-test-images/nginx:1.14-2"
   HCSSHIM_TAG: "master"
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
 jobs:
   winIntegration:
diff --git a/.github/workflows/windows-periodic-trigger.yml b/.github/workflows/windows-periodic-trigger.yml
index 302d4050a..48aad0965 100644
--- a/.github/workflows/windows-periodic-trigger.yml
+++ b/.github/workflows/windows-periodic-trigger.yml
@@ -7,9 +7,16 @@ on:
   schedule:
     - cron: "0 1 * * *"
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   triggerWinIntegration:
+    # NOTE: the following permissions are required by `google-github-actions/auth`:
+    permissions:
+      contents: 'read'
+      id-token: 'write'
     if: github.repository == 'containerd/containerd'
     # NOTE(aznashwan, 11/24/21): GitHub actions do not currently support referencing
     # or evaluating any kind of variables in the `uses` clause, but this will
diff --git a/.github/workflows/windows-periodic.yml b/.github/workflows/windows-periodic.yml
index 78e3c5069..e3294fa26 100644
--- a/.github/workflows/windows-periodic.yml
+++ b/.github/workflows/windows-periodic.yml
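Review bot: The NOTE above the new `permissions` block in `triggerWinIntegration` attributes both scopes to `google-github-actions/auth`, but `id-token: write` is the only scope that action consumes (to request an OIDC token); `contents: read` is presumably there for checkout, which the ci.yml and codeql.yml hunks document per line rather than per block. Consider `contents: 'read' # for actions/checkout to fetch code` and `id-token: 'write' # for google-github-actions/auth to request an OIDC token`, so a later reader trimming scopes knows what each one is for. The values are single-quoted here while every other workflow in this change uses bare `read`/`write`; both are valid YAML, but one form file-wide keeps the permission blocks greppable. The same applies to the identical hunk in windows-periodic-trigger.yml; the job's steps lie outside the hunk.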
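Review bot: The block added to windows-hyperv-periodic.yml ends at `contents: read` with no blank line before `jobs:` (the hunk adds two lines where every other workflow in this change adds three), so the two top-level keys run together unlike in the rest of the set. Adding the blank line after `  contents: read` keeps the ten files consistent. The same applies to the hunk in windows-periodic.yml.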
@@ -27,6 +27,8 @@ env:
   RESOURCE_CONSUMER_TESTING_IMAGE_REF: "registry.k8s.io/e2e-test-images/resource-consumer:1.10"
   WEBSERVER_TESTING_IMAGE_REF: "registry.k8s.io/e2e-test-images/nginx:1.14-2"
 
+permissions: # added using https://github.com/step-security/secure-workflows
+  contents: read
 jobs:
   winIntegration: