Harden GITHUB_TOKEN permissions

Signed-off-by: Craig Ingram <cjingram@google.com>
This commit is contained in:
Craig Ingram 2022-11-01 10:56:38 -04:00
parent 8167751f56
commit a270d6e8ae
No known key found for this signature in database
GPG Key ID: 5B1AE4FE04985AD3
11 changed files with 48 additions and 1 deletions


@ -20,7 +20,7 @@ on:
default: westeurope default: westeurope
permissions: permissions:
packages: write contents: read
env: env:
AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUB_ID }} AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUB_ID }}
@ -30,6 +30,8 @@ env:
jobs: jobs:
images: images:
permissions:
packages: write
name: "Build volume test images" name: "Build volume test images"
runs-on: ubuntu-latest runs-on: ubuntu-latest
timeout-minutes: 60 timeout-minutes: 60
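Review bot: The new job-level `permissions:` block on `images` lists only `packages: write`, so the `contents: read` granted at the workflow level no longer applies to that job: a job-level block replaces the workflow-level one scope by scope rather than merging with it, and every scope it leaves unlisted becomes none. If `images` checks the repository out with actions/checkout (its steps are outside the hunk), the scope should be restated there, `permissions:` / `contents: read` / `packages: write`, the way the `linters` and `CodeQL-Build` jobs elsewhere in this commit spell out each scope they need. A short trailing comment on each scope, as those jobs carry, would also record which step needs the write.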


@ -14,11 +14,17 @@ env:
# Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions. # Note: don't forget to update `Binaries` step, as it contains the matrix of all supported Go versions.
GO_VERSION: "1.19.2" GO_VERSION: "1.19.2"
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
# #
# golangci-lint # golangci-lint
# #
linters: linters:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
name: Linters name: Linters
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
timeout-minutes: 10 timeout-minutes: 10


@ -10,9 +10,16 @@ on:
- main - main
- 'release/**' - 'release/**'
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
CodeQL-Build: CodeQL-Build:
permissions:
actions: read # for github/codeql-action/init to get workflow details
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/analyze to upload SARIF results
strategy: strategy:
fail-fast: false fail-fast: false


@ -1,5 +1,8 @@
name: Fuzzing name: Fuzzing
on: [pull_request] on: [pull_request]
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
# Run all fuzzing tests. Some of them use Go 1.18's testing.F. # Run all fuzzing tests. Some of them use Go 1.18's testing.F.
# Others use https://github.com/AdaLogics/go-fuzz-headers. # Others use https://github.com/AdaLogics/go-fuzz-headers.


@ -9,6 +9,9 @@ on:
image: image:
description: "Target image name (override)" description: "Target image name (override)"
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
mirror: mirror:
name: "Mirror Image" name: "Mirror Image"
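Review bot: After this hunk the `mirror` job is left with only the workflow-level `contents: read` and no job-level grant, so if "Mirror Image" pushes the mirrored image to the GitHub container registry with `GITHUB_TOKEN` (the job's steps are outside the hunk) the push will now fail for lack of `packages: write`. In that case the job needs its own block, `permissions:` / `packages: write`, as the `images` job ("Build volume test images") in the first file of this commit receives. If the job logs in to the registry with a dedicated secret instead, nothing is needed, but it is worth confirming before merge because the failure only surfaces at push time on a manual dispatch.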


@ -9,6 +9,9 @@ on:
env: env:
GO_VERSION: '1.19.2' GO_VERSION: '1.19.2'
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
linux: linux:
name: Linux name: Linux


@ -8,6 +8,9 @@ name: Containerd Release
env: env:
GO_VERSION: '1.19.2' GO_VERSION: '1.19.2'
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
check: check:
name: Check Signed Tag name: Check Signed Tag
@ -123,6 +126,8 @@ jobs:
release: release:
name: Create containerd Release name: Create containerd Release
permissions:
contents: write
runs-on: ubuntu-20.04 runs-on: ubuntu-20.04
timeout-minutes: 10 timeout-minutes: 10
needs: [build, check] needs: [build, check]


@ -7,9 +7,16 @@ on:
schedule: schedule:
- cron: "0 1 * * *" - cron: "0 1 * * *"
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
triggerWinIntegration: triggerWinIntegration:
# NOTE: the following permissions are required by `google-github-actions/auth`:
permissions:
contents: 'read'
id-token: 'write'
if: github.repository == 'containerd/containerd' if: github.repository == 'containerd/containerd'
# NOTE(aznashwan, 11/24/21): GitHub actions do not currently support referencing # NOTE(aznashwan, 11/24/21): GitHub actions do not currently support referencing
# or evaluating any kind of variables in the `uses` clause, but this will # or evaluating any kind of variables in the `uses` clause, but this will
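Review bot: The new job-level scopes on `triggerWinIntegration` are written as quoted scalars, `contents: 'read'` and `id-token: 'write'`, while the workflow-level block a few lines above and every other file in this commit write the same values plain, `contents: read`. The quotes change nothing for the parser, but the mixed style within one file is a needless inconsistency; I would write `contents: read` and `id-token: write`. The same applies to the identical hunk in the second `triggerWinIntegration` section later in this commit. The `# NOTE:` line explaining that `google-github-actions/auth` requires these scopes is useful and should stay.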


@ -28,6 +28,8 @@ env:
WEBSERVER_TESTING_IMAGE_REF: "k8s.gcr.io/e2e-test-images/nginx:1.14-2" WEBSERVER_TESTING_IMAGE_REF: "k8s.gcr.io/e2e-test-images/nginx:1.14-2"
HCSSHIM_TAG: "master" HCSSHIM_TAG: "master"
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
winIntegration: winIntegration:


@ -7,9 +7,16 @@ on:
schedule: schedule:
- cron: "0 1 * * *" - cron: "0 1 * * *"
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
triggerWinIntegration: triggerWinIntegration:
# NOTE: the following permissions are required by `google-github-actions/auth`:
permissions:
contents: 'read'
id-token: 'write'
if: github.repository == 'containerd/containerd' if: github.repository == 'containerd/containerd'
# NOTE(aznashwan, 11/24/21): GitHub actions do not currently support referencing # NOTE(aznashwan, 11/24/21): GitHub actions do not currently support referencing
# or evaluating any kind of variables in the `uses` clause, but this will # or evaluating any kind of variables in the `uses` clause, but this will


@ -27,6 +27,8 @@ env:
RESOURCE_CONSUMER_TESTING_IMAGE_REF: "registry.k8s.io/e2e-test-images/resource-consumer:1.10" RESOURCE_CONSUMER_TESTING_IMAGE_REF: "registry.k8s.io/e2e-test-images/resource-consumer:1.10"
WEBSERVER_TESTING_IMAGE_REF: "registry.k8s.io/e2e-test-images/nginx:1.14-2" WEBSERVER_TESTING_IMAGE_REF: "registry.k8s.io/e2e-test-images/nginx:1.14-2"
permissions: # added using https://github.com/step-security/secure-workflows
contents: read
jobs: jobs:
winIntegration: winIntegration: