Continue limiting workflow permissions (#7092)
parent
06449488ce
commit
00f00433f3
|
@ -12,6 +12,9 @@ concurrency:
|
||||||
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
|
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
|
||||||
cancel-in-progress: true
|
cancel-in-progress: true
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
name: Build
|
name: Build
|
||||||
|
|
|
@ -2,6 +2,9 @@ name: Generate Post-Release PR
|
||||||
on:
|
on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
prereqs:
|
prereqs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
@ -15,6 +18,8 @@ jobs:
|
||||||
fi
|
fi
|
||||||
|
|
||||||
create-pull-request-against-main:
|
create-pull-request-against-main:
|
||||||
|
permissions:
|
||||||
|
contents: write # for git push to PR branch
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs:
|
needs:
|
||||||
- prereqs
|
- prereqs
|
||||||
|
|
|
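Review bot: The job-level `permissions:` block on `create-pull-request-against-main` grants only `contents: write`, and every scope not listed in a job-level block is set to `none`, so the default token loses `pull-requests` access. The step that opens the pull request is outside this hunk; if it authenticates with `GITHUB_TOKEN` rather than a separate token, the job also needs `pull-requests: write # for opening the PR`. If a separate token is used, a comment such as `# PR is opened with a separate token, GITHUB_TOKEN only pushes the branch` would stop a later reader from widening the scope unnecessarily. The same check applies to the PR-creating jobs in the Prepare patch release, Prepare release branch and Release (`merge-change-log-to-main`) sections.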
@ -2,8 +2,13 @@ name: Prepare patch release
|
||||||
on:
|
on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
prepare-patch-release:
|
prepare-patch-release:
|
||||||
|
permissions:
|
||||||
|
contents: write # for git push to PR branch
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||||
|
|
|
@ -2,6 +2,9 @@ name: Prepare release branch
|
||||||
on:
|
on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
prereqs:
|
prereqs:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
@ -21,6 +24,8 @@ jobs:
|
||||||
fi
|
fi
|
||||||
|
|
||||||
create-pull-request-against-release-branch:
|
create-pull-request-against-release-branch:
|
||||||
|
permissions:
|
||||||
|
contents: write # for git push to PR branch
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs:
|
needs:
|
||||||
- prereqs
|
- prereqs
|
||||||
|
@ -70,6 +75,8 @@ jobs:
|
||||||
--base $RELEASE_BRANCH_NAME
|
--base $RELEASE_BRANCH_NAME
|
||||||
|
|
||||||
create-pull-request-against-main:
|
create-pull-request-against-main:
|
||||||
|
permissions:
|
||||||
|
contents: write # for git push to PR branch
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs:
|
needs:
|
||||||
- prereqs
|
- prereqs
|
||||||
|
|
|
@ -2,8 +2,13 @@ name: Release
|
||||||
on:
|
on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
release:
|
release:
|
||||||
|
permissions:
|
||||||
|
contents: write # for creating the release
|
||||||
runs-on: ubuntu-24.04
|
runs-on: ubuntu-24.04
|
||||||
outputs:
|
outputs:
|
||||||
version: ${{ steps.create-github-release.outputs.version }}
|
version: ${{ steps.create-github-release.outputs.version }}
|
||||||
|
@ -126,6 +131,8 @@ jobs:
|
||||||
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
merge-change-log-to-main:
|
merge-change-log-to-main:
|
||||||
|
permissions:
|
||||||
|
contents: write # for git push to PR branch
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs:
|
needs:
|
||||||
- release
|
- release
|
||||||
|
|
|
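Review bot: `contents: write` on the `release` job is granted to every step in that job, not only the one that creates the release. Going by the hunk headers, the job runs from the top of the file to past line 126, so most of its steps are outside this view. If the steps before `create-github-release` build or test the project, consider moving release creation into its own short job that holds `contents: write`, and leaving the build on the workflow default of `contents: read`, so build tooling never runs with a write-scoped token. At minimum the comment could name the consumer: `contents: write # for the create-github-release step`.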
@ -3,8 +3,14 @@ name: Reusable - Open issue on workflow failure
|
||||||
on:
|
on:
|
||||||
workflow_call:
|
workflow_call:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
open-issue:
|
open-issue:
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
issues: write # for creating the issue
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
||||||
|
|
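Review bot: `issues: write` on `open-issue` only takes effect if the calling job grants it, because a workflow reached through `workflow_call` can keep or reduce the caller's token permissions but cannot raise them. This commit sets workflow-level `permissions: contents: read` in other workflows, and their callers of this workflow are not visible here. Any job that calls it needs `contents: read` plus `issues: write` in its own `permissions:` block, otherwise the run is rejected for requesting more than it is allowed. A header comment would record that contract: `# callers must grant issues: write on the job that uses this workflow`. The workflow-level `contents: read` is shadowed by the job-level block of the only job shown, but it is still a sensible default for jobs added later.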