Merge pull request #1089 from varunsh-coder/token-perms

ci: add GitHub token permissions for workflows
2025-06-03 03:59:37 +00:00 · 2022-08-06 01:33:23 +03:00 · 2022-08-06 01:33:23 +03:00 · f3ad7d6d4f
commit f3ad7d6d4f
parent 685ed6ecec af962d5645
9 changed files with 32 additions and 0 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -11,6 +11,9 @@ on:
 env:
  GO_VERSION: 1.18.3
  K8S_VERSION: 1.24.2
+permissions:
+  contents: read
+
 jobs:

  docs:
@ -37,6 +40,9 @@ jobs:
        mv _build/html/* $HOME/output/

  golangci:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
    name: lint
    runs-on: ubuntu-latest
    steps:
--- a/.github/workflows/e2e-dlb.yml
+++ b/.github/workflows/e2e-dlb.yml
@ -11,6 +11,9 @@ on:
 env:
  IMAGES: 'intel-dlb-plugin dlb-libdlb-demo'

+permissions:
+  contents: read
+
 jobs:
  e2e-dlb:
    name: e2e-dlb
--- a/.github/workflows/e2e-dsa.yml
+++ b/.github/workflows/e2e-dsa.yml
@ -11,6 +11,9 @@ on:
 env:
  IMAGES: 'intel-dsa-plugin intel-idxd-config-initcontainer accel-config-demo'

+permissions:
+  contents: read
+
 jobs:
  e2e-dsa:
    name: e2e-dsa
--- a/.github/workflows/e2e-fpga.yml
+++ b/.github/workflows/e2e-fpga.yml
@ -11,6 +11,9 @@ on:
 env:
  IMAGES: 'intel-fpga-plugin intel-fpga-initcontainer intel-fpga-admissionwebhook opae-nlb-demo'

+permissions:
+  contents: read
+
 jobs:
  e2e-fpga:
    name: e2e-fpga
--- a/.github/workflows/e2e-gpu.yml
+++ b/.github/workflows/e2e-gpu.yml
@ -11,6 +11,9 @@ on:
 env:
  IMAGES: 'intel-gpu-plugin intel-gpu-initcontainer'

+permissions:
+  contents: read
+
 jobs:
  e2e-gpu:
    name: e2e-gpu
--- a/.github/workflows/e2e-iaa.yml
+++ b/.github/workflows/e2e-iaa.yml
@ -11,6 +11,9 @@ on:
 env:
  IMAGES: 'intel-iaa-plugin intel-idxd-config-initcontainer accel-config-demo'

+permissions:
+  contents: read
+
 jobs:
  e2e-iaa:
    name: e2e-iaa
--- a/.github/workflows/e2e-qat.yml
+++ b/.github/workflows/e2e-qat.yml
@ -11,6 +11,9 @@ on:
 env:
  IMAGES: 'intel-qat-plugin intel-qat-initcontainer crypto-perf'

+permissions:
+  contents: read
+
 jobs:
  e2e-qat:
    name: e2e-qat
--- a/.github/workflows/e2e-sgx.yml
+++ b/.github/workflows/e2e-sgx.yml
@ -11,6 +11,9 @@ on:
 env:
  IMAGES: 'intel-sgx-plugin intel-sgx-initcontainer intel-sgx-admissionwebhook'

+permissions:
+  contents: read
+
 jobs:
  e2e-sgx:
    name: e2e-sgx
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@ -8,9 +8,14 @@ on:
        - release-0.23
        - release-0.24

+permissions:
+  contents: read
+
 jobs:
  build:

+    permissions:
+      contents: write  # for Git to git push
    runs-on: ubuntu-latest

    steps: