diff --git a/.github/workflows/action-build.yml b/.github/workflows/action-build.yml
index 377b6179e..4cd01ccb6 100644
--- a/.github/workflows/action-build.yml
+++ b/.github/workflows/action-build.yml
@@ -30,6 +30,8 @@ on:
         type: string
         required: false
 
+permissions: read-all
+
 jobs:
   build-sign-upload:
     permissions:
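Review bot: `permissions: read-all` on line 9 gives the default token read access on every scope (actions, checks, packages, security-events, and so on), which is broader than a workflow-level default needs to be when `build-sign-upload` already declares its own job-level `permissions:` block on line 13; the least-privilege shape is `permissions: {}` (or `permissions:` with only `contents: read`) at the top and every grant kept at job scope. If this workflow is invoked through `workflow_call`, the caller's grants still cap whatever is set here, so `read-all` works as a ceiling but does not by itself minimise what each job receives. The same `read-all` line is added in action-check.yml, action-test-image.yml, action-test-k3s.yml, action-test-kind.yml, action-test-smoke.yml, benchmarks.yml, ci.yml, docs.yml, release-wasi-demo-app.yml, release.yml, sbom.yml and sign.yml, and the point applies there as well. The job body continues outside the hunk.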
diff --git a/.github/workflows/action-check.yml b/.github/workflows/action-check.yml
index e9d6d05c5..4aa0802df 100644
--- a/.github/workflows/action-check.yml
+++ b/.github/workflows/action-check.yml
@@ -12,6 +12,8 @@ on:
         required: true
         type: string
 
+permissions: read-all
+
 jobs:
   check:
     name: lint on ${{ inputs.os }}
diff --git a/.github/workflows/action-test-image.yml b/.github/workflows/action-test-image.yml
index 987bcd2a7..5fd8a71b6 100644
--- a/.github/workflows/action-test-image.yml
+++ b/.github/workflows/action-test-image.yml
@@ -9,6 +9,8 @@ on:
         type: string
         default: img
 
+permissions: read-all
+
 jobs:
   test-image:
     name: build test ${{ inputs.image }}
diff --git a/.github/workflows/action-test-k3s.yml b/.github/workflows/action-test-k3s.yml
index 8ab6137ec..df7541de4 100644
--- a/.github/workflows/action-test-k3s.yml
+++ b/.github/workflows/action-test-k3s.yml
@@ -12,6 +12,8 @@ on:
         required: true
         type: string
 
+permissions: read-all
+
 jobs:
   e2e-k3s:
     name: e2e k3s test on ${{ inputs.os }}
diff --git a/.github/workflows/action-test-kind.yml b/.github/workflows/action-test-kind.yml
index 01e0cf391..527557f79 100644
--- a/.github/workflows/action-test-kind.yml
+++ b/.github/workflows/action-test-kind.yml
@@ -18,6 +18,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   e2e-kind:
     name: e2e kind test on ${{ inputs.os }} with ${{ inputs.image }}
diff --git a/.github/workflows/action-test-smoke.yml b/.github/workflows/action-test-smoke.yml
index 7025ac4a2..eb7e4b905 100644
--- a/.github/workflows/action-test-smoke.yml
+++ b/.github/workflows/action-test-smoke.yml
@@ -12,6 +12,8 @@ on:
         required: true
         type: string
 
+permissions: read-all
+
 jobs:
   smoke-test:
     name: smoke test on ${{ inputs.os }}
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 1a8a34492..06785e100 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -5,16 +5,16 @@ on:
     - cron: '0 0 * * *'  # Runs daily at midnight
   pull_request:
 
-permissions:
-  # deployments permission to deploy GitHub pages website
-  deployments: write
-  # contents permission to update benchmark contents in gh-pages branch
-  contents: write
+permissions: read-all
 
 jobs:
   benchmark:
     runs-on: ubuntu-latest
-
+    permissions:
+      # deployments permission to deploy GitHub pages website
+      deployments: write
+      # contents permission to update benchmark contents in gh-pages branch
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions-rust-lang/setup-rust-toolchain@v1
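Review bot: The `benchmark` job now holds `contents: write` and `deployments: write` (lines 98–102) while the workflow is also triggered on `pull_request` (line 85), so unless the benchmark run and the gh-pages publishing step are gated on the event (for example `if: github.event_name != 'pull_request'` on the publishing step), code checked out from a same-repository pull request executes with a write-capable token; fork pull requests receive a read-only token regardless of these settings. A safer shape is to keep the benchmark job read-only and move the publish step into a separate job that carries the write grants and runs only on the `schedule`/push events. The identical grant block is repeated for `benchmark-mem`, `benchmark-http` and `benchmark-stress` in the following three hunks, so the same point applies there. The job's remaining steps are outside the hunk, so whether such a condition already exists cannot be seen here.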
@@ -48,7 +48,11 @@ jobs:
 
   benchmark-mem:
     runs-on: ubuntu-latest
-
+    permissions:
+      # deployments permission to deploy GitHub pages website
+      deployments: write
+      # contents permission to update benchmark contents in gh-pages branch
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions-rust-lang/setup-rust-toolchain@v1
@@ -85,7 +89,11 @@ jobs:
   
   benchmark-http:
     runs-on: ubuntu-latest
-
+    permissions:
+      # deployments permission to deploy GitHub pages website
+      deployments: write
+      # contents permission to update benchmark contents in gh-pages branch
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions-rust-lang/setup-rust-toolchain@v1
@@ -118,7 +126,11 @@ jobs:
 
   benchmark-stress:
     runs-on: ubuntu-latest
-
+    permissions:
+      # deployments permission to deploy GitHub pages website
+      deployments: write
+      # contents permission to update benchmark contents in gh-pages branch
+      contents: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions-rust-lang/setup-rust-toolchain@v1
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ccd94fcde..ccd10c278 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,8 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions: read-all
+
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 5ddf8c0c8..7a78f30bc 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -7,6 +7,8 @@ on:
     branches: [main]
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   changes:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/release-wasi-demo-app.yml b/.github/workflows/release-wasi-demo-app.yml
index 0b16ee4f0..dc646dbed 100644
--- a/.github/workflows/release-wasi-demo-app.yml
+++ b/.github/workflows/release-wasi-demo-app.yml
@@ -19,6 +19,8 @@ env:
   CARGO_TERM_COLOR: always
   IMAGES: "wasi-demo-app wasi-demo-oci wasi-demo-oci-artifact wasi-demo-http"
 
+permissions: read-all
+
 jobs:
   release-wasi-demo:
     permissions:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f8ea3bcce..9e265511b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -35,6 +35,8 @@ concurrency:
 env:
   CARGO_TERM_COLOR: always
 
+permissions: read-all
+
 jobs:
   pre-release:
     name: pre-release checks
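Review bot: With `permissions: read-all` in force from line 192, any job in this workflow that previously relied on the repository's default token permissions to publish (creating the GitHub release, uploading assets, pushing images) now needs an explicit job-level `permissions:` block such as `contents: write`, otherwise it will fail at the publishing step. The `pre-release` job's body and every later job are outside the hunk, so confirm each publishing job declares exactly what it needs. The same check applies to the `sbom` job in sbom.yml, whose name says it signs and attaches SBOMs to an OCI image and whose job-level `permissions:`, if present, is likewise outside its hunk; `release-wasi-demo` in release-wasi-demo-app.yml already shows a job-level `permissions:` block.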
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 6284e4c94..62db7c63d 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -10,6 +10,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   sbom:
     name: Generate SBOM, sign and attach them to OCI image
diff --git a/.github/workflows/sign.yml b/.github/workflows/sign.yml
index 09137644a..7b5622070 100644
--- a/.github/workflows/sign.yml
+++ b/.github/workflows/sign.yml
@@ -10,13 +10,14 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   sign:
     name: Sign image
     permissions:
-      packages: write
-      id-token: write
-
+      packages: write # needed to authenticate and interact with the GitHub Container Registry
+      id-token: write # needed for the cosign signing process
     runs-on: ubuntu-latest
     steps:
       - name: Sanitize image name
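Review bot: The inline comments added on lines 227–228 leave a single space before `#`, which yamllint's default `comments` rule (`min-spaces-from-content: 2`) flags; write them as `packages: write  # needed to authenticate and interact with the GitHub Container Registry` and `id-token: write  # needed for the cosign signing process`. Documenting why each write scope is held is the right practice and matches the comment style already used in benchmarks.yml. The `sign` job's steps continue outside the hunk.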