From 25985e6504b6bce83698db7a14c5fbb3e9ee0090 Mon Sep 17 00:00:00 2001
From: Vasilii Ilichev
Date: Tue, 23 Jan 2024 20:43:24 +0700
Subject: [PATCH 1/3] test
---
 .github/workflows/test.yaml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/workflows/test.yaml
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
new file mode 100644
index 000000000..8eb62197d
--- /dev/null
+++ b/.github/workflows/test.yaml
@@ -0,0 +1,20 @@
+name: "test"
+on:
+ push:
+ branches:
+ - infra/fix-permissions-for-checkout
+permissions:
+ contents: read
+ checks: write
+ pull-requests: write
+
+jobs:
+ checkout-code:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checking out code
+ uses: actions/checkout@v4
+ - name: pwd
+ run: pwd
+ - name: list files
+ run: ls -lah
\ No newline at end of file
From 73aa34f709cfa58ec290ac1e73e8365bcbe65b6f Mon Sep 17 00:00:00 2001
From: Vasilii Ilichev
Date: Tue, 23 Jan 2024 20:52:38 +0700
Subject: [PATCH 2/3] added permissions for checkout
---
 .github/workflows/backend.yml | 3 ++-
 .github/workflows/branch-deploy.yml | 4 ++++
 .github/workflows/branch-remove.yml | 4 ++++
 .github/workflows/build-public-image.yml | 4 ++++
 .github/workflows/codeql-analysis.yml | 5 +++++
 .github/workflows/cve.yaml | 6 ++++++
 .github/workflows/documentation.yaml | 6 ++++++
 .github/workflows/e2e-automation.yml | 5 +++++
 .github/workflows/e2e-checks.yaml | 5 ++++-
 .github/workflows/e2e-manual.yml | 5 +++++
 .github/workflows/e2e-weekly.yml | 5 +++++
 .github/workflows/frontend.yaml | 4 +++-
 .github/workflows/master.yaml | 5 +++++
 .github/workflows/release-serde-api.yaml | 5 +++++
 .github/workflows/release.yaml | 5 +++++
 .../workflows/separate_env_public_create.yml | 5 +++++
 .github/workflows/test.yaml | 20 -------------------
 .github/workflows/workflow_linter.yaml | 6 ++++++
 18 files changed, 79 insertions(+), 23 deletions(-)
 delete mode 100644 .github/workflows/test.yaml
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index b16862117..8e4d6aed2 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -8,9 +8,10 @@ on:
 paths:
 - "kafka-ui-api/**"
 - "pom.xml"
-permissions:
+permissions: # TODO remove when public
 checks: write
 pull-requests: write
+ contents: read
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/branch-deploy.yml b/.github/workflows/branch-deploy.yml
index 1d6e9b920..5763106b9 100644
--- a/.github/workflows/branch-deploy.yml
+++ b/.github/workflows/branch-deploy.yml
@@ -4,6 +4,10 @@ on:
 pull_request:
 types: ['labeled']
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
 jobs:
 build:
 if: ${{ github.event.label.name == 'status/feature_testing' || github.event.label.name == 'status/feature_testing_public' }}
diff --git a/.github/workflows/branch-remove.yml b/.github/workflows/branch-remove.yml
index 596f5542c..52c998657 100644
--- a/.github/workflows/branch-remove.yml
+++ b/.github/workflows/branch-remove.yml
@@ -3,6 +3,10 @@ on:
 workflow_dispatch:
 pull_request:
 types: ['unlabeled', 'closed']
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
 jobs:
 remove:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/build-public-image.yml b/.github/workflows/build-public-image.yml
index 935c742b5..d92fcb218 100644
--- a/.github/workflows/build-public-image.yml
+++ b/.github/workflows/build-public-image.yml
@@ -3,6 +3,10 @@ on:
 workflow_dispatch:
 pull_request:
 types: ['labeled']
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
 jobs:
 build:
 if: ${{ github.event.label.name == 'status/image_testing' }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 251ba31bf..bef80c4bd 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
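Review bot: In the backend.yml hunk the `# TODO remove when public` marker is attached to the whole `permissions:` block, but `checks: write` and `pull-requests: write` are unchanged context lines that predate this change; only the added `contents: read` is the private-repository workaround the comment describes. Someone acting on the TODO later could drop the write scopes that the reporting steps in this workflow may still need. Put the marker on the line it applies to, `contents: read # TODO remove when public`, and leave `permissions:` bare. The same mismatch is in the e2e-checks.yaml hunk (pre-existing `statuses: write`) and the frontend.yaml hunk, both of which also keep their original write scopes. The jobs' step lists continue outside these hunks, so which scopes are still used cannot be confirmed here.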
@@ -25,6 +25,11 @@ on:
 schedule:
 - cron: '39 15 * * 6'
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/cve.yaml b/.github/workflows/cve.yaml
index 32b2302cd..74ae6ae34 100644
--- a/.github/workflows/cve.yaml
+++ b/.github/workflows/cve.yaml
@@ -4,6 +4,12 @@ on:
 schedule:
 # * is a special character in YAML so you have to quote this string
 - cron: '0 8 15 * *'
+
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
index b87692f55..d9d75c77e 100644
--- a/.github/workflows/documentation.yaml
+++ b/.github/workflows/documentation.yaml
@@ -8,6 +8,12 @@ on:
 - synchronize
 paths:
 - '**.md'
+
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e-automation.yml b/.github/workflows/e2e-automation.yml
index 9f379458e..5780775e1 100644
--- a/.github/workflows/e2e-automation.yml
+++ b/.github/workflows/e2e-automation.yml
@@ -16,6 +16,11 @@ on:
 required: false
 type: string
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e-checks.yaml b/.github/workflows/e2e-checks.yaml
index 0f0919ab8..f7aeae419 100644
--- a/.github/workflows/e2e-checks.yaml
+++ b/.github/workflows/e2e-checks.yaml
@@ -8,8 +8,11 @@ on:
 - "kafka-ui-react-app/**"
 - "kafka-ui-e2e-checks/**"
 - "pom.xml"
-permissions:
+permissions: # TODO remove when public
 statuses: write
+ checks: write
+ pull-requests: write
+ contents: read
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e-manual.yml b/.github/workflows/e2e-manual.yml
index e042aa8c2..c204a70d5 100644
--- a/.github/workflows/e2e-manual.yml
+++ b/.github/workflows/e2e-manual.yml
@@ -15,6 +15,11 @@ on:
 required: true
 type: string
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e-weekly.yml b/.github/workflows/e2e-weekly.yml
index bee953f6b..7ed07c57a 100644
--- a/.github/workflows/e2e-weekly.yml
+++ b/.github/workflows/e2e-weekly.yml
@@ -3,6 +3,11 @@ on:
 schedule:
 - cron: '0 1 * * 1'
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/frontend.yaml b/.github/workflows/frontend.yaml
index a0fc5a6c3..cae3ca555 100644
--- a/.github/workflows/frontend.yaml
+++ b/.github/workflows/frontend.yaml
@@ -8,9 +8,11 @@ on:
 paths:
 - "kafka-ui-contract/**"
 - "kafka-ui-react-app/**"
-permissions:
+permissions: # TODO remove when public
 checks: write
 pull-requests: write
+ contents: read
+
 jobs:
 build-and-test:
 env:
diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index 15a15e9a6..3785dca4b 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -4,6 +4,11 @@ on:
 push:
 branches: [ "main" ]
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release-serde-api.yaml b/.github/workflows/release-serde-api.yaml
index e8c31695e..35b549bdc 100644
--- a/.github/workflows/release-serde-api.yaml
+++ b/.github/workflows/release-serde-api.yaml
@@ -1,6 +1,11 @@
 name: "Infra: Release: Serde API"
 on: workflow_dispatch
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 release-serde-api:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 7f098e702..d63bb88db 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,6 +3,11 @@ on:
 release:
 types: [published]
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 release:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/separate_env_public_create.yml b/.github/workflows/separate_env_public_create.yml
index da410b58f..c3d0715d2 100644
--- a/.github/workflows/separate_env_public_create.yml
+++ b/.github/workflows/separate_env_public_create.yml
@@ -7,6 +7,11 @@ on:
 required: true
 default: 'demo'
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
deleted file mode 100644
index 8eb62197d..000000000
--- a/.github/workflows/test.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: "test"
-on:
- push:
- branches:
- - infra/fix-permissions-for-checkout
-permissions:
- contents: read
- checks: write
- pull-requests: write
-
-jobs:
- checkout-code:
- runs-on: ubuntu-latest
- steps:
- - name: Checking out code
- uses: actions/checkout@v4
- - name: pwd
- run: pwd
- - name: list files
- run: ls -lah
\ No newline at end of file
diff --git a/.github/workflows/workflow_linter.yaml b/.github/workflows/workflow_linter.yaml
index ead898cf0..f9dfe7e87 100644
--- a/.github/workflows/workflow_linter.yaml
+++ b/.github/workflows/workflow_linter.yaml
@@ -8,6 +8,12 @@ on:
 - "edited"
 paths:
 - ".github/workflows/**"
+
+permissions: # TODO remove when public
+ checks: write
+ pull-requests: write
+ contents: read
+
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
From fb047df6ad8b88a24067e41b95677dcbe53abc11 Mon Sep 17 00:00:00 2001
From: Vasilii Ilichev
Date: Tue, 23 Jan 2024 23:01:37 +0700
Subject: [PATCH 3/3] fixed permissions
---
 .github/workflows/branch-deploy.yml | 6 ++----
 .github/workflows/branch-remove.yml | 6 ++----
 .github/workflows/build-public-image.yml | 6 ++----
 .github/workflows/codeql-analysis.yml | 8 ++------
 .github/workflows/cve.yaml | 7 ++-----
 .github/workflows/documentation.yaml | 7 ++-----
 .github/workflows/e2e-automation.yml | 7 ++-----
 .github/workflows/e2e-checks.yaml | 2 --
 .github/workflows/e2e-manual.yml | 7 ++-----
 .github/workflows/e2e-weekly.yml | 7 ++-----
 .github/workflows/frontend.yaml | 6 ++----
 .github/workflows/master.yaml | 7 ++-----
 .github/workflows/release-serde-api.yaml | 7 ++-----
 .github/workflows/release.yaml | 7 ++-----
 .github/workflows/separate_env_public_create.yml | 7 ++-----
 .github/workflows/workflow_linter.yaml | 7 ++-----
 16 files changed, 30 insertions(+), 74 deletions(-)
diff --git a/.github/workflows/branch-deploy.yml b/.github/workflows/branch-deploy.yml
index 5763106b9..c2e8b8ef9 100644
--- a/.github/workflows/branch-deploy.yml
+++ b/.github/workflows/branch-deploy.yml
@@ -4,14 +4,12 @@ on:
 pull_request:
 types: ['labeled']
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
 jobs:
 build:
 if: ${{ github.event.label.name == 'status/feature_testing' || github.event.label.name == 'status/feature_testing_public' }}
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/branch-remove.yml b/.github/workflows/branch-remove.yml
index 52c998657..00b329167 100644
--- a/.github/workflows/branch-remove.yml
+++ b/.github/workflows/branch-remove.yml
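Review bot: The job-level `permissions:` block added after `runs-on` in the branch-deploy.yml hunk sets every scope it does not list to none for that job, so the `checks: write` and `pull-requests: write` that the removed workflow-level block granted are gone, not merely narrowed. That is the right default for a checkout, but any later step in the job that calls the GitHub API with `GITHUB_TOKEN` (the step list continues outside the hunk) will now fail with a permission error and needs its scope listed in this block, e.g. `pull-requests: write` for a job that comments on the PR, rather than the block being widened again at workflow level. The same applies to the branch-remove.yml, build-public-image.yml, cve.yaml, documentation.yaml, e2e-automation.yml, e2e-manual.yml, e2e-weekly.yml, frontend.yaml, master.yaml, release-serde-api.yaml, release.yaml, separate_env_public_create.yml and workflow_linter.yaml hunks; release.yaml in particular would need `contents: write` if its `release` job publishes tags or assets with the default token. Note also that only the one job shown per file gets the block, so any other job in these workflows (release.yaml's `release` job declares `outputs:`, which suggests a dependent job) keeps the repository default token and will hit the same checkout failure this series fixes if it also runs actions/checkout.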
@@ -3,13 +3,11 @@ on:
 workflow_dispatch:
 pull_request:
 types: ['unlabeled', 'closed']
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
 jobs:
 remove:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 if: ${{ (github.event.label.name == 'status/feature_testing' || github.event.label.name == 'status/feature_testing_public') || (github.event.action == 'closed' && (contains(github.event.pull_request.labels.*.name, 'status/feature_testing') || contains(github.event.pull_request.labels.*.name, 'status/feature_testing_public'))) }}
 steps:
 - uses: actions/checkout@v4
diff --git a/.github/workflows/build-public-image.yml b/.github/workflows/build-public-image.yml
index d92fcb218..9cfa873b6 100644
--- a/.github/workflows/build-public-image.yml
+++ b/.github/workflows/build-public-image.yml
@@ -3,14 +3,12 @@ on:
 workflow_dispatch:
 pull_request:
 types: ['labeled']
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
 jobs:
 build:
 if: ${{ github.event.label.name == 'status/image_testing' }}
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index bef80c4bd..21c8ee72a 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -25,16 +25,12 @@ on:
 schedule:
 - cron: '39 15 * * 6'
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
-
 jobs:
 analyze:
 name: Analyze
 runs-on: ubuntu-latest
-
+ permissions: # TODO remove when public
+ contents: read
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/cve.yaml b/.github/workflows/cve.yaml
index 74ae6ae34..e4433c35e 100644
--- a/.github/workflows/cve.yaml
+++ b/.github/workflows/cve.yaml
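Review bot: The `analyze` job in the codeql-analysis.yml hunk now carries a job-level `permissions:` block listing only `contents: read`, which sets `security-events` to none for that job; the CodeQL result upload that a job of this name and matrix shape presumably runs (its steps are outside the hunk) requires `security-events: write`, and on a private repository, which the `# TODO remove when public` marker implies, `actions: read` as well. Without them the analysis still runs but the upload of results is rejected, so the workflow fails exactly where it used to succeed under the broader block this hunk removes. Add `security-events: write` and `actions: read` under `contents: read` in the new block.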
@@ -4,15 +4,12 @@ on:
 schedule:
 # * is a special character in YAML so you have to quote this string
 - cron: '0 8 15 * *'
-
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
index d9d75c77e..1271b8287 100644
--- a/.github/workflows/documentation.yaml
+++ b/.github/workflows/documentation.yaml
@@ -9,14 +9,11 @@ on:
 paths:
 - '**.md'
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
-
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/e2e-automation.yml b/.github/workflows/e2e-automation.yml
index 5780775e1..1ccc2e340 100644
--- a/.github/workflows/e2e-automation.yml
+++ b/.github/workflows/e2e-automation.yml
@@ -15,15 +15,12 @@ on:
 description: 'Set Qase token to enable integration'
 required: false
 type: string
-
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/e2e-checks.yaml b/.github/workflows/e2e-checks.yaml
index f7aeae419..ff336ac28 100644
--- a/.github/workflows/e2e-checks.yaml
+++ b/.github/workflows/e2e-checks.yaml
@@ -10,8 +10,6 @@ on:
 - "pom.xml"
 permissions: # TODO remove when public
 statuses: write
- checks: write
- pull-requests: write
 contents: read
 jobs:
 build-and-test:
diff --git a/.github/workflows/e2e-manual.yml b/.github/workflows/e2e-manual.yml
index c204a70d5..0e80ccf33 100644
--- a/.github/workflows/e2e-manual.yml
+++ b/.github/workflows/e2e-manual.yml
@@ -14,15 +14,12 @@ on:
 description: 'Set Qase token to enable integration'
 required: true
 type: string
-
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/e2e-weekly.yml b/.github/workflows/e2e-weekly.yml
index 7ed07c57a..671fcac67 100644
--- a/.github/workflows/e2e-weekly.yml
+++ b/.github/workflows/e2e-weekly.yml
@@ -3,14 +3,11 @@ on:
 schedule:
 - cron: '0 1 * * 1'
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
-
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/frontend.yaml b/.github/workflows/frontend.yaml
index cae3ca555..b8d430d36 100644
--- a/.github/workflows/frontend.yaml
+++ b/.github/workflows/frontend.yaml
@@ -8,10 +8,6 @@ on:
 paths:
 - "kafka-ui-contract/**"
 - "kafka-ui-react-app/**"
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
 jobs:
 build-and-test:
@@ -19,6 +15,8 @@ jobs:
 CI: true
 NODE_ENV: dev
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/master.yaml b/.github/workflows/master.yaml
index 3785dca4b..5721bbc63 100644
--- a/.github/workflows/master.yaml
+++ b/.github/workflows/master.yaml
@@ -3,15 +3,12 @@ on:
 workflow_dispatch:
 push:
 branches: [ "main" ]
-
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/release-serde-api.yaml b/.github/workflows/release-serde-api.yaml
index 35b549bdc..9d0012778 100644
--- a/.github/workflows/release-serde-api.yaml
+++ b/.github/workflows/release-serde-api.yaml
@@ -1,14 +1,11 @@
 name: "Infra: Release: Serde API"
 on: workflow_dispatch
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
-
 jobs:
 release-serde-api:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index d63bb88db..5a6a0d327 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -3,14 +3,11 @@ on:
 release:
 types: [published]
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
-
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 outputs:
 version: ${{steps.build.outputs.version}}
 steps:
diff --git a/.github/workflows/separate_env_public_create.yml b/.github/workflows/separate_env_public_create.yml
index c3d0715d2..022b66792 100644
--- a/.github/workflows/separate_env_public_create.yml
+++ b/.github/workflows/separate_env_public_create.yml
@@ -7,14 +7,11 @@ on:
 required: true
 default: 'demo'
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
-
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with:
diff --git a/.github/workflows/workflow_linter.yaml b/.github/workflows/workflow_linter.yaml
index f9dfe7e87..c0a05c668 100644
--- a/.github/workflows/workflow_linter.yaml
+++ b/.github/workflows/workflow_linter.yaml
@@ -9,14 +9,11 @@ on:
 paths:
 - ".github/workflows/**"
-permissions: # TODO remove when public
- checks: write
- pull-requests: write
- contents: read
-
 jobs:
 build-and-test:
 runs-on: ubuntu-latest
+ permissions: # TODO remove when public
+ contents: read
 steps:
 - uses: actions/checkout@v4
 with: