forked from TrueCloudLab/distribution
Merge pull request #3741 from sashashura/patch-1
GitHub Workflows security hardening
This commit is contained in:
Milos Gajdos
GitHub
commit
0e18af15f8
6 changed files with 25 additions and 0 deletions
6
.github/workflows/build.yml
vendored
6
.github/workflows/build.yml
vendored
|
|
@ -16,6 +16,9 @@ on:
|
||||||
env:
|
env:
|
||||||
DOCKERHUB_SLUG: distribution/distribution
|
DOCKERHUB_SLUG: distribution/distribution
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read # to fetch code (actions/checkout)
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
test:
|
test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
@ -45,6 +48,9 @@ jobs:
|
||||||
directory: ./
|
directory: ./
|
||||||
|
|
||||||
build:
|
build:
|
||||||
|
permissions:
|
||||||
|
contents: write # to create GitHub release (softprops/action-gh-release)
|
||||||
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs:
|
needs:
|
||||||
- test
|
- test
|
||||||
|
|
|
||||||
7
.github/workflows/codeql-analysis.yml
vendored
7
.github/workflows/codeql-analysis.yml
vendored
|
|
@ -15,8 +15,15 @@ on:
|
||||||
- 'v*'
|
- 'v*'
|
||||||
pull_request:
|
pull_request:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read # to fetch code (actions/checkout)
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
analyze:
|
analyze:
|
||||||
|
permissions:
|
||||||
|
contents: read # to fetch code (actions/checkout)
|
||||||
|
security-events: write # to upload SARIF results (github/codeql-action/analyze)
|
||||||
|
|
||||||
name: Analyze
|
name: Analyze
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
strategy:
|
strategy:
|
||||||
|
|
|
||||||
3
.github/workflows/conformance.yml
vendored
3
.github/workflows/conformance.yml
vendored
|
|
@ -8,6 +8,9 @@ on:
|
||||||
pull_request:
|
pull_request:
|
||||||
push:
|
push:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read # to fetch code (actions/checkout)
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
run-conformance-test:
|
run-conformance-test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
|
||||||
3
.github/workflows/e2e.yml
vendored
3
.github/workflows/e2e.yml
vendored
|
|
@ -11,6 +11,9 @@ on:
|
||||||
- 'release/*'
|
- 'release/*'
|
||||||
pull_request:
|
pull_request:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read # to fetch code (actions/checkout)
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
run-e2e-test:
|
run-e2e-test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
|
||||||
3
.github/workflows/fossa.yml
vendored
3
.github/workflows/fossa.yml
vendored
|
|
@ -8,6 +8,9 @@ on:
|
||||||
- pull_request
|
- pull_request
|
||||||
- push
|
- push
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read # to fetch code (actions/checkout)
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
scan-license:
|
scan-license:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
|
||||||
3
.github/workflows/validate.yml
vendored
3
.github/workflows/validate.yml
vendored
|
|
@ -13,6 +13,9 @@ on:
|
||||||
- 'v*'
|
- 'v*'
|
||||||
pull_request:
|
pull_request:
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read # to fetch code (actions/checkout)
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
validate:
|
validate:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue