chore: Scoped down workflow permissions (#611)

aws-containers · Aug 16, 2024 · 5b3f349 · 5b3f349
1 parent 7475e8e
commit 5b3f349
Show file tree

Hide file tree

Showing 9 changed files with 406 additions and 382 deletions.
diff --git a/.github/workflows/ci-assets.yml b/.github/workflows/ci-assets.yml
@@ -3,39 +3,42 @@ name: Assets CI
 on:
   push:
     branches:
-    - main
+      - main
     paths:
-    - 'src/assets/**'
+      - "src/assets/**"
   pull_request:
     branches:
-    - main
+      - main
     paths:
-    - 'src/assets/**'
-    - 'images/**'
+      - "src/assets/**"
+      - "images/**"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: CI
     runs-on: ubuntu-latest
     steps:
-    - name: Check out code
-      uses: actions/checkout@v3
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v2
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
 
-    - name: Set up QEMU
-      id: qemu
-      uses: docker/setup-qemu-action@v2
-      with:
-        image: tonistiigi/binfmt:latest
-        platforms: all
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
 
-    - name: Set up Docker Buildx
-      id: buildx
-      uses: docker/setup-buildx-action@v2
+      - name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@v2
 
-    - name: Expose GitHub Runtime
-      uses: crazy-max/ghaction-github-runtime@v2
-
-    - name: Build container image
-      run: |
-        scripts/build-image.sh -s assets -t ci --actions-cache
+      - name: Build container image
+        run: |
+          scripts/build-image.sh -s assets -t ci
diff --git a/.github/workflows/ci-cart.yml b/.github/workflows/ci-cart.yml
@@ -3,51 +3,54 @@ name: Cart CI
 on:
   push:
     branches:
-    - main
+      - main
     paths:
-    - 'src/cart/**'
+      - "src/cart/**"
   pull_request:
     branches:
-    - main
+      - main
     paths:
-    - 'src/cart/**'
-    - 'images/**'
+      - "src/cart/**"
+      - "images/**"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: CI
     runs-on: ubuntu-latest
     steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Set up JDK
-      uses: actions/setup-java@v3
-      with:
-        distribution: corretto
-        java-version: 17
-
-    - name: Run CI script
-      env:
-        MAVEN_OPTS: "-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn"
-      run: |
-        src/cart/scripts/ci.sh
-
-    - name: Set up QEMU
-      id: qemu
-      uses: docker/setup-qemu-action@v2
-      with:
-        image: tonistiigi/binfmt:latest
-        platforms: all
-
-    - name: Set up Docker Buildx
-      id: buildx
-      uses: docker/setup-buildx-action@v2
-
-    - name: Expose GitHub Runtime
-      uses: crazy-max/ghaction-github-runtime@v2
-        
-    - name: Build container image
-      run: |
-        scripts/build-image.sh -s cart -t ci --actions-cache
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Set up JDK
+        uses: actions/setup-java@v3
+        with:
+          distribution: corretto
+          java-version: 17
+
+      - name: Run CI script
+        env:
+          MAVEN_OPTS: "-Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=warn"
+        run: |
+          src/cart/scripts/ci.sh
+
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v2
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@v2
+
+      - name: Build container image
+        run: |
+          scripts/build-image.sh -s cart -t ci
diff --git a/.github/workflows/ci-catalog.yml b/.github/workflows/ci-catalog.yml
@@ -3,47 +3,50 @@ name: Catalog CI
 on:
   push:
     branches:
-    - main
+      - main
     paths:
-    - 'src/catalog/**'
+      - "src/catalog/**"
   pull_request:
     branches:
-    - main
+      - main
     paths:
-    - 'src/catalog/**'
-    - 'images/**'
+      - "src/catalog/**"
+      - "images/**"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: CI
     runs-on: ubuntu-latest
     steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - uses: actions/setup-go@v3
-      with:
-        go-version: '^1.18.1'
-
-    - name: Run CI script
-      run: |
-        src/catalog/scripts/ci.sh
-
-    - name: Set up QEMU
-      id: qemu
-      uses: docker/setup-qemu-action@v2
-      with:
-        image: tonistiigi/binfmt:latest
-        platforms: all
-
-    - name: Set up Docker Buildx
-      id: buildx
-      uses: docker/setup-buildx-action@v2
-
-    - name: Expose GitHub Runtime
-      uses: crazy-max/ghaction-github-runtime@v2
-        
-    - name: Build container image
-      run: |
-        scripts/build-image.sh -s catalog -t ci --actions-cache
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "^1.18.1"
+
+      - name: Run CI script
+        run: |
+          src/catalog/scripts/ci.sh
+
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v2
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@v2
+
+      - name: Build container image
+        run: |
+          scripts/build-image.sh -s catalog -t ci
diff --git a/.github/workflows/ci-checkout.yml b/.github/workflows/ci-checkout.yml
@@ -3,48 +3,51 @@ name: Checkout CI
 on:
   push:
     branches:
-    - main
+      - main
     paths:
-    - 'src/checkout/**'
+      - "src/checkout/**"
   pull_request:
     branches:
-    - main
+      - main
     paths:
-    - 'src/checkout/**'
-    - 'images/**'
+      - "src/checkout/**"
+      - "images/**"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: CI
     runs-on: ubuntu-latest
     steps:
-    - name: Check out code
-      uses: actions/checkout@v3
-
-    - name: Set up Nodejs
-      uses: actions/setup-node@v3
-      with:
-        node-version: 16
-
-    - name: Run CI script
-      run: |
-        bash src/checkout/scripts/ci.sh
-
-    - name: Set up QEMU
-      id: qemu
-      uses: docker/setup-qemu-action@v2
-      with:
-        image: tonistiigi/binfmt:latest
-        platforms: all
-
-    - name: Set up Docker Buildx
-      id: buildx
-      uses: docker/setup-buildx-action@v2
-
-    - name: Expose GitHub Runtime
-      uses: crazy-max/ghaction-github-runtime@v2
-        
-    - name: Build container image
-      run: |
-        scripts/build-image.sh -s checkout -t ci --actions-cache
+      - name: Check out code
+        uses: actions/checkout@v3
+
+      - name: Set up Nodejs
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16
+
+      - name: Run CI script
+        run: |
+          bash src/checkout/scripts/ci.sh
+
+      - name: Set up QEMU
+        id: qemu
+        uses: docker/setup-qemu-action@v2
+        with:
+          image: tonistiigi/binfmt:latest
+          platforms: all
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@v2
+
+      - name: Build container image
+        run: |
+          scripts/build-image.sh -s checkout -t ci