From 7438c8875b96fc8a001a69b2806ef5d806f9fbb3 Mon Sep 17 00:00:00 2001 From: Ryan Cooke Date: Fri, 29 Nov 2024 15:12:40 +0000 Subject: [PATCH 1/3] Explicitly set GITHUB_TOKEN permissions for yocto workflow Changelog-entry: Explicitly set GITHUB_TOKEN permissions for yocto workflow Signed-off-by: Ryan Cooke --- .github/workflows/genericx86-64.yml | 7 +++++++ .github/workflows/intel-nuc.yml | 7 +++++++ .github/workflows/surface-go.yml | 7 +++++++ .github/workflows/surface-pro-6.yml | 7 +++++++ 4 files changed, 28 insertions(+) diff --git a/.github/workflows/genericx86-64.yml b/.github/workflows/genericx86-64.yml index 78db650e..28b29e5e 100644 --- a/.github/workflows/genericx86-64.yml +++ b/.github/workflows/genericx86-64.yml @@ -31,6 +31,13 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto diff --git a/.github/workflows/intel-nuc.yml b/.github/workflows/intel-nuc.yml index 176c09e6..a19098da 100644 --- a/.github/workflows/intel-nuc.yml +++ b/.github/workflows/intel-nuc.yml 
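Review bot: The added `permissions` block is workflow-level and combines `id-token: write` with `pull-requests: write`, so every event this workflow fires on — including the `pull_request_target` trigger that PATCH 3 of this series re-enables — receives a token that can mint OIDC credentials and write PR comments; the job-level `if:` that is meant to gate fork-originated runs sits outside this hunk, so its effect cannot be confirmed here. Since the only job is a reusable-workflow call, placing the block under `jobs.yocto.permissions:` (the called workflow can only narrow what the caller grants) keeps the grant next to the condition that guards it. The same block is added unchanged to intel-nuc.yml, surface-go.yml and surface-pro-6.yml. Minor: the stray second `#` in the id-token comment reads like a nested comment; `# Required to request the OIDC JWT; see <docs link>` is clearer.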
@@ -31,6 +31,13 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto diff --git a/.github/workflows/surface-go.yml b/.github/workflows/surface-go.yml index f39d3e02..59feea07 100644 --- a/.github/workflows/surface-go.yml +++ b/.github/workflows/surface-go.yml @@ -31,6 +31,13 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto diff --git a/.github/workflows/surface-pro-6.yml b/.github/workflows/surface-pro-6.yml index 42c1ff01..5259d97a 100644 --- a/.github/workflows/surface-pro-6.yml +++ b/.github/workflows/surface-pro-6.yml 
@@ -31,6 +31,13 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto From 525dc1e590044680a189af03bd4095b3db08d777 Mon Sep 17 00:00:00 2001 From: Ryan Cooke Date: Fri, 29 Nov 2024 15:14:08 +0000 Subject: [PATCH 2/3] Pin yocto workflow to master Signed-off-by: Ryan Cooke --- .github/workflows/genericx86-64.yml | 2 +- .github/workflows/intel-nuc.yml | 2 +- .github/workflows/surface-go.yml | 2 +- .github/workflows/surface-pro-6.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/genericx86-64.yml b/.github/workflows/genericx86-64.yml index 28b29e5e..b1ce962d 100644 --- a/.github/workflows/genericx86-64.yml +++ b/.github/workflows/genericx86-64.yml @@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@05b373abd099d1862fdff51e96b0122940505756 # v1.27.15 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/intel-nuc.yml b/.github/workflows/intel-nuc.yml index a19098da..b68f7fbb 100644 
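Review bot: The new `uses:` line replaces a full-SHA pin (`@05b373...` # v1.27.15) with the mutable `@master` branch ref, so whatever lands on that branch of balena-yocto-scripts runs here immediately with the `id-token: write` and `pull-requests: write` grants from PATCH 1, and the subject "Pin yocto workflow to master" describes the opposite of what a branch ref does. If tracking unreleased changes is the intent, a comment marking it temporary, e.g. `# TODO: re-pin to a tagged commit SHA before release`, keeps that visible; otherwise restore the previous form `uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@<full-commit-sha> # <tag>`. The same change is made in intel-nuc.yml, surface-go.yml and surface-pro-6.yml.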
--- a/.github/workflows/intel-nuc.yml +++ b/.github/workflows/intel-nuc.yml @@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@05b373abd099d1862fdff51e96b0122940505756 # v1.27.15 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/surface-go.yml b/.github/workflows/surface-go.yml index 59feea07..4f558868 100644 --- a/.github/workflows/surface-go.yml +++ b/.github/workflows/surface-go.yml @@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@05b373abd099d1862fdff51e96b0122940505756 # v1.27.15 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/surface-pro-6.yml b/.github/workflows/surface-pro-6.yml index 5259d97a..581f2344 100644 --- a/.github/workflows/surface-pro-6.yml +++ b/.github/workflows/surface-pro-6.yml 
@@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@05b373abd099d1862fdff51e96b0122940505756 # v1.27.15 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while From 622778d27bbb8964093856c6aaf1055518ef94d9 Mon Sep 17 00:00:00 2001 From: Ryan Cooke Date: Fri, 29 Nov 2024 15:14:52 +0000 Subject: [PATCH 3/3] re-enable PRT triggers Signed-off-by: Ryan Cooke --- .github/workflows/genericx86-64.yml | 8 ++++---- .github/workflows/intel-nuc.yml | 8 ++++---- .github/workflows/surface-go.yml | 8 ++++---- .github/workflows/surface-pro-6.yml | 8 ++++---- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/genericx86-64.yml b/.github/workflows/genericx86-64.yml index b1ce962d..f37d30e3 100644 --- a/.github/workflows/genericx86-64.yml +++ b/.github/workflows/genericx86-64.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern - 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH) diff --git a/.github/workflows/intel-nuc.yml b/.github/workflows/intel-nuc.yml index b68f7fbb..2ce459aa 100644 --- a/.github/workflows/intel-nuc.yml +++ b/.github/workflows/intel-nuc.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern - 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH) 
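Review bot: Re-enabling `pull_request_target` lets PRs from forks run this workflow in the base-repository context with the workflow-level `pull-requests: write` and `id-token: write` grants, and nothing in this hunk shows the condition that keeps such runs away from the build-and-deploy job; the comment on the `uses:` line refers to a job-level `if:` that is outside this hunk, so its coverage of fork heads cannot be checked here. Whether the called reusable workflow checks out and executes the PR head ref under these permissions is likewise not visible and is worth confirming before merge. A comment next to the trigger, e.g. `# Runs with base-repo permissions; gated by the job-level if: on jobs.yocto`, would record that dependency. The same hunk appears in intel-nuc.yml, surface-go.yml and surface-pro-6.yml; in the latter two the ESR branch pattern in the surrounding context is commented out while the first two keep it, which may be intentional but deserves a look.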
diff --git a/.github/workflows/surface-go.yml b/.github/workflows/surface-go.yml index 4f558868..b3d0c63b 100644 --- a/.github/workflows/surface-go.yml +++ b/.github/workflows/surface-go.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern # - 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH) diff --git a/.github/workflows/surface-pro-6.yml b/.github/workflows/surface-pro-6.yml index 581f2344..bd69a6fd 100644 --- a/.github/workflows/surface-pro-6.yml +++ b/.github/workflows/surface-pro-6.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern # - 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)