ci: Adjust GitHub workflow permissions

.clomonitor.yml

@@ -0,0 +1,3 @@
+exemptions:
+  - check: analytics
+    reason: "We don't track people"

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/build.yaml

@@ -10,10 +10,10 @@ on:
       - main
 
 permissions:
-  contents: read # for actions/checkout to fetch code
+  contents: read
 
 jobs:
-  container:
+  build-flagger:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout

.github/workflows/e2e.yaml

@@ -10,10 +10,10 @@ on:
       - main
 
 permissions:
-  contents: read # for actions/checkout to fetch code
+  contents: read
 
 jobs:
-  kind:
+  e2e-test:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false

.github/workflows/helm.yaml

@@ -4,11 +4,13 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: write # needed to push chart
+  contents: read
 
 jobs:
-  build-push:
+  release-charts:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v2
       - name: Publish Helm charts

.github/workflows/push-ld.yml

@@ -6,12 +6,13 @@ env:
   IMAGE: "ghcr.io/fluxcd/flagger-loadtester"
 
 permissions:
-  contents: write # needed to write releases
-  packages: write # needed for ghcr access
+  contents: read
 
 jobs:
-  build-push:
+  release-load-tester:
     runs-on: ubuntu-latest
+    permissions:
+      packages: write
     steps:
       - uses: actions/checkout@v2
       - name: Prepare

.github/workflows/release.yml

@@ -5,16 +5,18 @@ on:
       - 'v*'
 
 permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for ghcr access
+  contents: read
 
 env:
   IMAGE: "ghcr.io/fluxcd/${{ github.event.repository.name }}"
 
 jobs:
-  build-push:
+  release-flagger:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
     steps:
       - uses: actions/checkout@v2
       - uses: sigstore/cosign-installer@main

.github/workflows/scan.yml

@@ -9,13 +9,13 @@ on:
     - cron: '18 10 * * 3'
 
 permissions:
-  contents: read # for actions/checkout to fetch code
-  security-events: write # for codeQL to write security events
+  contents: read
 
 jobs:
-  fossa:
-    name: FOSSA
+  scan-fossa:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - uses: actions/checkout@v2
       - name: Run FOSSA scan and upload build data
@@ -24,10 +24,10 @@ jobs:
           # FOSSA Push-Only API Token
           fossa-api-key: 5ee8bf422db1471e0bcf2bcb289185de
           github-token: ${{ github.token }}
-
-  codeql:
-    name: CodeQL
+  scan-codeql:
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2

README.md

@@ -2,9 +2,7 @@
 
 [![release](https://img.shields.io/github/release/fluxcd/flagger/all.svg)](https://github.com/fluxcd/flagger/releases)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4783/badge)](https://bestpractices.coreinfrastructure.org/projects/4783)
-[![build](https://github.com/fluxcd/flagger/workflows/build/badge.svg)](https://github.com/fluxcd/flagger/actions)
 [![report](https://goreportcard.com/badge/github.com/fluxcd/flagger)](https://goreportcard.com/report/github.com/fluxcd/flagger)
-[![license](https://img.shields.io/github/license/fluxcd/flagger.svg)](https://github.com/fluxcd/flagger/blob/main/LICENSE)
 [![FOSSA Status](https://app.fossa.com/api/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflagger.svg?type=shield)](https://app.fossa.com/projects/custom%2B162%2Fgithub.com%2Ffluxcd%2Fflagger?ref=badge_shield)
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/flagger)](https://artifacthub.io/packages/search?repo=flagger)
 
@@ -235,15 +233,15 @@ can be used to implement the request success rate and request duration checks.
 
 #### [GitOps Toolkit](https://github.com/fluxcd/flux2) compatibility
 
-* Migrate Flagger to Kubernetes controller-runtime and [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder)
-* Make the Canary status compatible with [kstatus](https://github.com/kubernetes-sigs/cli-utils)
-* Make Flagger emit Kubernetes events compatible with Flux v2 notification API
-* Integrate Flagger into Flux v2 as the progressive delivery component
+- Migrate Flagger to Kubernetes controller-runtime and [kubebuilder](https://github.com/kubernetes-sigs/kubebuilder)
+- Make the Canary status compatible with [kstatus](https://github.com/kubernetes-sigs/cli-utils)
+- Make Flagger emit Kubernetes events compatible with Flux v2 notification API
+- Integrate Flagger into Flux v2 as the progressive delivery component
 
 #### Integrations
 
-* Add support for ingress controllers like HAProxy, ALB, and Apache APISIX
-* Add support for Knative Serving
+- Add support for ingress controllers like HAProxy, ALB, and Apache APISIX
+- Add support for Knative Serving
 
 ### Contributing
 
@@ -252,20 +250,29 @@ To start contributing please read the [development guide](https://docs.flagger.a
 
 When submitting bug reports please include as many details as possible:
 
-* which Flagger version
-* which Kubernetes version
-* what configuration (canary, ingress and workloads definitions)
-* what happened (Flagger and Proxy logs)
+- which Flagger version
+- which Kubernetes version
+- what configuration (canary, ingress and workloads definitions)
+- what happened (Flagger and Proxy logs)
 
-### Getting Help
+### Communication
 
-If you have any questions about Flagger and progressive delivery:
+Here is a list of good entry points into our community, how we stay in touch and how you can meet us as a team.
 
-* Read the Flagger [docs](https://docs.flagger.app).
-* Invite yourself to the [CNCF community slack](https://slack.cncf.io/)
-  and join the [#flagger](https://cloud-native.slack.com/messages/flagger/) channel.
-* Check out the **[Flux events calendar](https://fluxcd.io/#calendar)**, both with upcoming talks, events, and meetings you can attend.
-* Or view the **[Flux resources section](https://fluxcd.io/resources)** with past events videos you can watch.
-* File an [issue](https://github.com/fluxcd/flagger/issues/new).
+- Slack: Join in and talk to us in the `#flagger` channel on [CNCF Slack](https://slack.cncf.io/).
+- Meetings: We run weekly, public meetings - join one of the upcoming dev meetings from the [Flux calendar](https://fluxcd.io/#calendar).
+- Blog: Stay up to date with the latest news on [the Flux blog](https://fluxcd.io/blog/).
+- Mailing list: To be updated on Flux and Flagger progress regularly, please [join the flux-dev mailing list](https://lists.cncf.io/g/cncf-flux-dev).
 
-Your feedback is always welcome!
+#### Subscribing to the flux-dev calendar
+
+To add the meetings to your e.g. Google calendar
+
+1. visit the [Flux calendar](https://lists.cncf.io/g/cncf-flux-dev/calendar)
+2. click on "Subscribe to Calendar" at the very bottom of the page
+3. copy the iCalendar URL
+4. open e.g. your Google calendar
+5. find the "add calendar" option
+6. choose "add by URL"
+7. paste iCalendar URL (ends with `.ics`)
+8. done