#15 set top level workflow permissions
kernelsam committed Feb 26, 2024
1 parent d913f0e commit 4bd3ab5
Showing 14 changed files with 67 additions and 34 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/add-labels-standardized.yaml
Expand Up @@ -6,10 +6,11 @@ on:
- opened
- reopened

permissions:
issues: write

jobs:
add-issue-labels:
permissions:
issues: write
secrets:
ORG_MEMBERSHIP_TOKEN: ${{ secrets.ORG_MEMBERSHIP_TOKEN }}
SENZING_MEMBERS: ${{ secrets.SENZING_MEMBERS }}
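Review bot: Moving `issues: write` from the `add-issue-labels` job (the removed lines) to the workflow level widens the grant from one job to every job in this workflow; with a single job the effective scope is unchanged today, but the job-level form was already the narrower one. Token-permission checks typically want a restrictive top-level block with elevation at the job, i.e. `permissions: {}` at the top of the file and `issues: write` kept on the job, which satisfies "top-level permissions are set" without broadening anything. If the intent of this commit is only to make a top-level block present, that split is worth applying consistently across the other files touched here.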
4 changes: 3 additions & 1 deletion .github/workflows/add-to-project-dependabot.yaml
Expand Up @@ -11,8 +11,10 @@ on:
SENZING_GITHUB_PROJECT_RW_TOKEN:
required: true

jobs:
permissions:
repository-projects: write

jobs:
add-pr-to-project:
if: ${{ github.actor == 'dependabot[bot]' && ( github.event.action == 'opened' || github.event.action == 'reopened') }}
secrets:
5 changes: 4 additions & 1 deletion .github/workflows/add-to-project-factory-dependabot.yaml
Expand Up @@ -4,8 +4,11 @@ on:
pull_request:
branches: [main]

permissions:
repository-projects: write

jobs:
add-issue-labels:
add-to-project-dependabot:
secrets:
SENZING_GITHUB_PROJECT_RW_TOKEN: ${{ secrets.SENZING_GITHUB_PROJECT_RW_TOKEN }}
uses: senzing-factory/build-resources/.github/workflows/add-to-project-dependabot.yaml@v1
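Review bot: The new `repository-projects: write` grant applies to `GITHUB_TOKEN`, but the only credential this job visibly hands to the called workflow is the `SENZING_GITHUB_PROJECT_RW_TOKEN` PAT, so the extra scope may be unused; whether `add-to-project-dependabot.yaml` also touches `GITHUB_TOKEN` cannot be seen from here. If it does not, `permissions: {}` is the least-privilege form; if it does, a one-line comment such as `# GITHUB_TOKEN scope needed by build-resources add-to-project-dependabot.yaml` would record why the write scope exists. Note also that on a `pull_request` event from a fork `GITHUB_TOKEN` is read-only regardless of this block, so the grant only matters for same-repository PRs. Unchanged by this commit but visible in the section: `uses: ...@v1` is a mutable tag, and a full commit SHA pin is the stronger supply-chain control for the called workflow.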
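--- /dev/null
+++ b/.github/workflows/add-to-project-factory.yaml
@@ -0,0 +1,22 @@
+name: add to project factory
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+
+permissions:
+  repository-projects: write
+
+jobs:
+  add-to-project:
+    name: add issue to project
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: assign issue to project
+        uses: actions/add-to-project@v0.5.0
+        with:
+          github-token: ${{ secrets.SENZING_GITHUB_ACCESS_TOKEN }}
+          project-url: https://github.com/orgs/${{ vars.SENZING_GITHUB_ACCOUNT_NAME }}/projects/${{ vars.SENZING_PROJECT_FACTORY }}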
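Review bot: `permissions: repository-projects: write` grants `GITHUB_TOKEN` a write scope that nothing in this workflow uses: the only step authenticates with `secrets.SENZING_GITHUB_ACCESS_TOKEN`, and the `project-url` points at an organization project, which (as far as the action's documentation indicates) needs a PAT or App token rather than `GITHUB_TOKEN` anyway. The least-privilege block for this file is `permissions: {}` (or `contents: read` if a checkout is added later); leaving an unused write scope on the token only widens what a compromised step could do. `actions/add-to-project@v0.5.0` is pinned to a mutable tag; a full commit SHA with the version in a trailing comment is the stronger supply-chain control. A short comment above the `github-token` line explaining why a PAT is required here (org-level project) would save the next reader from trying to swap it for `GITHUB_TOKEN`.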
3 changes: 3 additions & 0 deletions .github/workflows/add-to-project.yaml
Expand Up @@ -18,6 +18,9 @@ on:
SENZING_GITHUB_PROJECT_RW_TOKEN:
required: false

permissions:
repository-projects: write

jobs:
# Does not support classic projects
add-to-project:
7 changes: 4 additions & 3 deletions .github/workflows/approve-and-merge-dependabot.yaml
Expand Up @@ -4,11 +4,12 @@ on:
pull_request:
branches: [main]

permissions:
contents: write
pull-requests: write

jobs:
dependabot-approve-and-merge:
permissions:
contents: write
pull-requests: write
secrets:
SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN: ${{ secrets.SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN }}
uses: senzing-factory/build-resources/.github/workflows/dependabot-approve-and-merge.yaml@v1
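Review bot: `contents: write` and `pull-requests: write` are now granted to a `pull_request`-triggered job that has no visible actor gate, unlike the sibling jobs that check `github.actor == 'dependabot[bot]'` or `github.event.pull_request.user.login == 'dependabot[bot]'`; as written, every PR against `main` runs this job and passes `SENZING_GITHUB_CODEOWNER_PR_RW_TOKEN` into the called workflow, not only Dependabot's. The gate may live inside `dependabot-approve-and-merge.yaml@v1`, which is not visible here, but a job-level `if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}` on `dependabot-approve-and-merge` is cheap defence in depth and keeps the PAT out of non-Dependabot runs. For PRs from forks `GITHUB_TOKEN` is read-only regardless of this block, so the write grant effectively applies to same-repository PRs. The job body continues past the end of the section.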
Expand Up @@ -38,12 +38,13 @@ on:
DOCKERHUB_USERNAME:
required: true

permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

jobs:
docker-push-containers-to-dockerhub-and-ecr:
runs-on: ubuntu-latest
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout

steps:
- name: checkout repository
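Review bot: `id-token: write` at workflow scope lets every job in this workflow mint OIDC tokens for the cloud trust relationship, whereas the removed job-level block limited that to `docker-push-containers-to-dockerhub-and-ecr`, the one job that needs it; the commonly recommended shape for OIDC is `permissions: contents: read` at the top and `id-token: write` on the job only. Because this file is a reusable workflow (`secrets:` with `required: true` under `on:`), the block here can only keep or narrow what the caller passes, so the caller must itself grant `id-token: write` for the federation step to work; a comment such as `# caller must grant id-token: write; a called workflow cannot elevate permissions` above the block would make that contract explicit. The job's steps continue past the end of the section.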
17 changes: 0 additions & 17 deletions .github/workflows/issue-automation.yaml

This file was deleted.

6 changes: 6 additions & 0 deletions .github/workflows/lint-repo.yaml
Expand Up @@ -6,6 +6,12 @@ on:
pull_request:
branches: [main]

permissions:
contents: read
packages: read
pull-requests: read
statuses: write

jobs:
lint-code-base:
uses: senzing-factory/build-resources/.github/workflows/linter.yaml@main
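Review bot: The scopes added here, including `statuses: write`, are handed to `linter.yaml@main` (unchanged by this commit), a branch reference, so the code that runs with them changes with every push to `main` of `senzing-factory/build-resources`; the other callers in this commit pin `@v1`, and a tag or, better, a full commit SHA is the stronger supply-chain control. The permissions block itself is read-mostly and looks appropriate for a linter; `packages: read` is presumably for pulling the linter image and could carry a one-line comment saying so.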
2 changes: 1 addition & 1 deletion .github/workflows/lint-workflows.yaml
Expand Up @@ -12,7 +12,7 @@ on:
permissions:
contents: read
packages: read
# pull-requests: read
pull-requests: read
statuses: write

jobs:
11 changes: 6 additions & 5 deletions .github/workflows/linter.yaml
Expand Up @@ -14,16 +14,17 @@ on:
required: false
type: boolean

permissions:
contents: read
packages: read
pull-requests: read
statuses: write

jobs:
lint-code-base:
name: lint code base
runs-on: ubuntu-latest

permissions:
contents: read
packages: read
statuses: write

steps:
- name: checkout repository
uses: actions/checkout@v4
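Review bot: This file is a reusable workflow (`inputs` under `on:` at the top of the section), and a called workflow's `permissions` block can only equal or narrow what the caller's `GITHUB_TOKEN` already has, so the block added here is a declared ceiling rather than a grant; callers such as lint-repo.yaml must list the same four scopes or the linter step silently runs with less. A comment above the block, `# callers must grant at least these scopes; a called workflow cannot elevate the caller's token`, would document that dependency. `pull-requests: read` is new relative to the removed job-level block; whether the linter step actually needs it cannot be determined from the steps visible here, so it is worth confirming before the extra scope is kept. The job's steps continue past the end of the section.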
4 changes: 4 additions & 0 deletions .github/workflows/make-go-github-file.yaml
Expand Up @@ -10,6 +10,10 @@ on:
SENZING_GITHUB_GPG_PRIVATE_KEY:
required: true

permissions:
contents: write
pull-requests: write

jobs:
make-go-github-file:
name: update cmd/github.go
3 changes: 3 additions & 0 deletions .github/workflows/move-pr-to-done-dependabot.yaml
Expand Up @@ -11,6 +11,9 @@ on:
SENZING_GITHUB_PROJECT_RW_TOKEN:
required: true

permissions:
repository-projects: write

jobs:
move-pr-to-done-column:
if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.event.action == 'closed' }}
5 changes: 4 additions & 1 deletion .github/workflows/move-pr-to-done.yaml
Expand Up @@ -11,13 +11,16 @@ on:
SENZING_GITHUB_PROJECT_RW_TOKEN:
required: true

permissions:
repository-projects: write

jobs:
move-pr-to-done:
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}

steps:
- name: Mmve PR to done
- name: move PR to done
if: ${{ github.event.pull_request.merged == true }}
uses: alex-page/github-project-automation-plus@v0.9.0
with: