Limit token permissions in GitHub workflows (#440)
See
ea7e27ed41/docs/checks.md (token-permissions)
This commit is contained in:
parent
af45dcfe3c
commit
07e0f1c008
29 changed files with 129 additions and 17 deletions
3
.github/workflows/ci-codeql.yml
vendored
|
@ -16,6 +16,9 @@ on:
|
|||
schedule:
|
||||
- cron: '25 23 * * 2'
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
analyze:
|
||||
name: Analyze
|
||||
|
|
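Review bot: The new top-level `contents: read` replaces the default token grant for the whole workflow, so the CodeQL results upload will be denied unless the `analyze` job, whose body lies outside the hunk, declares its own `permissions:` block. Confirm that job carries `security-events: write` (needed to upload SARIF) and, on a private repository, `actions: read`; if it does not, add `permissions:` / `  contents: read` / `  security-events: write` directly under `analyze:`. The workflow-level block is correct as the default; it just must not be the only grant for this job.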
3
.github/workflows/ci-init-script-check.yml
vendored
|
@ -14,6 +14,9 @@ on:
|
|||
- 'sources/test/init-scripts/**'
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
test-init-scripts:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
8
.github/workflows/ci-integ-test-full.yml
vendored
|
@ -6,13 +6,13 @@ on:
|
|||
paths:
|
||||
- 'dist/**'
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
concurrency:
|
||||
group: integ-test
|
||||
cancel-in-progress: false
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
caching-integ-tests:
|
||||
uses: ./.github/workflows/suite-integ-test-caching.yml
|
||||
|
@ -25,6 +25,8 @@ jobs:
|
|||
secrets: inherit
|
||||
|
||||
other-integ-tests:
|
||||
permissions:
|
||||
contents: write
|
||||
uses: ./.github/workflows/suite-integ-test-other.yml
|
||||
concurrency:
|
||||
group: CI-integ-test-full
|
||||
|
|
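Review bot: The job-level `contents: write` on `other-integ-tests` is the only elevated grant left in this file and nothing records why it exists, so a later cleanup will plausibly remove it as unused. Since a reusable workflow cannot exceed its caller's grant, this is presumably what lets the dependency-submission jobs in the called suite raise to `contents: write` per job (the suite's own top level is `contents: read` elsewhere in this commit); say so above the block: `# contents: write is required by the dependency-submission jobs in the called suite`. `caching-integ-tests` correctly stays on the workflow-level `contents: read`. The remaining inputs of the `other-integ-tests` call are outside the hunk.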
8
.github/workflows/ci-integ-test.yml
vendored
|
@ -11,13 +11,13 @@ on:
|
|||
paths-ignore:
|
||||
- 'dist/**'
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
concurrency:
|
||||
group: integ-test
|
||||
cancel-in-progress: false
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build-distribution:
|
||||
runs-on: ubuntu-latest
|
||||
|
@ -36,6 +36,8 @@ jobs:
|
|||
secrets: inherit
|
||||
|
||||
other-integ-tests:
|
||||
permissions:
|
||||
contents: write
|
||||
needs: build-distribution
|
||||
uses: ./.github/workflows/suite-integ-test-other.yml
|
||||
with:
|
||||
|
|
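Review bot: `other-integ-tests` now carries `contents: write` while `build-distribution` and the other callers run with the new workflow-level `contents: read`, but the hunk gives no hint which called job actually consumes the write scope. Called workflows are capped by the caller's grant, so the scope is needed here only if a job in `suite-integ-test-other.yml` raises its own `permissions:` to write, which the dependency-graph and dependency-submission jobs in this commit do; document that with `# contents: write is needed so the dependency-submission jobs in the called suite can submit` above the block. The `with:` inputs of the call continue outside the hunk.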
3
.github/workflows/ci-ossf-scorecard.yml
vendored
|
@ -6,7 +6,8 @@ on:
|
|||
branches:
|
||||
- main
|
||||
|
||||
permissions: read-all
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
analysis:
|
||||
|
|
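Review bot: Replacing `permissions: read-all` with `contents: read` narrows the token correctly, but it also stops granting `actions: read`, and the `analysis` job below the hunk must now supply every scope the scorecard action needs on its own. Confirm that job declares `security-events: write` (SARIF upload) and `id-token: write` (publishing results), since the top-level block no longer provides anything beyond `contents: read`. As far as I recall `actions: read` is only required by scorecard on private repositories, so dropping it should be harmless here, but that is worth a comment: `# read-all was replaced by contents: read; the analysis job grants security-events/id-token itself`.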
4
.github/workflows/ci-update-dist.yml
vendored
|
@ -10,10 +10,12 @@ on:
|
|||
- 'dist/**'
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
update-dist:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
|
|
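Review bot: Moving `contents: write` onto `update-dist` is the right direction, but every step in that job, whose `steps:` body is outside the hunk, still receives the write-capable token, not only the step that presumably commits the regenerated `dist/`. Confirm that any third-party actions used in that job are pinned to a commit SHA, since a compromised action there can now push to the repository. A comment above the job-level block, `# contents: write: this job pushes the rebuilt dist/ back to the repository`, would also tell the next reader why the workflow default was raised.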
3
.github/workflows/ci-validate-wrappers.yml
vendored
|
@ -4,6 +4,9 @@ on:
|
|||
push:
|
||||
pull_request:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
validation:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
3
.github/workflows/demo-job-summary.yml
vendored
|
@ -3,6 +3,9 @@ name: Demo Job Summary, for Gradle builds
|
|||
on:
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build-distribution:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
@ -4,7 +4,7 @@ on:
|
|||
types: [assigned, review_requested]
|
||||
|
||||
permissions:
|
||||
pull-requests: write
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build-distribution:
|
||||
|
@ -16,6 +16,8 @@ jobs:
|
|||
uses: ./.github/actions/build-dist
|
||||
|
||||
successful-build-with-always-comment:
|
||||
permissions:
|
||||
pull-requests: write
|
||||
needs: build-distribution
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
@ -34,6 +36,8 @@ jobs:
|
|||
run: ./gradlew build --scan
|
||||
|
||||
successful-build-with-comment-on-failure:
|
||||
permissions:
|
||||
pull-requests: write
|
||||
needs: build-distribution
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
@ -52,6 +56,8 @@ jobs:
|
|||
run: ./gradlew build --scan
|
||||
|
||||
failing-build-with-comment-on-failure:
|
||||
permissions:
|
||||
pull-requests: write
|
||||
needs: build-distribution
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
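Review bot: In `successful-build-with-always-comment` and its two siblings the `run: ./gradlew build --scan` step executes the checked-out build inside the same job that now holds `pull-requests: write`, so the token is available to the build script itself rather than only to the commenting step. Because the trigger is `pull_request`, forks already receive a read-only token, so the exposure is limited to branch PRs from this repository; the least-privilege shape is still to build in a job that keeps the workflow-level `contents: read` and to comment from a small dependent job that alone holds `pull-requests: write`. The rest of each job's steps and this file's header are outside the hunk.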
|
|
@ -17,6 +17,9 @@ env:
|
|||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build-scan-publish:
|
||||
strategy:
|
||||
|
|
|
@ -18,6 +18,9 @@ env:
|
|||
# Requires a fresh cache entry each run
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
cache-cleanup-full-build:
|
||||
strategy:
|
||||
|
|
|
@ -17,6 +17,9 @@ env:
|
|||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
caching-config-seed-build:
|
||||
strategy:
|
||||
|
|
|
@ -13,14 +13,14 @@ on:
|
|||
type: boolean
|
||||
default: false
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
env:
|
||||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}
|
||||
GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
dependency-graph-groovy-upload:
|
||||
runs-on: "ubuntu-latest"
|
||||
|
@ -39,6 +39,8 @@ jobs:
|
|||
working-directory: .github/workflow-samples/groovy-dsl
|
||||
|
||||
dependency-graph-groovy-submit:
|
||||
permissions:
|
||||
contents: write
|
||||
needs: [dependency-graph-groovy-upload]
|
||||
runs-on: "ubuntu-latest"
|
||||
steps:
|
||||
|
@ -55,6 +57,8 @@ jobs:
|
|||
DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload
|
||||
|
||||
dependency-graph-kotlin-generate-and-submit:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: "ubuntu-latest"
|
||||
steps:
|
||||
- name: Checkout sources
|
||||
|
@ -71,6 +75,8 @@ jobs:
|
|||
working-directory: .github/workflow-samples/kotlin-dsl
|
||||
|
||||
dependency-graph-multiple-builds:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: "ubuntu-latest"
|
||||
steps:
|
||||
- name: Checkout sources
|
||||
|
@ -112,6 +118,8 @@ jobs:
|
|||
fi
|
||||
|
||||
dependency-graph-config-cache:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest # Test is not compatible with Windows
|
||||
steps:
|
||||
- name: Checkout sources
|
||||
|
|
|
@ -18,6 +18,9 @@ env:
|
|||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }}
|
||||
GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
dependency-submission-failures-failing-build:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
@ -13,16 +13,18 @@ on:
|
|||
type: boolean
|
||||
default: false
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
env:
|
||||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }}
|
||||
GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
dependency-submission-groovy-generate-and-upload:
|
||||
permissions:
|
||||
contents: write
|
||||
strategy:
|
||||
max-parallel: 1
|
||||
fail-fast: false
|
||||
|
@ -45,6 +47,8 @@ jobs:
|
|||
GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
|
||||
|
||||
dependency-submission-groovy-restore-cache:
|
||||
permissions:
|
||||
contents: write
|
||||
needs: [dependency-submission-groovy-generate-and-upload]
|
||||
strategy:
|
||||
max-parallel: 1
|
||||
|
@ -67,6 +71,8 @@ jobs:
|
|||
GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
|
||||
|
||||
dependency-submission-groovy-download-and-submit:
|
||||
permissions:
|
||||
contents: write
|
||||
needs: [dependency-submission-groovy-generate-and-upload]
|
||||
strategy:
|
||||
max-parallel: 1
|
||||
|
@ -88,6 +94,8 @@ jobs:
|
|||
DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }}
|
||||
|
||||
dependency-submission-kotlin-generate-and-submit:
|
||||
permissions:
|
||||
contents: write
|
||||
strategy:
|
||||
max-parallel: 1
|
||||
fail-fast: false
|
||||
|
@ -106,6 +114,8 @@ jobs:
|
|||
build-root-directory: .github/workflow-samples/kotlin-dsl
|
||||
|
||||
dependency-submission-multiple-builds:
|
||||
permissions:
|
||||
contents: write
|
||||
strategy:
|
||||
max-parallel: 1
|
||||
fail-fast: false
|
||||
|
@ -152,6 +162,8 @@ jobs:
|
|||
fi
|
||||
|
||||
dependency-submission-multiple-builds-upload:
|
||||
permissions:
|
||||
contents: write
|
||||
strategy:
|
||||
max-parallel: 1
|
||||
fail-fast: false
|
||||
|
@ -176,6 +188,8 @@ jobs:
|
|||
build-root-directory: .github/workflow-samples/groovy-dsl
|
||||
|
||||
dependency-submission-config-cache:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest # Test is not compatible with Windows
|
||||
steps:
|
||||
- name: Checkout sources
|
||||
|
@ -211,6 +225,8 @@ jobs:
|
|||
fi
|
||||
|
||||
dependency-submission-gradle-versions:
|
||||
permissions:
|
||||
contents: write
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
|
@ -235,6 +251,8 @@ jobs:
|
|||
build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}
|
||||
|
||||
dependency-submission-with-setup-gradle:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest # Test is not compatible with Windows
|
||||
steps:
|
||||
- name: Checkout sources
|
||||
|
@ -270,6 +288,8 @@ jobs:
|
|||
fi
|
||||
|
||||
dependency-submission-with-includes-and-excludes:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest # Test is not compatible with Windows
|
||||
steps:
|
||||
- name: Checkout sources
|
||||
|
@ -304,6 +324,8 @@ jobs:
|
|||
|
||||
|
||||
dependency-submission-custom-report-dir-submit:
|
||||
permissions:
|
||||
contents: write
|
||||
strategy:
|
||||
max-parallel: 1
|
||||
fail-fast: false
|
||||
|
@ -339,6 +361,8 @@ jobs:
|
|||
fi
|
||||
|
||||
dependency-submission-custom-report-dir-upload:
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout sources
|
||||
|
@ -355,6 +379,8 @@ jobs:
|
|||
build-root-directory: .github/workflow-samples/groovy-dsl
|
||||
|
||||
custom-report-dir-download-and-submit:
|
||||
permissions:
|
||||
contents: write
|
||||
needs: [dependency-submission-custom-report-dir-upload]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
|
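Review bot: `dependency-submission-groovy-restore-cache`, `dependency-submission-multiple-builds-upload` and `dependency-submission-custom-report-dir-upload` are all given `contents: write`, yet by name they only restore a cache or upload an artifact, and the upload-only job in the dependency-graph workflow elsewhere in this commit (`dependency-graph-groovy-upload`) keeps the read-only default. If their steps, which lie outside the hunk, do not call the dependency-submission API, the job-level `permissions:` block should be removed so they fall back to the new workflow-level `contents: read`. A one-line comment on the jobs that do submit, `# contents: write is required to submit the dependency graph`, would make the distinction auditable.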
|
|
@ -17,6 +17,9 @@ env:
|
|||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
# Test that pre-installed runner JDKs are detected
|
||||
detect-toolchains-pre-installed-jdks:
|
||||
|
|
|
@ -20,6 +20,9 @@ env:
|
|||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
inject-develocity:
|
||||
env:
|
||||
|
|
|
@ -18,6 +18,9 @@ env:
|
|||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
|
||||
GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
# Tests for executing with different Gradle versions.
|
||||
# Each build verifies that it is executed with the expected Gradle version.
|
||||
|
|
|
@ -20,6 +20,9 @@ env:
|
|||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
restore-cc-seed-build-groovy:
|
||||
env:
|
||||
|
|
|
@ -14,6 +14,9 @@ env:
|
|||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
restore-containerized-seed-build:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
@ -14,6 +14,9 @@ env:
|
|||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
restore-custom-gradle-home-seed-build:
|
||||
runs-on: ubuntu-latest
|
||||
|
|
|
@ -18,6 +18,9 @@ env:
|
|||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
restore-gradle-home-seed-build:
|
||||
strategy:
|
||||
|
|
|
@ -17,6 +17,9 @@ env:
|
|||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
restore-java-toolchain-seed-build:
|
||||
strategy:
|
||||
|
|
|
@ -17,6 +17,9 @@ env:
|
|||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
sample-gradle-plugin-seed-build:
|
||||
strategy:
|
||||
|
|
|
@ -17,6 +17,9 @@ env:
|
|||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
sample-kotlin-dsl-seed-build:
|
||||
strategy:
|
||||
|
|
|
@ -13,6 +13,9 @@ on:
|
|||
env:
|
||||
SKIP_DIST: ${{ inputs.skip-dist }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
wrapper-validation-setup-gradle:
|
||||
strategy:
|
||||
|
|
|
@ -10,6 +10,9 @@ on:
|
|||
type: boolean
|
||||
default: false
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
cache-cleanup:
|
||||
uses: ./.github/workflows/integ-test-cache-cleanup.yml
|
||||
|
|
3
.github/workflows/suite-integ-test-other.yml
vendored
|
@ -10,6 +10,9 @@ on:
|
|||
type: boolean
|
||||
default: false
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
build-scan-publish:
|
||||
uses: ./.github/workflows/integ-test-build-scan-publish.yml
|
||||
|
|
6
.github/workflows/update-checksums-file.yml
vendored
|
@ -7,11 +7,13 @@ on:
|
|||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
contents: read
|
||||
|
||||
jobs:
|
||||
update-checksums:
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
name: Update checksums
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
|
|
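Review bot: `update-checksums` now holds both `contents: write` and `pull-requests: write` with no statement of which step needs which, so the block reads as a blanket grant rather than a deliberate one. Add a comment above the job-level `permissions:` naming the consumers, along the lines of `# contents: write to push the update branch, pull-requests: write to open the PR`, adjusted to what the steps outside the hunk actually do. If the pull request is opened through a third-party action, confirm it is pinned to a commit SHA, since it receives a token that can both push and open PRs.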