From 6bdab33fc5b7de2f2ace286965eb07b077801373 Mon Sep 17 00:00:00 2001
From: Ryan Cooke
Date: Fri, 29 Nov 2024 16:41:05 +0000
Subject: [PATCH] Explicitly set GITHUB_TOKEN permissions for yocto workflow

Changelog-entry: Explicitly set GITHUB_TOKEN permissions for yocto workflow
Signed-off-by: Ryan Cooke
---
 .github/workflows/astro-tx2.yml | 6 ++++++
 .github/workflows/blackboard-tx2.yml | 6 ++++++
 .github/workflows/cnx100-xavier-nx.yml | 7 +++++++
 .github/workflows/floyd-nano.yml | 6 ++++++
 .github/workflows/jetson-nano-2gb-devkit.yml | 6 ++++++
 .github/workflows/jetson-nano-emmc.yml | 6 ++++++
 .github/workflows/jetson-nano.yml | 6 ++++++
 .github/workflows/jetson-tx1.yml | 6 ++++++
 .github/workflows/jetson-tx2-nx-devkit.yml | 6 ++++++
 .github/workflows/jetson-tx2.yml | 6 ++++++
 .../workflows/jetson-xavier-nx-devkit-seeed-2mic-hat.yml | 6 ++++++
 .github/workflows/jn30b-nano.yml | 6 ++++++
 .github/workflows/n310-tx2.yml | 6 ++++++
 .github/workflows/n510-tx2.yml | 6 ++++++
 .github/workflows/orbitty-tx2.yml | 6 ++++++
 .github/workflows/photon-nano.yml | 6 ++++++
 .github/workflows/photon-tx2-nx.yml | 6 ++++++
 .github/workflows/photon-xavier-nx.yml | 6 ++++++
 .github/workflows/spacely-tx2.yml | 6 ++++++
 19 files changed, 115 insertions(+)

diff --git a/.github/workflows/astro-tx2.yml b/.github/workflows/astro-tx2.yml
index af1c7fde0..593543081 100644
--- a/.github/workflows/astro-tx2.yml
+++ b/.github/workflows/astro-tx2.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/blackboard-tx2.yml b/.github/workflows/blackboard-tx2.yml
index ccecff917..e4a177567 100644
--- a/.github/workflows/blackboard-tx2.yml
+++ b/.github/workflows/blackboard-tx2.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/cnx100-xavier-nx.yml b/.github/workflows/cnx100-xavier-nx.yml
index 156034a8e..be178ed46 100644
--- a/.github/workflows/cnx100-xavier-nx.yml
+++ b/.github/workflows/cnx100-xavier-nx.yml
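Review bot: `id-token: write` and `pull-requests: write` are set at workflow level, so every job in the file, and every step inside it including third-party actions, can request an OIDC token for this repository and post to pull requests, not only the step that exchanges the token or writes the approval comment. Moving those two scopes into a job-level `permissions:` on the job that needs them and leaving the top-level block read-only narrows that and makes the top-level block a safe default for any job added later; a job-level block replaces the workflow-level one entirely, so the job must restate every scope it uses (sketch below; the `on:` mapping starts before this hunk and the `yocto` job body continues after it, so whether `yocto` is the only job is not visible here). Separately, `id-token: write` only governs who can mint the token; the cloud role's trust policy should pin the token's `sub` claim (for example to this repository's tag refs or an environment) rather than accept any token from the repo, or a compromised step in this job can assume the role. If the `on:` block also declares `workflow_call`, a called workflow can only narrow the caller's token, so callers must grant at least these scopes or the token request fails. Minor: the `id-token` comment contains a second `#` before the URL that reads as a nested comment; `# Required to request the OIDC JWT, see <url>` is clearer.
```yaml
# Workflow-wide default: read-only. Write scopes are granted per job below.
permissions:
  actions: read   # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
  packages: read
  contents: read

jobs:
  yocto:
    # A job-level permissions block replaces the workflow-level one for this
    # job, so every scope the job uses must be listed here.
    permissions:
      id-token: write       # Required to request the OIDC JWT for the cloud role
      pull-requests: write  # Read the merged PR's test results; write workflow-approval comments
      actions: read
      packages: read
      contents: read
    # … unchanged: rest of the yocto job …
```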
@@ -36,6 +36,13 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
  yocto:
   name: Yocto
diff --git a/.github/workflows/floyd-nano.yml b/.github/workflows/floyd-nano.yml
index efb8e3826..acc40b08f 100644
--- a/.github/workflows/floyd-nano.yml
+++ b/.github/workflows/floyd-nano.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/jetson-nano-2gb-devkit.yml b/.github/workflows/jetson-nano-2gb-devkit.yml
index 806a2ab55..6caf1ede8 100644
--- a/.github/workflows/jetson-nano-2gb-devkit.yml
+++ b/.github/workflows/jetson-nano-2gb-devkit.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/jetson-nano-emmc.yml b/.github/workflows/jetson-nano-emmc.yml
index 430078c43..e2d6b5ac2 100644
--- a/.github/workflows/jetson-nano-emmc.yml
+++ b/.github/workflows/jetson-nano-emmc.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/jetson-nano.yml b/.github/workflows/jetson-nano.yml
index 8253f49b5..e39869de1 100644
--- a/.github/workflows/jetson-nano.yml
+++ b/.github/workflows/jetson-nano.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/jetson-tx1.yml b/.github/workflows/jetson-tx1.yml
index c93c57fec..f0dddf3d4 100644
--- a/.github/workflows/jetson-tx1.yml
+++ b/.github/workflows/jetson-tx1.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/jetson-tx2-nx-devkit.yml b/.github/workflows/jetson-tx2-nx-devkit.yml
index 86300e3f5..e197ae3a4 100644
--- a/.github/workflows/jetson-tx2-nx-devkit.yml
+++ b/.github/workflows/jetson-tx2-nx-devkit.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/jetson-tx2.yml b/.github/workflows/jetson-tx2.yml
index 8364ec616..0889cb588 100644
--- a/.github/workflows/jetson-tx2.yml
+++ b/.github/workflows/jetson-tx2.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/jetson-xavier-nx-devkit-seeed-2mic-hat.yml b/.github/workflows/jetson-xavier-nx-devkit-seeed-2mic-hat.yml
index 8bb93c75d..3cda10e1f 100644
--- a/.github/workflows/jetson-xavier-nx-devkit-seeed-2mic-hat.yml
+++ b/.github/workflows/jetson-xavier-nx-devkit-seeed-2mic-hat.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/jn30b-nano.yml b/.github/workflows/jn30b-nano.yml
index dfc8c24ca..173ea2537 100644
--- a/.github/workflows/jn30b-nano.yml
+++ b/.github/workflows/jn30b-nano.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/n310-tx2.yml b/.github/workflows/n310-tx2.yml
index f6ab9a7a0..054f6ef87 100644
--- a/.github/workflows/n310-tx2.yml
+++ b/.github/workflows/n310-tx2.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/n510-tx2.yml b/.github/workflows/n510-tx2.yml
index 9f5973361..e94d3b377 100644
--- a/.github/workflows/n510-tx2.yml
+++ b/.github/workflows/n510-tx2.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/orbitty-tx2.yml b/.github/workflows/orbitty-tx2.yml
index b50e26a70..5ecc5d2a6 100644
--- a/.github/workflows/orbitty-tx2.yml
+++ b/.github/workflows/orbitty-tx2.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/photon-nano.yml b/.github/workflows/photon-nano.yml
index d23db4e59..16bcc3ab8 100644
--- a/.github/workflows/photon-nano.yml
+++ b/.github/workflows/photon-nano.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/photon-tx2-nx.yml b/.github/workflows/photon-tx2-nx.yml
index 299dfd8b0..5f1af7563 100644
--- a/.github/workflows/photon-tx2-nx.yml
+++ b/.github/workflows/photon-tx2-nx.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/photon-xavier-nx.yml b/.github/workflows/photon-xavier-nx.yml
index 728d370a6..86b4e605b 100644
--- a/.github/workflows/photon-xavier-nx.yml
+++ b/.github/workflows/photon-xavier-nx.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto:
diff --git a/.github/workflows/spacely-tx2.yml b/.github/workflows/spacely-tx2.yml
index b48fbe092..5af5ee9c1 100644
--- a/.github/workflows/spacely-tx2.yml
+++ b/.github/workflows/spacely-tx2.yml
@@ -36,6 +36,12 @@ on:
 type: string
 default: ''
 
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
 
 jobs:
  yocto: