From 6b2dc8ce566ed5445c64e008a1e7822121a2da09 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Tue, 29 Oct 2024 09:48:47 +0100
Subject: [PATCH] ci: fix workflow permissions

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/build.yml | 5 +++--
 .github/workflows/codeql.yml | 4 +---
 .github/workflows/docs-release.yml | 3 +++
 .github/workflows/labeler.yml | 5 ++---
 4 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 129910fa..229cbb9f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -229,8 +229,6 @@ jobs:
 permissions:
 # required to write sarif report
 security-events: write
- # required to check out the repository
- contents: read
 steps:
 -
 name: Checkout
@@ -404,6 +402,9 @@ jobs:
 
 release:
 runs-on: ubuntu-24.04
+ permissions:
+ # required to create GitHub release
+ contents: write
 needs:
 - test-integration
 - test-unit
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index bcc4cad7..fe687f9a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,12 +21,10 @@ env:
 
 jobs:
 codeql:
+ runs-on: ubuntu-24.04
 permissions:
 actions: read
- contents: read
 security-events: write
-
- runs-on: ubuntu-24.04
 steps:
 -
 name: Checkout
diff --git a/.github/workflows/docs-release.yml b/.github/workflows/docs-release.yml
index 5ac49234..f975ee0c 100644
--- a/.github/workflows/docs-release.yml
+++ b/.github/workflows/docs-release.yml
@@ -23,6 +23,9 @@ jobs:
 open-pr:
 runs-on: ubuntu-24.04
 if: ${{ (github.event.release.prerelease != true || github.event.inputs.tag != '') && github.repository == 'docker/buildx' }}
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 -
 name: Checkout docs repo
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 39ad0fb5..a5bff97e 100644
--- a/.github/workflows/labeler.yml
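Review bot: Dropping `contents: read` from the job-level `permissions:` block in the `@@ -229,8` hunk of build.yml leaves that scope unlisted, and a job-level block does not inherit a workflow-level `permissions:` — every scope it does not name is set to none — so the `Checkout` step a few lines below now runs with a token that has no contents access. This only works if checkout of this repository succeeds without the token (a public repository), and with the deleted `# required to check out the repository` comment gone that assumption is no longer written down; I would replace it with `# contents: read omitted on purpose, checkout of the public repository does not need the token`. The same removal is made in the codeql.yml hunk (`@@ -21,12`) and the labeler.yml hunk (`@@ -18,10`); for the labeler I would confirm the action can still read its configuration file with contents set to none before merging. The enclosing job definitions begin before each of these hunks.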
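Review bot: The `permissions:` block added to the `open-pr` job in docs-release.yml (`@@ -23,6`) grants `contents: write` and `pull-requests: write` with no `# required to ...` comment, while the build.yml hunks in this same commit document every scope they touch, so the two styles now coexist in one change. The following step is named `Checkout docs repo`, which suggests the pull request is opened against a different repository; if that step and the PR step use their own token, the GITHUB_TOKEN scopes granted here apply only to this repository and each one should be justified or dropped. Once the needing steps are confirmed, comments in the build.yml form, e.g. `# required to push the docs branch` above `contents: write` and `# required to open the docs pull request` above `pull-requests: write`, would record the reason. The remaining steps of the `open-pr` job lie outside the hunk.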
+++ b/.github/workflows/labeler.yml
@@ -18,10 +18,9 @@ on:
 
 jobs:
 labeler:
- permissions:
- contents: read
- pull-requests: write
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 -
 name: Run
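Review bot: The `labeler` job keeps `runs-on: ubuntu-latest` in the `@@ -18,10` hunk while the three other workflows touched by this commit (build.yml, codeql.yml, docs-release.yml) all pin `runs-on: ubuntu-24.04`, so the runner image for this job remains unpinned and inconsistent with the rest of the change. Since the hunk already rewrites the `runs-on` / `permissions` ordering of this job, changing the context line to `runs-on: ubuntu-24.04` here would bring the file in line at no extra cost. The `on:` trigger block referenced in the hunk header is outside the hunk, as is the rest of the job after the `Run` step.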