diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml
index 7cc3e82fc9..d7791101b5 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/actionlint.yaml
@@ -11,11 +11,12 @@ on:
 branches: [main]
 paths:
 - .github/**
-permissions: {}
 jobs:
 default:
 runs-on: ubuntu-latest
 timeout-minutes: 15
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1
diff --git a/.github/workflows/debug-with-action-tmate.yaml b/.github/workflows/debug-with-action-tmate.yaml
index 4a70beb54b..35036531de 100644
--- a/.github/workflows/debug-with-action-tmate.yaml
+++ b/.github/workflows/debug-with-action-tmate.yaml
@@ -10,11 +10,12 @@ on:
 required: false
 ref:
 required: false
-permissions: {}
 jobs:
 action-tmate:
 runs-on: ${{inputs.runs-on}}
 timeout-minutes: 360
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index ff3068c73b..aeb5fd7d85 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -19,7 +19,9 @@ jobs:
 json-schema: ${{steps.changes.outputs.json-schema}}
 test-docker: ${{steps.changes.outputs.test-docker}}
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
+ pull-requests: read
 timeout-minutes: 15
 steps:
 - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
@@ -53,7 +55,6 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 needs:
- enable-automerge-renovate
 - renovate-config-validator
 - check-files
 - generate-registry
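Review bot: In .github/workflows/actionlint.yaml the `actions/checkout` step has no `with:` block, so it keeps its default of persisting the job token in the checked-out repository's git config, and that token now carries `contents: read` instead of no scopes. Adding `with:` and `persist-credentials: false` under the checkout step keeps the token out of reach of the later steps, starting with aqua-installer. The same applies to the checkout steps in debug-with-action-tmate.yaml and in the wc-check-files, wc-ci-info, wc-generate-registry, wc-json-schema, wc-lintnet, wc-prettier, wc-test-docker and wc-test hunks, though those hunks end at the checkout line or its `with:` key, so whether the option is already set there is not visible. The job's step list continues outside the hunk.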
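Review bot: Dropping the workflow-level `permissions: {}` in .github/workflows/debug-with-action-tmate.yaml removes the deny-by-default: the new job-level `contents: read` covers `action-tmate` only, and any job added later without its own `permissions` key falls back to the repository's default token permissions. Keeping `permissions: {}` at the top of the file next to the job-level grant costs nothing and preserves that guard; the actionlint.yaml hunk has the same removal. It matters most here because the job may run for up to 360 minutes on a runner chosen by the `runs-on` input and, judging by the workflow name, opens an interactive session. The `with:` block of the checkout step continues outside the hunk.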
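Review bot: The job in the first test.yaml hunk now gets `contents: read` as well as `pull-requests: read`, but the only step visible is `dorny/paths-filter`, with no checkout before it. If no later step reads the repository (the step list continues outside the hunk), `pull-requests: read` alone may be enough on pull-request events, since the action can list changed files through the API. Either way a short comment on each scope, for example `# paths-filter lists the PR's changed files via the API`, would tell the next maintainer why the token is not empty.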
@@ -67,14 +68,6 @@ jobs:
 steps:
 - run: exit 1
- enable-automerge-renovate:
- uses: ./.github/workflows/wc-enable-auto-merge.yaml
- if: |
- github.event.pull_request.user.login == 'renovate[bot]' && contains(github.event.pull_request.body, ' **Automerge**: Enabled.')
- secrets:
- gh_app_id: ${{secrets.APP_ID}}
- gh_app_private_key: ${{secrets.APP_PRIVATE_KEY}}
-
 renovate-config-validator:
 uses: ./.github/workflows/wc-renovate-config-validator.yaml
 needs: path-filter
@@ -86,35 +79,49 @@ jobs:
 uses: ./.github/workflows/wc-check-files.yaml
 needs: path-filter
 if: ${{needs.path-filter.outputs.check-files == 'true'}}
- permissions: {}
+ permissions:
+ contents: read
 generate-registry:
 uses: ./.github/workflows/wc-generate-registry.yaml
 needs: path-filter
 if: ${{needs.path-filter.outputs.generate-registry == 'true'}}
- permissions: {}
+ permissions:
+ contents: read
 json-schema:
 uses: ./.github/workflows/wc-json-schema.yaml
 needs: path-filter
 if: ${{needs.path-filter.outputs.json-schema == 'true'}}
- permissions: {}
+ permissions:
+ contents: read
 prettier:
 uses: ./.github/workflows/wc-prettier.yaml
- permissions: {}
+ permissions:
+ contents: read
 test-docker:
 uses: ./.github/workflows/wc-test-docker.yaml
 needs: path-filter
 if: ${{needs.path-filter.outputs.test-docker == 'true'}}
+ permissions:
+ contents: read
 ci-info:
 uses: ./.github/workflows/wc-ci-info.yaml
+ permissions:
+ contents: read
+ pull-requests: read
 lintnet:
 uses: ./.github/workflows/wc-lintnet.yaml
+ permissions:
+ contents: read
 test:
 needs: ci-info
 uses: ./.github/workflows/wc-test.yaml
+ permissions:
+ contents: read
+ pull-requests: read
diff --git a/.github/workflows/wc-check-files.yaml b/.github/workflows/wc-check-files.yaml
index 690412b0de..8a7131828d 100644
--- a/.github/workflows/wc-check-files.yaml
+++ b/.github/workflows/wc-check-files.yaml
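Review bot: Each caller job in the last test.yaml hunk now repeats the permission set of the reusable workflow it calls (`contents: read`, plus `pull-requests: read` for `ci-info` and `test`), and nothing in the file says the two have to match. A called workflow cannot receive more than its caller grants, so a scope added later in a `wc-*.yaml` file without the matching line here gets the run rejected when the workflow starts rather than at the step that needs the scope. A comment above the first of these blocks, such as `# must cover the permissions declared in the called wc-*.yaml workflow`, would document the coupling. The `renovate-config-validator` caller is only partly visible, so whether it carries a `permissions` key cannot be checked from this hunk.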
@@ -4,7 +4,8 @@ on: workflow_call
 jobs:
 check-files:
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/wc-ci-info.yaml b/.github/workflows/wc-ci-info.yaml
index 77af6d9410..6740314217 100644
--- a/.github/workflows/wc-ci-info.yaml
+++ b/.github/workflows/wc-ci-info.yaml
@@ -6,7 +6,9 @@ jobs:
 runs-on: ubuntu-latest
 env:
 AQUA_CONFIG: aqua/ci-info.yaml
- permissions: {}
+ permissions:
+ contents: read
+ pull-requests: read
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/wc-enable-auto-merge.yaml b/.github/workflows/wc-enable-auto-merge.yaml
deleted file mode 100644
index a0c96fce1e..0000000000
--- a/.github/workflows/wc-enable-auto-merge.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-name: wc-enable-auto-merge
-on:
- workflow_call:
- secrets:
- gh_app_id:
- required: true
- gh_app_private_key:
- required: true
-jobs:
- enable-automerge-renovate:
- runs-on: ubuntu-latest
- environment: renovate
- permissions: {}
- timeout-minutes: 15
- if: |
- github.event.pull_request.user.login == 'renovate[bot]' && contains(github.event.pull_request.body, ' **Automerge**: Enabled.')
- steps:
- - uses: suzuki-shunsuke/enable-auto-merge-action@ec074392e76cd1062925255cd82a86ea1c44b6fd # v0.1.0
- with:
- pr_number: ${{github.event.pull_request.number}}
- merge_method: squash
- github_app_id: ${{secrets.gh_app_id}}
- github_app_private_key: ${{secrets.gh_app_private_key}}
diff --git a/.github/workflows/wc-generate-registry.yaml b/.github/workflows/wc-generate-registry.yaml
index 1943c7134f..c326be4ecf 100644
--- a/.github/workflows/wc-generate-registry.yaml
+++ b/.github/workflows/wc-generate-registry.yaml
@@ -4,7 +4,8 @@ on: workflow_call
 jobs:
 generate-registry:
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/wc-json-schema.yaml b/.github/workflows/wc-json-schema.yaml
index 548bd94ebe..a3cde61beb 100644
--- a/.github/workflows/wc-json-schema.yaml
+++ b/.github/workflows/wc-json-schema.yaml
@@ -4,7 +4,8 @@ on: workflow_call
 jobs:
 json-schema:
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/wc-lintnet.yaml b/.github/workflows/wc-lintnet.yaml
index 0f8527c28c..a116742747 100644
--- a/.github/workflows/wc-lintnet.yaml
+++ b/.github/workflows/wc-lintnet.yaml
@@ -8,7 +8,8 @@ jobs:
 runs-on: ubuntu-latest
 env:
 AQUA_CONFIG: aqua-all.yaml
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 15
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/wc-prettier.yaml b/.github/workflows/wc-prettier.yaml
index 2c1b17cc88..29f3d8e4b1 100644
--- a/.github/workflows/wc-prettier.yaml
+++ b/.github/workflows/wc-prettier.yaml
@@ -4,7 +4,8 @@ on: workflow_call
 jobs:
 prettier:
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 20
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/wc-test-docker.yaml b/.github/workflows/wc-test-docker.yaml
index 1f10d898c6..531a78b097 100644
--- a/.github/workflows/wc-test-docker.yaml
+++ b/.github/workflows/wc-test-docker.yaml
@@ -4,7 +4,8 @@ on: workflow_call
 jobs:
 test-docker:
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 20
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
diff --git a/.github/workflows/wc-test.yaml b/.github/workflows/wc-test.yaml
index 23fd471304..0d7fd29848 100644
--- a/.github/workflows/wc-test.yaml
+++ b/.github/workflows/wc-test.yaml
@@ -32,7 +32,9 @@ jobs:
 shell: bash
 env:
 AQUA_CONFIG: aqua/test.yaml
- permissions: {}
+ permissions:
+ contents: read
+ pull-requests: read
 timeout-minutes: 30
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2