set Minimum GITHUB_TOKEN permissions to github workflow

Signed-off-by: zhzhuang-zju <m17799853869@163.com>
karmada-io · Jul 3, 2024 · b20e002 · b20e002
1 parent 7aaea78
commit b20e002
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 0 deletions.
diff --git a/.github/workflows/dockerhub-latest-image.yml b/.github/workflows/dockerhub-latest-image.yml
@@ -3,6 +3,8 @@ on:
   push:
     branches:
       - master
+permissions:
+  contents: read
 jobs:
   publish-image-to-dockerhub:
     name: publish to DockerHub

diff --git a/.github/workflows/dockerhub-released-chart.yml b/.github/workflows/dockerhub-released-chart.yml
@@ -3,6 +3,8 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read
 jobs:
   publish-chart-to-dockerhub:
     name: publish to DockerHub

diff --git a/.github/workflows/dockerhub-released-image.yml b/.github/workflows/dockerhub-released-image.yml
@@ -3,6 +3,8 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read
 jobs:
   publish-image-to-dockerhub:
     name: publish to DockerHub

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,8 +3,12 @@ on:
     types:
     - published
 name: Build Release
+permissions:
+  contents: read
 jobs:
   release-assests:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: release kubectl-karmada
     runs-on: ubuntu-22.04
     strategy:
@@ -41,6 +45,8 @@ jobs:
           _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
           _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz.sha256
   release-crds-assests:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: release crds
     runs-on: ubuntu-22.04
     steps:
@@ -61,6 +67,8 @@ jobs:
         files: |
           crds.tar.gz
   release-charts:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: Release charts
     runs-on: ubuntu-22.04
     steps:
@@ -79,6 +87,8 @@ jobs:
           _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz
           _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz.sha256
   sbom-assests:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: Release sbom
     runs-on: ubuntu-22.04
     steps:

diff --git a/.github/workflows/swr-latest-image.yml b/.github/workflows/swr-latest-image.yml
@@ -3,6 +3,8 @@ on:
   push:
     branches:
       - master
+permissions:
+  contents: read
 jobs:
   publish-image:
     name: publish images

diff --git a/.github/workflows/swr-released-image.yml b/.github/workflows/swr-released-image.yml
@@ -3,6 +3,8 @@ on:
   release:
     types:
       - published
+permissions:
+  contents: read
 jobs:
   release-image:
     name: release images