diff --git a/.github/workflows/ci-build-image.yml b/.github/workflows/ci-build-image.yml
index ad2f5af3dd..b1c2864a03 100644
--- a/.github/workflows/ci-build-image.yml
+++ b/.github/workflows/ci-build-image.yml
@@ -17,10 +17,6 @@ on:
 description: the Cryostat application version that will be built
 value: ${{ jobs.get-pom-properties.outputs.image-version }}
 
-permissions:
- contents: read
- packages: read
-
 jobs:
 get-pom-properties:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/ci-code-analysis.yml b/.github/workflows/ci-code-analysis.yml
index f423a90577..703988981b 100644
--- a/.github/workflows/ci-code-analysis.yml
+++ b/.github/workflows/ci-code-analysis.yml
@@ -8,10 +8,6 @@ on:
 required: false
 type: string
 
-permissions:
- contents: read
- packages: read
-
 jobs:
 spotless:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/integrated-test.yml b/.github/workflows/integrated-test.yml
index 943a8b253f..ea05e74748 100644
--- a/.github/workflows/integrated-test.yml
+++ b/.github/workflows/integrated-test.yml
@@ -23,10 +23,6 @@ on:
 type: boolean
 default: false
 
-permissions:
- contents: read
- packages: read
-
 jobs:
 integration-tests:
 runs-on: ubuntu-latest
@@ -68,7 +64,7 @@ jobs:
 - name: Run integration tests
 run: POD_NAME=cryostat-itests CONTAINER_NAME=cryostat-itest ITEST_IMG_VERSION=latest bash repeated-integration-tests.bash
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Print itest logs
 if: failure()
 run: ls -1dt target/cryostat-itest-*.log | head -n1 | xargs cat
diff --git a/.github/workflows/pr-ci.yml b/.github/workflows/pr-ci.yml
index f3abd44d7d..b4440c5ba0 100644
--- a/.github/workflows/pr-ci.yml
+++ b/.github/workflows/pr-ci.yml
@@ -78,6 +78,8 @@ jobs:
 start-comment:
 runs-on: ubuntu-latest
 needs: [check-before-build]
+ permissions:
+ pull-requests: write
 steps:
 - name: Leave Actions Run Comment
 uses: actions/github-script@v6
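Review bot: The new `permissions` blocks in start-comment (and in the integration-test-pass, retest-integration-pass, comment-integration-test-fail and comment-retest-integration-fail hunks further down) scope `pull-requests: write` to the jobs that post comments, but nothing in this diff sets a workflow-level default for pr-ci.yml. If the top of the file has none, jobs without their own block, such as push-to-ghcr visible at the edge of the next hunk, keep the repository's default token scopes. Consider a top-level `permissions: {}` with each remaining job listing only what it needs, so every grant is explicit. A short comment on each added block, for example `# github-script posts the run comment on the PR`, would record why the write scope is there. The job bodies continue outside these hunks.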
@@ -99,11 +101,13 @@ jobs:
 strategy:
 matrix:
 arch: [amd64, arm64]
+ permissions:
+ pull-requests: write
 uses: ./.github/workflows/ci-build-image.yml
 with:
 build-arch: ${{ matrix.arch }}
 checkout-repo: ${{ needs.checkout-branch.outputs.PR_repo }}
- checkout-ref: ${{ needs.checkout-branch.outputs.PR_head_ref }}
+ checkout-ref: ${{ needs.checkout-branch.outputs.PR_head_ref }}
 
 push-to-ghcr:
 runs-on: ubuntu-latest
@@ -202,6 +206,8 @@ jobs:
 integration-test-pass:
 runs-on: ubuntu-latest
 needs: [integration-test]
+ permissions:
+ pull-requests: write
 steps:
 - name: Leave Actions Run Comment
 uses: actions/github-script@v6
@@ -219,6 +225,8 @@ jobs:
 retest-integration-pass:
 runs-on: ubuntu-latest
 needs: [retest-integration]
+ permissions:
+ pull-requests: write
 steps:
 - name: Leave Actions Run Comment
 uses: actions/github-script@v6
@@ -236,6 +244,8 @@ jobs:
 comment-integration-test-fail:
 if: (always() && contains(needs.*.result, 'failure'))
 needs: [integration-test]
+ permissions:
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/github-script@v6
@@ -253,6 +263,8 @@ jobs:
 comment-retest-integration-fail:
 if: (always() && contains(needs.*.result, 'failure'))
 needs: [retest-integration]
+ permissions:
+ pull-requests: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/github-script@v6
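Review bot: In the `@@ -99,11 +101,13 @@` hunk, the job that calls ci-build-image.yml is granted only `pull-requests: write`, which sets every unlisted scope (including `contents` and `packages`) to none while handing a write-capable token to a workflow that receives `PR_repo` and `PR_head_ref` as its checkout target. Nothing visible in this hunk comments on the pull request, and the called workflow previously declared `contents: read` and `packages: read`, so the grant looks both broader and narrower than the job needs. Unless ci-build-image.yml really writes to the PR (its body is not in this diff), prefer `permissions: {contents: read, packages: read}` on this job, so code built from the PR head never runs alongside a token that can modify pull requests. The job's header line is above the hunk.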