This is an automated email from the ASF dual-hosted git repository. potiuk pushed a commit to branch add-explicit-permissions-for-non-top-level-workflows in repository https://gitbox.apache.org/repos/asf/airflow.git
commit 4a913bda33a78d615ee59cb5393b3aeeeb4c43c2
Author: Jarek Potiuk <[email protected]>
AuthorDate: Fri Jan 10 11:34:51 2025 +0100
Add explicit permissions for all workflow-run workflows
Those workflows inherit permissions from the calling workflows but it's good to add explicit permissions to indicate what is needed and in case we will also use the workflows for other purposes in the future - default permissions for older repos might be write so it's best to be explicit about the permissions. Found by CodeQL scanning
---
 .github/workflows/additional-ci-image-checks.yml | 2 ++
 .github/workflows/additional-prod-image-tests.yml | 2 ++
 .github/workflows/automatic-backport.yml | 3 ++-
 .github/workflows/backport-cli.yml | 3 +++
 .github/workflows/basic-tests.yml | 2 ++
 .github/workflows/ci-image-build.yml | 2 ++
 .github/workflows/ci-image-checks.yml | 3 ++-
 .github/workflows/finalize-tests.yml | 2 ++
 .github/workflows/generate-constraints.yml | 6 ++++++
 .github/workflows/helm-tests.yml | 2 ++
 .github/workflows/integration-system-tests.yml | 2 ++
 .github/workflows/k8s-tests.yml | 2 ++
 .github/workflows/news-fragment.yml | 3 ++-
 .github/workflows/prod-image-build.yml | 3 ++-
 .github/workflows/prod-image-extra-checks.yml | 2 ++
 .github/workflows/push-image-cache.yml | 2 ++
 .github/workflows/run-unit-tests.yml | 2 ++
 .github/workflows/special-tests.yml | 3 ++-
 .github/workflows/task-sdk-tests.yml | 3 ++-
 .github/workflows/test-provider-packages.yml | 2 ++
 20 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/additional-ci-image-checks.yml b/.github/workflows/additional-ci-image-checks.yml
index 56cee169762..a6b7bdafcb5 100644
--- a/.github/workflows/additional-ci-image-checks.yml
+++ b/.github/workflows/additional-ci-image-checks.yml
@@ -84,6 +84,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv to build the image (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 # Push early BuildX cache to GitHub Registry in Apache repository, This cache does not wait for all the
 # tests to complete - it is run very early in the build process for "main" merges in order to refresh
diff --git a/.github/workflows/additional-prod-image-tests.yml b/.github/workflows/additional-prod-image-tests.yml
index bca5e3a5927..7b551215714 100644
--- a/.github/workflows/additional-prod-image-tests.yml
+++ b/.github/workflows/additional-prod-image-tests.yml
@@ -60,6 +60,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 prod-image-extra-checks-main:
 name: PROD image extra checks (main)
diff --git a/.github/workflows/automatic-backport.yml b/.github/workflows/automatic-backport.yml
index b5b22b7491a..4c72401a5d3 100644
--- a/.github/workflows/automatic-backport.yml
+++ b/.github/workflows/automatic-backport.yml
@@ -21,7 +21,8 @@ on: # yamllint disable-line rule:truthy
 push:
 branches:
 - main
-
+permissions:
+ contents: read
 jobs:
 get-pr-info:
 name: "Get PR information"
diff --git a/.github/workflows/backport-cli.yml b/.github/workflows/backport-cli.yml
index 3706cd65bb0..53243006137 100644
--- a/.github/workflows/backport-cli.yml
+++ b/.github/workflows/backport-cli.yml
@@ -41,6 +41,9 @@ on: # yamllint disable-line rule:truthy
 type: string
 permissions:
+ # Those permissions are only active for workflow dispatch (only committers can trigger it) and workflow call
+ # Which is triggered automatically by "automatic-backport" push workflow (only when merging by committer)
+ # Branch protection prevents from pushing to the "code" branches
 contents: write
 pull-requests: write
 jobs:
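Review bot: The new workflow-level `contents: read` in automatic-backport.yml becomes the ceiling for every job of that workflow, including whichever job calls the backport-cli.yml reusable workflow, and a called workflow can only lower, never raise, the token permissions its caller passes in. Unless that calling job (outside this hunk; only `get-pr-info` is visible) declares its own `permissions:` with `contents: write` and `pull-requests: write`, the write grants that backport-cli.yml keeps in the next hunk are reduced to read and the backport push fails at runtime rather than at lint time. The same check applies to finalize-tests.yml, whose `update-constraints` job now follows a read-only default, and to push-image-cache.yml if its `push-ci-image-cache` job authenticates with the workflow token. A comment next to each new block would make the intent explicit, e.g. `# Default for all jobs; a job that must push declares its own permissions: block`.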
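Review bot: The new comment in backport-cli.yml explains who can trigger the workflow but not that the `contents: write` / `pull-requests: write` it annotates are workflow-wide, so every job in the file (all outside this hunk) receives a write token whether or not it pushes anything; moving the two grants into the `permissions:` block of the job that performs the push would keep the remaining jobs read-only. Since the added lines are comment-only, the wording could also be tightened: the second line starts mid-sentence with a capital `Which`, and `prevents from pushing` reads better as `prevents pushing`. A possible rewrite of the last two lines: `# which is triggered automatically by the "automatic-backport" push workflow (only when a committer merges).` / `# Branch protection prevents pushing to the "code" branches.`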
diff --git a/.github/workflows/basic-tests.yml b/.github/workflows/basic-tests.yml
index da803aee319..847eec3b4ee 100644
--- a/.github/workflows/basic-tests.yml
+++ b/.github/workflows/basic-tests.yml
@@ -60,6 +60,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv in the image"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 run-breeze-tests:
 timeout-minutes: 10
diff --git a/.github/workflows/ci-image-build.yml b/.github/workflows/ci-image-build.yml
index d15c297d82a..55bf4e046e2 100644
--- a/.github/workflows/ci-image-build.yml
+++ b/.github/workflows/ci-image-build.yml
@@ -96,6 +96,8 @@ on: # yamllint disable-line rule:truthy
 description: "Disable airflow repo cache read from main."
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 build-ci-images:
 strategy:
diff --git a/.github/workflows/ci-image-checks.yml b/.github/workflows/ci-image-checks.yml
index 21c857e7bd7..c6784042cec 100644
--- a/.github/workflows/ci-image-checks.yml
+++ b/.github/workflows/ci-image-checks.yml
@@ -108,7 +108,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv to build the image (true/false)"
 required: true
 type: string
-
+permissions:
+ contents: read
 jobs:
 install-pre-commit:
 timeout-minutes: 5
diff --git a/.github/workflows/finalize-tests.yml b/.github/workflows/finalize-tests.yml
index 1d0ac8a600c..ac13089caf6 100644
--- a/.github/workflows/finalize-tests.yml
+++ b/.github/workflows/finalize-tests.yml
@@ -76,6 +76,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to debug resources or not (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 update-constraints:
 runs-on: ${{ fromJSON(inputs.runs-on-as-json-public) }}
diff --git a/.github/workflows/generate-constraints.yml b/.github/workflows/generate-constraints.yml
index 740310e1cc0..19592dae295 100644
--- a/.github/workflows/generate-constraints.yml
+++ b/.github/workflows/generate-constraints.yml
@@ -44,6 +44,12 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uvloop (true/false)"
 required: true
 type: string
+permissions:
+ # This permission is only active for "canary" builds and PRs from the main repo
+ # All fork PRs are not allowed to have write permissions and this one is automatically downgraded to read
+ # Branch protection also prevents from pushing to the "code" branches so we can safely use this one to
+ # Push constraints to "constraints" branches which are non-code branches and are not protected
+ contents: write
 jobs:
 generate-constraints:
 permissions:
diff --git a/.github/workflows/helm-tests.yml b/.github/workflows/helm-tests.yml
index 9dc300c61c0..1b4aa19cbe5 100644
--- a/.github/workflows/helm-tests.yml
+++ b/.github/workflows/helm-tests.yml
@@ -40,6 +40,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uvloop (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests-helm:
 timeout-minutes: 80
diff --git a/.github/workflows/integration-system-tests.yml b/.github/workflows/integration-system-tests.yml
index f992b726e30..7c3916d9d19 100644
--- a/.github/workflows/integration-system-tests.yml
+++ b/.github/workflows/integration-system-tests.yml
@@ -64,6 +64,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests-core-integration:
 timeout-minutes: 130
diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml
index 6f867af65e9..40f73e3c59c 100644
--- a/.github/workflows/k8s-tests.yml
+++ b/.github/workflows/k8s-tests.yml
@@ -48,6 +48,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to debug resources"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests-kubernetes:
 timeout-minutes: 60
diff --git a/.github/workflows/news-fragment.yml b/.github/workflows/news-fragment.yml
index 73e58a01937..46cb294d7a5 100644
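Review bot: Workflow-level `contents: write` in generate-constraints.yml hands a write token to every job in the file, yet this same hunk shows the `generate-constraints` job already carries its own `permissions:` block (its body is outside the hunk); setting the top level to `contents: read` and keeping the write grant in that job-level block would leave any job added later read-only by default, which is the property the commit message is after. The four-line comment describes the pull_request downgrade and branch protection but not that, on the workflow_call path, the effective permissions are additionally capped by whatever the calling workflow passes in; a line such as `# On workflow_call the token is further capped by the caller's permissions` would complete the picture. Suggested top-level line: `contents: read`.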
--- a/.github/workflows/news-fragment.yml
+++ b/.github/workflows/news-fragment.yml
@@ -21,7 +21,8 @@ name: CI
 on: # yamllint disable-line rule:truthy
 pull_request:
 types: [labeled, unlabeled, opened, reopened, synchronize]
-
+permissions:
+ contents: read
 jobs:
 check-news-fragment:
 name: Check News Fragment
diff --git a/.github/workflows/prod-image-build.yml b/.github/workflows/prod-image-build.yml
index d90d1910f93..85b421cade4 100644
--- a/.github/workflows/prod-image-build.yml
+++ b/.github/workflows/prod-image-build.yml
@@ -116,8 +116,9 @@ on: # yamllint disable-line rule:truthy
 description: "Whether this is a prod-image build (true/false)"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
-
 build-prod-packages:
 name: "Build Airflow and provider packages"
 timeout-minutes: 10
diff --git a/.github/workflows/prod-image-extra-checks.yml b/.github/workflows/prod-image-extra-checks.yml
index f5a4b771436..56fa4b2b1a2 100644
--- a/.github/workflows/prod-image-extra-checks.yml
+++ b/.github/workflows/prod-image-extra-checks.yml
@@ -64,6 +64,8 @@ on: # yamllint disable-line rule:truthy
 description: "Disable airflow repo cache read from main."
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 myssql-client-image:
 uses: ./.github/workflows/prod-image-build.yml
diff --git a/.github/workflows/push-image-cache.yml b/.github/workflows/push-image-cache.yml
index b1c9d127542..86ec3b2a85a 100644
--- a/.github/workflows/push-image-cache.yml
+++ b/.github/workflows/push-image-cache.yml
@@ -80,6 +80,8 @@ on: # yamllint disable-line rule:truthy
 description: "Disable airflow repo cache read from main."
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 push-ci-image-cache:
 name: "Push CI ${{ inputs.cache-type }}:${{ matrix.python }} image cache "
diff --git a/.github/workflows/run-unit-tests.yml b/.github/workflows/run-unit-tests.yml
index 1c24e659d09..e67d59ee08d 100644
--- a/.github/workflows/run-unit-tests.yml
+++ b/.github/workflows/run-unit-tests.yml
@@ -116,6 +116,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 tests:
 timeout-minutes: 120
diff --git a/.github/workflows/special-tests.yml b/.github/workflows/special-tests.yml
index 36ccbf871cc..8507294e535 100644
--- a/.github/workflows/special-tests.yml
+++ b/.github/workflows/special-tests.yml
@@ -80,7 +80,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv or not (true/false)"
 required: true
 type: string
-
+permissions:
+ contents: read
 jobs:
 tests-min-sqlalchemy:
 name: "Min SQLAlchemy test"
diff --git a/.github/workflows/task-sdk-tests.yml b/.github/workflows/task-sdk-tests.yml
index 501e880fd3b..b8ecf0eb798 100644
--- a/.github/workflows/task-sdk-tests.yml
+++ b/.github/workflows/task-sdk-tests.yml
@@ -44,7 +44,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether this is a canary run (true/false)"
 required: true
 type: string
-
+permissions:
+ contents: read
 jobs:
 task-sdk-tests:
 timeout-minutes: 80
diff --git a/.github/workflows/test-provider-packages.yml b/.github/workflows/test-provider-packages.yml
index 877ff1f1b23..b0912fa6dfe 100644
--- a/.github/workflows/test-provider-packages.yml
+++ b/.github/workflows/test-provider-packages.yml
@@ -62,6 +62,8 @@ on: # yamllint disable-line rule:truthy
 description: "Whether to use uv"
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 prepare-install-verify-provider-packages:
 timeout-minutes: 80
