This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/main by this push:
new c86d120369c Add explicit permissions for all workflow-run workflows
(#45548)
c86d120369c is described below
commit c86d120369c43b67c6e78b56474df7e80ff722b5
Author: Jarek Potiuk <[email protected]>
AuthorDate: Fri Jan 10 12:41:53 2025 +0100
Add explicit permissions for all workflow-run workflows (#45548)
Those workflows inherit permissions from the calling workflows,
but it is good to add explicit permissions to indicate what is
needed, and in case we also use the workflows for other purposes
in the future - default permissions for older repos might be
write, so it is best to be explicit about the permissions.
Found by CodeQL scanning
---
.github/workflows/additional-ci-image-checks.yml | 2 ++
.github/workflows/additional-prod-image-tests.yml | 2 ++
.github/workflows/automatic-backport.yml | 3 ++-
.github/workflows/backport-cli.yml | 3 +++
.github/workflows/basic-tests.yml | 2 ++
.github/workflows/ci-image-build.yml | 2 ++
.github/workflows/ci-image-checks.yml | 3 ++-
.github/workflows/finalize-tests.yml | 2 ++
.github/workflows/generate-constraints.yml | 6 ++++++
.github/workflows/helm-tests.yml | 2 ++
.github/workflows/integration-system-tests.yml | 2 ++
.github/workflows/k8s-tests.yml | 2 ++
.github/workflows/news-fragment.yml | 3 ++-
.github/workflows/prod-image-build.yml | 3 ++-
.github/workflows/prod-image-extra-checks.yml | 2 ++
.github/workflows/push-image-cache.yml | 2 ++
.github/workflows/run-unit-tests.yml | 2 ++
.github/workflows/special-tests.yml | 3 ++-
.github/workflows/task-sdk-tests.yml | 3 ++-
.github/workflows/test-provider-packages.yml | 2 ++
20 files changed, 45 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/additional-ci-image-checks.yml
b/.github/workflows/additional-ci-image-checks.yml
index 56cee169762..a6b7bdafcb5 100644
--- a/.github/workflows/additional-ci-image-checks.yml
+++ b/.github/workflows/additional-ci-image-checks.yml
@@ -84,6 +84,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv to build the image (true/false)"
required: true
type: string
+permissions:
+ contents: read
jobs:
# Push early BuildX cache to GitHub Registry in Apache repository, This
cache does not wait for all the
# tests to complete - it is run very early in the build process for "main"
merges in order to refresh
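Review bot: The new workflow-level `permissions:` grants only `contents: read`, yet the comment directly below the hunk says this workflow pushes an early BuildX cache to the GitHub Registry; if that push authenticates with `GITHUB_TOKEN` the pushing job also needs `packages: write`, and if it uses a dedicated secret instead, a one-line comment saying so would remove the question. The same applies to the push-image-cache.yml hunk, whose job is named "Push CI ... image cache". Because these are `workflow_call` workflows the caller's grant still caps anything declared here, so the right place for the extra scope is a job-level block on the pushing job, e.g. `permissions: { contents: read, packages: write }`. The `jobs:` block continues outside the hunk.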
diff --git a/.github/workflows/additional-prod-image-tests.yml
b/.github/workflows/additional-prod-image-tests.yml
index bca5e3a5927..7b551215714 100644
--- a/.github/workflows/additional-prod-image-tests.yml
+++ b/.github/workflows/additional-prod-image-tests.yml
@@ -60,6 +60,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv"
required: true
type: string
+permissions:
+ contents: read
jobs:
prod-image-extra-checks-main:
name: PROD image extra checks (main)
diff --git a/.github/workflows/automatic-backport.yml
b/.github/workflows/automatic-backport.yml
index b5b22b7491a..4c72401a5d3 100644
--- a/.github/workflows/automatic-backport.yml
+++ b/.github/workflows/automatic-backport.yml
@@ -21,7 +21,8 @@ on: # yamllint disable-line rule:truthy
push:
branches:
- main
-
+permissions:
+ contents: read
jobs:
get-pr-info:
name: "Get PR information"
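Review bot: With `contents: read` now set at the workflow level, the job in this file that calls backport-cli.yml (the new comment in that workflow says it is triggered from this push workflow) must carry its own job-level `permissions:` with `contents: write` and `pull-requests: write`, since a called workflow can only receive the scopes the calling job grants and cannot raise them itself. Only the `get-pr-info` job is visible in the hunk, so whether such a block exists cannot be confirmed from here; if it does not, the backport push and PR creation would run with a read-only token. The `jobs:` block continues outside the hunk.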
diff --git a/.github/workflows/backport-cli.yml
b/.github/workflows/backport-cli.yml
index 3706cd65bb0..53243006137 100644
--- a/.github/workflows/backport-cli.yml
+++ b/.github/workflows/backport-cli.yml
@@ -41,6 +41,9 @@ on: # yamllint disable-line rule:truthy
type: string
permissions:
+ # Those permissions are only active for workflow dispatch (only committers
can trigger it) and workflow call
+ # Which is triggered automatically by "automatic-backport" push workflow
(only when merging by committer)
+ # Branch protection prevents from pushing to the "code" branches
contents: write
pull-requests: write
jobs:
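Review bot: The added comment describes the trigger gating, but the `contents: write` and `pull-requests: write` scopes stay at the workflow level and therefore apply to every job in the file, not just the one that pushes the backport branch and opens the pull request; consider `contents: read` here and the two write scopes in that job's own `permissions:` block. The comment would also be more useful if it named the limit that actually bounds these scopes for a `workflow_call` workflow, e.g. `# The calling job's permissions cap these scopes; they cannot be raised here.` The `jobs:` block continues outside the hunk.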
diff --git a/.github/workflows/basic-tests.yml
b/.github/workflows/basic-tests.yml
index da803aee319..847eec3b4ee 100644
--- a/.github/workflows/basic-tests.yml
+++ b/.github/workflows/basic-tests.yml
@@ -60,6 +60,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv in the image"
required: true
type: string
+permissions:
+ contents: read
jobs:
run-breeze-tests:
timeout-minutes: 10
diff --git a/.github/workflows/ci-image-build.yml
b/.github/workflows/ci-image-build.yml
index d15c297d82a..55bf4e046e2 100644
--- a/.github/workflows/ci-image-build.yml
+++ b/.github/workflows/ci-image-build.yml
@@ -96,6 +96,8 @@ on: # yamllint disable-line rule:truthy
description: "Disable airflow repo cache read from main."
required: true
type: string
+permissions:
+ contents: read
jobs:
build-ci-images:
strategy:
diff --git a/.github/workflows/ci-image-checks.yml
b/.github/workflows/ci-image-checks.yml
index 21c857e7bd7..c6784042cec 100644
--- a/.github/workflows/ci-image-checks.yml
+++ b/.github/workflows/ci-image-checks.yml
@@ -108,7 +108,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv to build the image (true/false)"
required: true
type: string
-
+permissions:
+ contents: read
jobs:
install-pre-commit:
timeout-minutes: 5
diff --git a/.github/workflows/finalize-tests.yml
b/.github/workflows/finalize-tests.yml
index 1d0ac8a600c..ac13089caf6 100644
--- a/.github/workflows/finalize-tests.yml
+++ b/.github/workflows/finalize-tests.yml
@@ -76,6 +76,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to debug resources or not (true/false)"
required: true
type: string
+permissions:
+ contents: read
jobs:
update-constraints:
runs-on: ${{ fromJSON(inputs.runs-on-as-json-public) }}
diff --git a/.github/workflows/generate-constraints.yml
b/.github/workflows/generate-constraints.yml
index 740310e1cc0..19592dae295 100644
--- a/.github/workflows/generate-constraints.yml
+++ b/.github/workflows/generate-constraints.yml
@@ -44,6 +44,12 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uvloop (true/false)"
required: true
type: string
+permissions:
+ # This permission is only active for "canary" builds and PRs from the main
repo
+ # All fork PRs are not allowed to have write permissions and this one is
automatically downgraded to read
+ # Branch protection also prevents from pushing to the "code" branches so we
can safely use this one to
+ # Push constraints to "constraints" branches which are non-code branches and
are not protected
+ contents: write
jobs:
generate-constraints:
permissions:
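Review bot: `contents: write` is added at the workflow level while the `generate-constraints` job visibly declares its own `permissions:` block on the last line of the hunk (continuing outside it); a job-level block replaces the workflow-level one for that job, so the workflow-level write grant only takes effect for jobs without their own block and widens the default for any other job in this file. Prefer `contents: read` at the workflow level and keep the write scope inside the job's block, which is where the constraints push presumably happens. The comment's note that fork pull requests are downgraded to read is consistent with GitHub's behavior for `pull_request` events from forks, but it is the job-level scoping, not that downgrade, that limits what other triggers can do with the token.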
diff --git a/.github/workflows/helm-tests.yml b/.github/workflows/helm-tests.yml
index 9dc300c61c0..1b4aa19cbe5 100644
--- a/.github/workflows/helm-tests.yml
+++ b/.github/workflows/helm-tests.yml
@@ -40,6 +40,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uvloop (true/false)"
required: true
type: string
+permissions:
+ contents: read
jobs:
tests-helm:
timeout-minutes: 80
diff --git a/.github/workflows/integration-system-tests.yml
b/.github/workflows/integration-system-tests.yml
index f992b726e30..7c3916d9d19 100644
--- a/.github/workflows/integration-system-tests.yml
+++ b/.github/workflows/integration-system-tests.yml
@@ -64,6 +64,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv"
required: true
type: string
+permissions:
+ contents: read
jobs:
tests-core-integration:
timeout-minutes: 130
diff --git a/.github/workflows/k8s-tests.yml b/.github/workflows/k8s-tests.yml
index 6f867af65e9..40f73e3c59c 100644
--- a/.github/workflows/k8s-tests.yml
+++ b/.github/workflows/k8s-tests.yml
@@ -48,6 +48,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to debug resources"
required: true
type: string
+permissions:
+ contents: read
jobs:
tests-kubernetes:
timeout-minutes: 60
diff --git a/.github/workflows/news-fragment.yml
b/.github/workflows/news-fragment.yml
index 73e58a01937..46cb294d7a5 100644
--- a/.github/workflows/news-fragment.yml
+++ b/.github/workflows/news-fragment.yml
@@ -21,7 +21,8 @@ name: CI
on: # yamllint disable-line rule:truthy
pull_request:
types: [labeled, unlabeled, opened, reopened, synchronize]
-
+permissions:
+ contents: read
jobs:
check-news-fragment:
name: Check News Fragment
diff --git a/.github/workflows/prod-image-build.yml
b/.github/workflows/prod-image-build.yml
index d90d1910f93..85b421cade4 100644
--- a/.github/workflows/prod-image-build.yml
+++ b/.github/workflows/prod-image-build.yml
@@ -116,8 +116,9 @@ on: # yamllint disable-line rule:truthy
description: "Whether this is a prod-image build (true/false)"
required: true
type: string
+permissions:
+ contents: read
jobs:
-
build-prod-packages:
name: "Build Airflow and provider packages"
timeout-minutes: 10
diff --git a/.github/workflows/prod-image-extra-checks.yml
b/.github/workflows/prod-image-extra-checks.yml
index f5a4b771436..56fa4b2b1a2 100644
--- a/.github/workflows/prod-image-extra-checks.yml
+++ b/.github/workflows/prod-image-extra-checks.yml
@@ -64,6 +64,8 @@ on: # yamllint disable-line rule:truthy
description: "Disable airflow repo cache read from main."
required: true
type: string
+permissions:
+ contents: read
jobs:
myssql-client-image:
uses: ./.github/workflows/prod-image-build.yml
diff --git a/.github/workflows/push-image-cache.yml
b/.github/workflows/push-image-cache.yml
index b1c9d127542..86ec3b2a85a 100644
--- a/.github/workflows/push-image-cache.yml
+++ b/.github/workflows/push-image-cache.yml
@@ -80,6 +80,8 @@ on: # yamllint disable-line rule:truthy
description: "Disable airflow repo cache read from main."
required: true
type: string
+permissions:
+ contents: read
jobs:
push-ci-image-cache:
name: "Push CI ${{ inputs.cache-type }}:${{ matrix.python }} image cache "
diff --git a/.github/workflows/run-unit-tests.yml
b/.github/workflows/run-unit-tests.yml
index 1c24e659d09..e67d59ee08d 100644
--- a/.github/workflows/run-unit-tests.yml
+++ b/.github/workflows/run-unit-tests.yml
@@ -116,6 +116,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv"
required: true
type: string
+permissions:
+ contents: read
jobs:
tests:
timeout-minutes: 120
diff --git a/.github/workflows/special-tests.yml
b/.github/workflows/special-tests.yml
index 36ccbf871cc..8507294e535 100644
--- a/.github/workflows/special-tests.yml
+++ b/.github/workflows/special-tests.yml
@@ -80,7 +80,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv or not (true/false)"
required: true
type: string
-
+permissions:
+ contents: read
jobs:
tests-min-sqlalchemy:
name: "Min SQLAlchemy test"
diff --git a/.github/workflows/task-sdk-tests.yml
b/.github/workflows/task-sdk-tests.yml
index 501e880fd3b..b8ecf0eb798 100644
--- a/.github/workflows/task-sdk-tests.yml
+++ b/.github/workflows/task-sdk-tests.yml
@@ -44,7 +44,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether this is a canary run (true/false)"
required: true
type: string
-
+permissions:
+ contents: read
jobs:
task-sdk-tests:
timeout-minutes: 80
diff --git a/.github/workflows/test-provider-packages.yml
b/.github/workflows/test-provider-packages.yml
index 877ff1f1b23..b0912fa6dfe 100644
--- a/.github/workflows/test-provider-packages.yml
+++ b/.github/workflows/test-provider-packages.yml
@@ -62,6 +62,8 @@ on: # yamllint disable-line rule:truthy
description: "Whether to use uv"
required: true
type: string
+permissions:
+ contents: read
jobs:
prepare-install-verify-provider-packages:
timeout-minutes: 80