
Commit 0f4b509

WEBUI-2017 WEBUI-2018 : define permissions at job level in workflow files (#3155)
1 parent e967c49 commit 0f4b509

14 files changed

Lines changed: 48 additions & 45 deletions

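--- a/.github/workflows/a11y.yaml
+++ b/.github/workflows/a11y.yaml
@@ -20,15 +20,14 @@ on:
 REPOSITORY_MANAGER_PASSWORD:
 required: true
 
-permissions:
-contents: read
-
 env:
 NPM_REPOSITORY: https://packages.nuxeo.com/repository/npm-public/
 
 jobs:
 a11y:
 runs-on: ubuntu-latest
+permissions:
+contents: read
 
 steps:
 - name: Debug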
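Review bot: The workflow-level `permissions:` block is deleted outright rather than kept as a restrictive floor, so any job added to this file later without its own `permissions:` key will run with the repository's default GITHUB_TOKEN scopes, which can be read/write on every scope if the repository default is still permissive. Keeping `permissions: {}` (or `contents: read`) at the top of the workflow and overriding per job preserves the new per-job grants while making the default a deny. The same applies to the other files in this commit: catalog.yaml, clean.yaml, cross-repo.yaml, crowdin.yaml, ftest.yaml, lint.yaml, main.yaml, preview.yaml and promote.yaml. Where this file is invoked as a reusable workflow (main.yaml calls it with `contents: read`), the calling job's `permissions` cap whatever is declared here, so the two sides need to stay in step.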

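--- a/.github/workflows/catalog.yaml
+++ b/.github/workflows/catalog.yaml
@@ -25,17 +25,16 @@ on:
 release:
 types: [published]
 
-permissions:
-contents: write
-pull-requests: write
-
 env:
 ARTIFACT_ID: view-designer-catalog
 GROUP_ID: org.nuxeo.web.ui.studio
 
 jobs:
 catalog:
 runs-on: ubuntu-latest
+permissions:
+contents: write
+pull-requests: write
 if: |
 github.event_name != 'release' ||
 startsWith(github.event.release.tag_name, 'v3.1.')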

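--- a/.github/workflows/clean.yaml
+++ b/.github/workflows/clean.yaml
@@ -22,13 +22,12 @@ env:
 GKE_CLUSTER: jx-prod
 GKE_ZONE: us-east1-b
 
-permissions:
-contents: read
-
 jobs:
 id:
 name: Remote Caller ID ${{ github.event.inputs.caller_id }}
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - name: Show caller id
 run: echo "run identifier ${{ github.event.inputs.caller_id }}"
@@ -41,6 +40,8 @@ jobs:
 contains(github.event.pull_request.labels.*.name, 'preview') ||
 github.event_name == 'workflow_dispatch'
 runs-on: ubuntu-latest
+permissions:
+contents: read
 
 steps:
 - name: Prepare environment (pull_request)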
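Review bot: The `id` job now gets `permissions: contents: read`, but its only visible step echoes the `caller_id` input and needs no token at all; `permissions: {}` would state that explicitly and stop a token being minted for a job that never checks out code or calls the API. The `id` jobs in cross-repo.yaml and preview.yaml, and the result job in preview.yaml whose only step is `run: echo ${{ needs.preview.outputs.url }}`, look like the same case, although the cross-repo.yaml `id` job's steps are only partly visible in this page. The second job in this file starts before the hunk at line 40, so whether it has steps that actually use the token cannot be confirmed from here.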

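--- a/.github/workflows/cross-repo.yaml
+++ b/.github/workflows/cross-repo.yaml
@@ -46,9 +46,6 @@ on:
 type: string
 required: false
 
-permissions:
-contents: read
-
 env:
 REFERENCE_BRANCH: maintenance-3.1.x
 NPM_REPOSITORY: https://packages.nuxeo.com/repository/npm-public/
@@ -57,6 +54,8 @@ jobs:
 id:
 name: Remote Caller ID ${{ github.event.inputs.caller_id }}
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - env:
 CALLER_ID: ${{ github.event.inputs.caller_id }}
@@ -66,6 +65,8 @@ jobs:
 name: Build
 needs: id
 runs-on: ubuntu-latest
+permissions:
+contents: read
 
 steps:
 - uses: catchpoint/workflow-telemetry-action@v2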

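--- a/.github/workflows/crowdin.yaml
+++ b/.github/workflows/crowdin.yaml
@@ -15,10 +15,6 @@ on:
 # Manually trigger the workflow
 workflow_dispatch:
 
-permissions:
-contents: write
-pull-requests: write
-
 jobs:
 # in uses, cannot use environment variable for {owner}/{repo} nor matrix strategy variable for {ref}
 # thus hardcoding them
@@ -27,9 +23,15 @@ jobs:
 uses: nuxeo/nuxeo-web-ui/.github/workflows/crowdin.yaml@lts-2025
 secrets: inherit
 needs: crowdin
+permissions:
+contents: write
+pull-requests: write
 
 crowdin:
 runs-on: ubuntu-latest
+permissions:
+contents: write
+pull-requests: write
 
 steps:
 - name: Checkout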
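Review bot: The job that calls `nuxeo/nuxeo-web-ui/.github/workflows/crowdin.yaml@lts-2025` now grants `contents: write` and `pull-requests: write` next to the existing `secrets: inherit`, so that workflow receives both write scopes plus every repository secret; because the caller's grant is the ceiling for the called workflow, it is worth confirming that both scopes are actually needed there rather than copied from the local `crowdin` job. The reference is a branch name, so the code running under these grants can change without any change in this repository; pinning to a tag or commit SHA would tie the grant to a fixed workflow version. The job's definition starts before the hunk at line 23, so its `name`/`if` keys are not visible here.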

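--- a/.github/workflows/ftest.yaml
+++ b/.github/workflows/ftest.yaml
@@ -21,9 +21,6 @@ on:
 REPOSITORY_MANAGER_PASSWORD:
 required: true
 
-permissions:
-contents: read
-
 env:
 NPM_REPOSITORY: https://packages.nuxeo.com/repository/npm-public/
 NODE_OPTIONS: "--max-old-space-size=2048"
@@ -33,6 +30,8 @@ jobs:
 ftests:
 runs-on:
 group: medium-4cpu-runners
+permissions:
+contents: read
 
 steps:
 - name: Debug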

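--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -15,15 +15,14 @@ on:
 NPM_PACKAGES_TOKEN:
 required: true
 
-permissions:
-contents: read
-
 env:
 BRANCH_NAME: ${{ github.head_ref || inputs.branch || 'maintenance-3.1.x' }}
 
 jobs:
 lint:
 runs-on: ubuntu-latest
+permissions:
+contents: read
 
 steps:
 - uses: actions/checkout@v6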

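--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -6,17 +6,18 @@ on:
 - maintenance-3.1.x
 workflow_dispatch:
 
-permissions:
-contents: write
-
 jobs:
 lint:
 uses: ./.github/workflows/lint.yaml
+permissions:
+contents: read
 secrets:
 NPM_PACKAGES_TOKEN: ${{ secrets.NPM_PACKAGES_TOKEN }}
 
 test:
 uses: ./.github/workflows/test.yaml
+permissions:
+contents: read
 secrets:
 NPM_PACKAGES_TOKEN: ${{ secrets.NPM_PACKAGES_TOKEN }}
 SAUCE_ACCESS_KEY: ${{ secrets.SAUCE_ACCESS_KEY }}
@@ -25,6 +26,8 @@ jobs:
 
 a11y:
 uses: ./.github/workflows/a11y.yaml
+permissions:
+contents: read
 secrets:
 NPM_PACKAGES_TOKEN: ${{ secrets.NPM_PACKAGES_TOKEN }}
 REPOSITORY_MANAGER_USERNAME: ${{ secrets.REPOSITORY_MANAGER_USERNAME }}
@@ -34,6 +37,8 @@ jobs:
 
 sonar:
 uses: ./.github/workflows/sonar.yaml
+permissions:
+contents: read
 secrets:
 NPM_PACKAGES_TOKEN: ${{ secrets.NPM_PACKAGES_TOKEN }}
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -42,6 +47,8 @@ jobs:
 
 ftest:
 uses: ./.github/workflows/ftest.yaml
+permissions:
+contents: read
 secrets:
 NPM_PACKAGES_TOKEN: ${{ secrets.NPM_PACKAGES_TOKEN }}
 REPOSITORY_MANAGER_USERNAME: ${{ secrets.REPOSITORY_MANAGER_USERNAME }}
@@ -53,6 +60,8 @@ jobs:
 needs: [lint, test, a11y, ftest, sonar]
 runs-on:
 group: medium-4cpu-runners
+permissions:
+contents: write
 
 steps:
 - uses: catchpoint/workflow-telemetry-action@v2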
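Review bot: The reusable-workflow jobs `lint`, `test`, `a11y`, `sonar` and `ftest` are each granted `contents: read`, and that grant is the ceiling for the called workflow's own job-level `permissions`; test.yaml and sonar.yaml are among the 14 changed files but are not shown on this page, so it is worth confirming their jobs request nothing beyond `contents: read`, otherwise those jobs fail at startup with a permissions error rather than running with less. The final job keeps `contents: write` as the only write grant left in this file, which matches the intent of the commit; a one-line comment above that `permissions:` block naming the step that needs the write scope would let the next reviewer check it stays minimal without reading the whole job. That job's definition starts before the hunk at line 60, so its name and trigger condition are not visible here.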

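--- a/.github/workflows/preview.yaml
+++ b/.github/workflows/preview.yaml
@@ -24,14 +24,12 @@ env:
 GKE_CLUSTER: jx-prod
 GKE_ZONE: us-east1-b
 
-permissions:
-contents: read
-pull-requests: write
-
 jobs:
 id:
 name: Remote Caller ID ${{ github.event.inputs.caller_id }}
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - run: echo run identifier ${{ github.event.inputs.caller_id }}
 
@@ -45,6 +43,9 @@ jobs:
 contains(github.event.pull_request.labels.*.name, 'preview') ||
 github.event_name == 'workflow_dispatch'
 runs-on: ubuntu-latest
+permissions:
+contents: read
+pull-requests: write
 
 steps:
 - uses: actions/setup-node@v6
@@ -190,6 +191,8 @@ jobs:
 name: "Result: ${{ needs.preview.outputs.url }}"
 needs: preview
 runs-on: ubuntu-latest
+permissions:
+contents: read
 if: github.event_name == 'workflow_dispatch'
 steps:
 - run: echo ${{ needs.preview.outputs.url }}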

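--- a/.github/workflows/promote.yaml
+++ b/.github/workflows/promote.yaml
@@ -15,12 +15,11 @@ on:
 type: boolean
 required: false
 
-permissions:
-contents: write
-
 jobs:
 promote:
 runs-on: ubuntu-latest
+permissions:
+contents: write
 steps:
 - uses: actions/setup-node@v6
 with: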
