
Commit de467c4

committed
harden git workflows
1 parent 7f01855 commit de467c4

4 files changed

Lines changed: 26 additions & 0 deletions


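--- a/.github/workflows/code-scanning.yaml
+++ b/.github/workflows/code-scanning.yaml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v6
+with:
+persist-credentials: false
 
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v4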
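Review bot: The hunk adds `persist-credentials: false` to the checkout but no `permissions:` block, so the CodeQL job still runs with whatever token scope the workflow defaults to; the job header and any workflow-level `permissions:` sit before line 28, outside the hunk, so one may already exist. If it does not, this workflow deserves the same treatment the commit gives config-checks.yaml, with the extra scope the upload step needs, e.g. `permissions:` / `  contents: read` / `  security-events: write` at job level. The job's definition begins outside the hunk.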

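--- a/.github/workflows/config-checks.yaml
+++ b/.github/workflows/config-checks.yaml
@@ -18,13 +18,18 @@ on:
 workflow_call:
 workflow_dispatch:
 
+permissions:
+contents: read
+
 jobs:
 helm-lint:
 runs-on: ubuntu-latest
 timeout-minutes: 10
 steps:
 - name: Checkout code
 uses: actions/checkout@v6
+with:
+persist-credentials: false
 - name: Install Helm
 uses: azure/setup-helm@v5.0.0
 id: install
@@ -36,6 +41,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v6
+with:
+persist-credentials: false
 - name: Get Golang version
 id: vars
 run: |
@@ -53,6 +60,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v6
+with:
+persist-credentials: false
 - name: Get Golang version
 id: vars
 run: |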
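Review bot: The first hunk still references `azure/setup-helm@v5.0.0` and `actions/checkout@v6` by mutable tags, so a retagged release changes what this hardened workflow executes; the same holds for the `actions/checkout@v6` lines in code-scanning.yaml, golang-checks.yaml and image-builds.yaml. For a hardening commit the usual next step is to pin each third-party action to a full commit SHA and keep the tag in a trailing comment, `uses: azure/setup-helm@<commit-sha> # v5.0.0`, so that Dependabot can still track it. The workflow-level `permissions:` / `contents: read` added in this hunk is the right default, and the `run: |` bodies of the later hunks continue outside the view.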

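--- a/.github/workflows/golang-checks.yaml
+++ b/.github/workflows/golang-checks.yaml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 name: Checkout code
+with:
+persist-credentials: false
 - name: Get Golang version
 id: vars
 run: |
@@ -63,6 +65,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v6
+with:
+persist-credentials: false
 - name: Get Golang version
 id: vars
 run: |
@@ -89,4 +93,6 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 name: Checkout code
+with:
+persist-credentials: false
 - run: make docker-build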
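Review bot: None of the three hunks adds a `permissions:` block, unlike config-checks.yaml in the same commit, so these jobs (including the one running `make docker-build` in the last hunk) keep the default token scope unless a workflow-level block exists before line 28, which is outside the hunk. If none does, adding the same top-level `permissions:` / `  contents: read` here keeps the four workflows consistent and limits what a compromised step in a `run:` block could do with the token. The `run: |` bodies of the first two hunks continue outside the view.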

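--- a/.github/workflows/image-builds.yaml
+++ b/.github/workflows/image-builds.yaml
@@ -86,6 +86,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 name: Check out code
+with:
+persist-credentials: false
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v4
 with:
@@ -118,6 +120,8 @@ jobs:
 steps:
 - uses: actions/checkout@v6
 name: Check out code
+with:
+persist-credentials: false
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v4
 with:
@@ -143,9 +147,14 @@ jobs:
 needs: [variables, build-gpu-operator-arm64, build-gpu-operator-amd64]
 runs-on: ubuntu-latest
 timeout-minutes: 15
+permissions:
+contents: read
+packages: write
 steps:
 - uses: actions/checkout@v6
 name: Check out code
+with:
+persist-credentials: false
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v4
 with: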
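Review bot: Only the third hunk's job receives a job-level `permissions:` / `contents: read` / `packages: write` block, while the jobs in the first two hunks (old lines 86 and 118) also log in to GHCR via `docker/login-action@v4` and show no such block in the visible lines; their job headers are outside the hunks, so a block may exist there. If it does not, they presumably run with the default token scope, and the same explicit grant should be added so that every job that pushes images is limited to `packages: write`. Note that `persist-credentials: false` only affects the checkout's git config; the token handed to `docker/login-action` in the `with:` block that continues outside each hunk is unaffected by it, which is why the job-level `permissions:` matters.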
