diff --git a/.github/workflows/api-docs.yml b/.github/workflows/api-docs.yml index 2e5aaefa37..c03eeeb096 100644 --- a/.github/workflows/api-docs.yml +++ b/.github/workflows/api-docs.yml @@ -7,6 +7,13 @@ on: description: 'Version to generate docs for' required: true type: string + secrets: + NPM_TOKEN_ARTIFACTORY: + required: true + SAP_CLOUD_SDK_BOT_CLIENT_ID: + required: true + SAP_CLOUD_SDK_BOT_PRIVATE_KEY: + required: true workflow_dispatch: inputs: version: @@ -14,8 +21,12 @@ on: required: true type: string +permissions: {} + jobs: generate-and-push-docs: + permissions: + contents: read runs-on: ubuntu-latest steps: - uses: sap/cloud-sdk-js/.github/actions/setup@main diff --git a/.github/workflows/auto-dependabot-fix.yml b/.github/workflows/auto-dependabot-fix.yml index 64f17090b2..74e36b8b6c 100644 --- a/.github/workflows/auto-dependabot-fix.yml +++ b/.github/workflows/auto-dependabot-fix.yml @@ -3,8 +3,12 @@ name: auto-dependabot-fix on: pull_request_target: ~ +permissions: {} + jobs: building: + permissions: + contents: read if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name runs-on: ubuntu-latest steps: diff --git a/.github/workflows/auto-lint.yml b/.github/workflows/auto-lint.yml index f13b21179f..6a130b1b3d 100644 --- a/.github/workflows/auto-lint.yml +++ b/.github/workflows/auto-lint.yml @@ -3,8 +3,12 @@ name: auto-lint-fix on: pull_request: ~ +permissions: {} + jobs: linting: + permissions: + contents: read if: github.actor != 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name runs-on: ubuntu-latest steps: diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml index 60a62eff21..c850988aa0 100644 --- a/.github/workflows/blackduck.yml +++ b/.github/workflows/blackduck.yml 
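Review bot: The job-level `contents: read` added to generate-and-push-docs in api-docs.yml is left unexplained, and a reader who sees a job named "push docs" will expect a write grant. If the push goes through the SAP_CLOUD_SDK_BOT app token rather than GITHUB_TOKEN (the secrets declared in the first hunk suggest so, but the steps are outside the hunk), record that next to the grant: `# GITHUB_TOKEN stays read-only; the docs push uses the SAP_CLOUD_SDK_BOT app token`. The job's steps continue outside the hunk, so the claim should be checked against them before the comment goes in.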
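Review bot: The new `contents: read` in auto-dependabot-fix.yml only narrows GITHUB_TOKEN; under `pull_request_target` the job still runs with repository secrets available, so the same-repo and dependabot `if:` guard on the following context line remains the control that matters, and the `dangerous-triggers` ignore for this file is deliberately kept in .github/zizmor.yml at the end of this commit. That is worth stating above the permissions block so nobody later treats the trigger as made safe by the grant: `# GITHUB_TOKEN is read-only, but secrets are still exposed under pull_request_target; the if: guard below must stay`. Separately, if the steps (outside the hunk) push a fix commit with GITHUB_TOKEN, `contents: read` will make that push fail; the same applies to the linting job in auto-lint.yml, whose steps are likewise not shown. If both jobs push through a bot app token, read is the right grant.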
@@ -5,9 +5,13 @@ on: schedule: - cron: 0 23 * * * +permissions: {} + jobs: tests: runs-on: ubuntu-latest + permissions: + contents: read timeout-minutes: 15 steps: - uses: sap/cloud-sdk-js/.github/actions/setup@main diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e684aea425..b303b029f1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,12 +20,21 @@ on: type: boolean required: false default: false + secrets: + NPM_TOKEN_ARTIFACTORY: + required: false + SLACK_WEBHOOK: + required: false + +permissions: {} jobs: tests: if: inputs.canary-release-skip-checks == false runs-on: ubuntu-latest timeout-minutes: 15 + permissions: + contents: read strategy: fail-fast: false matrix: @@ -35,9 +44,7 @@ jobs: with: node-version: ${{ matrix.node-version }} registry-token: ${{ secrets.NPM_TOKEN_ARTIFACTORY }} - - env: - SANDBOX_TOKEN: ${{ secrets.API_HUB_SANDBOX_TOKEN }} - run: pnpm run test:unit + - run: pnpm run test:unit - run: pnpm run test:integration - run: pnpm run test:self - run: pnpm run test:build-packages @@ -58,6 +65,8 @@ jobs: checks: if: inputs.canary-release-skip-checks == false runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: sap/cloud-sdk-js/.github/actions/setup@main with: @@ -99,6 +108,8 @@ jobs: e2e-tests: if: inputs.canary-release-skip-checks == false runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: sap/cloud-sdk-js/.github/actions/setup@main with: @@ -133,6 +144,8 @@ jobs: canary-release-pre-check: if: inputs.is-workflow-call && inputs.canary-release-skip-checks == false runs-on: ubuntu-latest + permissions: + contents: read outputs: skip-release: ${{ steps.date-check.outputs.skip-release }} needs: [tests, checks, e2e-tests] @@ -167,6 +180,7 @@ jobs: runs-on: ubuntu-latest needs: [canary-release-pre-check] permissions: + contents: read id-token: write steps: - uses: sap/cloud-sdk-js/.github/actions/setup@main 
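Review bot: The added `permissions: {}` in build.yml is preceded by a blank line but runs straight into `jobs:`, whereas the other workflows in this commit keep the blank line after it; release.yml has the same layout. Emitting `permissions: {}` as its own stanza — an added blank line on each side, before `jobs:` — matches the rest of the change and keeps the top-level keys visually separated.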
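Review bot: The `SANDBOX_TOKEN` env removed from the unit-test step in build.yml is dropped without a replacement, so any unit test that still reads it now sees it unset; whether that silently skips or fails the test cannot be seen from here and should be confirmed against the test code. The `registry-token: ${{ secrets.NPM_TOKEN_ARTIFACTORY }}` context line above it references a secret that the first hunk declares `required: false`, so on a call that omits it the setup action receives an empty token — acceptable only if that action tolerates an empty value, which is not visible in this diff.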
@@ -189,6 +203,8 @@ jobs: if: startsWith(github.ref, 'refs/tags/v') runs-on: ubuntu-latest needs: [tests, checks] + permissions: + contents: write steps: - uses: sap/cloud-sdk-js/.github/actions/setup@main with: diff --git a/.github/workflows/bump.yml b/.github/workflows/bump.yml index a55c1db197..69c17e9b14 100644 --- a/.github/workflows/bump.yml +++ b/.github/workflows/bump.yml @@ -7,9 +7,13 @@ on: description: Mandatory, when bumping a major version. Semver compatible version string (X.Y.Z). Must not be set for patch and minor version releases. required: false +permissions: {} + jobs: bump: runs-on: ubuntu-latest + permissions: + contents: read outputs: version: ${{ steps.bump.outputs.version }} steps: @@ -56,7 +60,12 @@ jobs: generate-api-docs: name: Generate and Push API Documentation needs: [bump] + permissions: + contents: read uses: ./.github/workflows/api-docs.yml - secrets: inherit + secrets: + NPM_TOKEN_ARTIFACTORY: ${{ secrets.NPM_TOKEN_ARTIFACTORY }} + SAP_CLOUD_SDK_BOT_CLIENT_ID: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }} + SAP_CLOUD_SDK_BOT_PRIVATE_KEY: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }} with: version: v${{ needs.bump.outputs.version }} diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml index 0d20b7d889..83d82cdf71 100644 --- a/.github/workflows/check-pr.yml +++ b/.github/workflows/check-pr.yml @@ -7,9 +7,13 @@ on: - edited - synchronize +permissions: {} + jobs: check-pr: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c381d7bb14..08e87c7e81 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
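Review bot: The tag-gated job in build.yml gains `contents: write` with no indication of which step needs it; it is the broadest grant in the file and the job's steps lie outside the hunk. If it exists to create the GitHub release or push for the tagged ref, say so on the grant, e.g. `# contents: write — creates the GitHub release for the pushed tag` (adjusted to the actual step), so the next reviewer can check it against the steps instead of assuming.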
@@ -14,10 +14,15 @@ on: pull_request: ~ workflow_dispatch: +permissions: {} + jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + contents: read + security-events: write strategy: fail-fast: false diff --git a/.github/workflows/downloads.yml b/.github/workflows/downloads.yml index 6e3d26c300..1f4b52cb92 100644 --- a/.github/workflows/downloads.yml +++ b/.github/workflows/downloads.yml @@ -5,9 +5,13 @@ on: schedule: - cron: '0 0 * * 1' +permissions: {} + jobs: downloads: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: sap/cloud-sdk-js/.github/actions/setup@main with: diff --git a/.github/workflows/fosstars-report.yml b/.github/workflows/fosstars-report.yml index 7f04422173..a7a10dc2cf 100644 --- a/.github/workflows/fosstars-report.yml +++ b/.github/workflows/fosstars-report.yml @@ -4,6 +4,8 @@ on: schedule: - cron: '0 0 * * *' +permissions: {} + jobs: create_fosstars_report: runs-on: ubuntu-latest diff --git a/.github/workflows/memory-tests.yml b/.github/workflows/memory-tests.yml index deb3897e7b..c9119e7366 100644 --- a/.github/workflows/memory-tests.yml +++ b/.github/workflows/memory-tests.yml @@ -5,9 +5,13 @@ on: schedule: - cron: 0 21 * * * +permissions: {} + jobs: tests: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: sap/cloud-sdk-js/.github/actions/setup@main with: diff --git a/.github/workflows/release-entry.yml b/.github/workflows/release-entry.yml index 99db09398e..c68b08d537 100644 --- a/.github/workflows/release-entry.yml +++ b/.github/workflows/release-entry.yml 
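Review bot: fosstars-report.yml now has a top-level `permissions: {}` but, unlike every other workflow in this commit, create_fosstars_report gets no job-level `permissions:`, so the job runs with a GITHUB_TOKEN that carries no scopes at all. If the job checks out the repository or the action writes the report back (its steps are outside the hunk), it needs at least `contents: read` — or whatever it actually uses — declared on the job, i.e. `permissions:` followed by `contents: read` under `create_fosstars_report:`. If the job genuinely needs no token, a comment saying so would stop the next reader from treating the omission as an oversight.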
@@ -19,16 +19,30 @@ on: options: - 'With Tests and Checks' - 'Skip Tests and Checks (Force Release)' + +permissions: {} + jobs: delegate_to_release_job: if: ${{ github.event_name == 'release' }} + permissions: + contents: read + id-token: write uses: ./.github/workflows/release.yml - secrets: inherit + secrets: + SAP_CLOUD_SDK_BOT_CLIENT_ID: ${{ secrets.SAP_CLOUD_SDK_BOT_CLIENT_ID }} + SAP_CLOUD_SDK_BOT_PRIVATE_KEY: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }} delegate_to_canary_job: if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' }} + permissions: + contents: write + pull-requests: write + id-token: write uses: ./.github/workflows/build.yml - secrets: inherit + secrets: + NPM_TOKEN_ARTIFACTORY: ${{ secrets.NPM_TOKEN_ARTIFACTORY }} + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} with: canary-release-skip-checks: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.canary-release == 'Skip Tests and Checks (Force Release)' }} is-workflow-call: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 19fb3c88a2..e5be95cf89 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,6 +2,13 @@ name: release on: workflow_call: + secrets: + SAP_CLOUD_SDK_BOT_CLIENT_ID: + required: true + SAP_CLOUD_SDK_BOT_PRIVATE_KEY: + required: true + +permissions: {} jobs: stable-release: @@ -17,6 +24,8 @@ jobs: private-key: ${{ secrets.SAP_CLOUD_SDK_BOT_PRIVATE_KEY }} owner: SAP repositories: cloud-sdk + permission-contents: write + permission-pull-requests: write - uses: sap/cloud-sdk-js/.github/actions/setup@main with: ref: 'main' diff --git a/.github/workflows/tests-windows.yml b/.github/workflows/tests-windows.yml index d4c2f9e3c1..1506063913 100644 --- a/.github/workflows/tests-windows.yml +++ b/.github/workflows/tests-windows.yml 
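Review bot: `delegate_to_canary_job` in release-entry.yml grants `pull-requests: write` to the build.yml call, yet no job in the build.yml hunks of this commit asks for more than `contents: write` and `id-token: write`; a caller's `permissions` is the ceiling for the called workflow's jobs, so this grant is either unused or serves a job not shown here. If nothing in build.yml opens or comments on pull requests, drop the line; if something does, tie the grant to its consumer with a comment such as `# pull-requests: write for <job>`. The same ceiling logic applies to `delegate_to_release_job`, whose `id-token: write` is presumably consumed by a release.yml job outside the visible hunks.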
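Review bot: The two `permission-*` inputs added in release.yml scope the app installation token to the `SAP/cloud-sdk` repository with write on contents and pull requests, but nothing records why a release of this repository needs to write to that other one. The step begins outside the hunk, so a comment on the inputs, e.g. `# write on SAP/cloud-sdk: the release opens a docs PR there` (adjusted to the actual use), keeps the grant reviewable. Enumerating the permissions explicitly rather than taking the app's full installation scope is the right direction.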
@@ -7,10 +7,14 @@ on: - 'docs/**' workflow_dispatch: +permissions: {} + jobs: tests: runs-on: windows-latest timeout-minutes: 30 + permissions: + contents: read steps: - uses: sap/cloud-sdk-js/.github/actions/setup@main with: diff --git a/.github/workflows/typedoc.yml b/.github/workflows/typedoc.yml index 071649a31c..3970b80c43 100644 --- a/.github/workflows/typedoc.yml +++ b/.github/workflows/typedoc.yml @@ -8,9 +8,13 @@ on: paths-ignore: - 'docs/**' +permissions: {} + jobs: tests: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: sap/cloud-sdk-js/.github/actions/setup@main with: diff --git a/.github/zizmor.yml b/.github/zizmor.yml index a089f8ca20..cfd6d86871 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -3,14 +3,6 @@ rules: dependabot-cooldown: config: days: 4 - # requires more effort to fix - secrets-inherit: - ignore: - - bump.yml - - release-entry.yml - # requires more effort to fix - excessive-permissions: - disable: true dangerous-triggers: ignore: - auto-dependabot-fix.yml