
Commit 2f7257c

authored
Address Scorecard Token-Permissions and Pinned-Dependencies (#252)
On-behalf-of: @SAP marko.mudrinic@sap.com Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
1 parent 66f825e commit 2f7257c

4 files changed

Lines changed: 27 additions & 23 deletions


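--- a/.github/workflows/auto-labeler.yml
+++ b/.github/workflows/auto-labeler.yml
@@ -8,10 +8,11 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
-  issues: write
 
 jobs:
   auto-labeler:
     if: github.event.pull_request.head.repo.full_name == github.repository
-    uses: platform-mesh/.github/.github/workflows/job-auto-labeler.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-auto-labeler.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
+    permissions:
+      pull-requests: write
+      issues: write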
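Review bot: The reusable-workflow reference is pinned to a bare commit SHA with no comment recording which tag or branch it was taken from; the same applies to every `uses:` line in ci.yml, ossf-scorecard.yml and release.yml. A trailing comment such as `uses: platform-mesh/.github/.github/workflows/job-auto-labeler.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0 # main` keeps the pin reviewable and lets dependency-update tooling propose bumps against a known ref. Pinning the caller only fixes which revision of the reusable workflow runs; any actions that workflow itself references are pinned, or not, in the platform-mesh/.github repository, so this repo's Pinned-Dependencies result does not vouch for them. Moving `pull-requests: write` and `issues: write` to the job is the right shape, since a job-level block replaces the workflow-level grant rather than adding to it.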
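--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,18 +15,18 @@ concurrency:
 
 jobs:
   lint:
-    uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
     with:
       useTask: true
 
   test:
-    uses: platform-mesh/.github/.github/workflows/job-golang-test-source.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-golang-test-source.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
     with:
       useTask: true
       useLocalCoverageConfig: true
 
   docker-build:
-    uses: platform-mesh/.github/.github/workflows/job-docker-build.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-docker-build.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
     with:
       imageTagName: ghcr.io/platform-mesh/account-operator
 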
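Review bot: None of the three jobs in this hunk declares a job-level `permissions` block, so each runs with whatever the workflow-level block grants; that block sits above line 15, outside the hunk, so its scope cannot be confirmed from here. For parity with release.yml and ossf-scorecard.yml in this same commit, and so the Token-Permissions check has an explicit per-job answer, consider adding `permissions:` with `contents: read` to `lint`, `test` and `docker-build`, which from their names appear to build and test without pushing anything. If the workflow-level block is already `contents: read` this changes nothing at runtime, but it documents the intended ceiling for each reusable workflow.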
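--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -10,9 +10,7 @@ permissions: read-all
 
 jobs:
   scorecard:
-    uses: platform-mesh/.github/.github/workflows/job-ossf-scorecard.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-ossf-scorecard.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
     permissions:
       security-events: write
       id-token: write
-      contents: read
-      actions: read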
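--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,46 +6,47 @@ on:
       - main
 
 permissions:
-  contents: write
-  id-token: write
-  issues: write
-  packages: write
-  pull-requests: write
-  attestations: write
+  contents: read
 
 concurrency:
   group: release-${{ github.ref }}
   cancel-in-progress: false
 
 jobs:
   lint:
-    uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
     with:
       useTask: true
 
   test:
-    uses: platform-mesh/.github/.github/workflows/job-golang-test-source.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-golang-test-source.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
     secrets: inherit
     with:
       useTask: true
       useLocalCoverageConfig: true
 
   create-version:
-    uses: platform-mesh/.github/.github/workflows/job-create-version.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-create-version.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
     secrets: inherit
+    permissions:
+      contents: write
 
   docker-build-push:
     needs: [create-version, lint, test]
-    uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
+    secrets: inherit
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
     with:
       imageTagName: ghcr.io/platform-mesh/account-operator
       version: ${{ needs.create-version.outputs.version }}
       multiarch: true
-    secrets: inherit
 
   update-version:
     needs: [create-version, docker-build-push]
-    uses: platform-mesh/.github/.github/workflows/job-chart-version-update.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-chart-version-update.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
     secrets: inherit
     with:
       appVersion: ${{ needs.create-version.outputs.version }}
@@ -54,14 +55,18 @@ jobs:
 
   sbom:
     needs: [create-version, docker-build-push]
-    uses: platform-mesh/.github/.github/workflows/job-sbom.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-sbom.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
+    permissions:
+      packages: read
     with:
       imageReference: ghcr.io/platform-mesh/account-operator:${{ needs.create-version.outputs.version }}
 
   image-ocm:
     needs: [create-version, docker-build-push, sbom]
-    uses: platform-mesh/.github/.github/workflows/job-image-ocm.yml@main
+    uses: platform-mesh/.github/.github/workflows/job-image-ocm.yml@9ddacafbe3260312cb1cc3f9974ad2fece8effe0
     secrets: inherit
+    permissions:
+      packages: write
     with:
       imageReference: ghcr.io/platform-mesh/account-operator:${{ needs.create-version.outputs.version }}
       appVersion: ${{ needs.create-version.outputs.version }}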
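Review bot: `attestations: write` is removed from the workflow-level block and not re-granted at any job, so if `job-docker-build-push` or `job-image-ocm` produces build-provenance attestations with the GITHUB_TOKEN, as the previous grant suggests one of them may, that step will now fail with a permissions error; confirm against the reusable workflows at the pinned SHA and, if needed, add `attestations: write` next to `id-token: write` under `docker-build-push`. The same check applies to the dropped `issues: write` and `pull-requests: write`: `create-version` now gets only `contents: write`, which is not enough if the called workflow comments on issues or pull requests as part of cutting a release. `update-version` is the one job in this file left without a `permissions` block, so it falls back to the new top-level `contents: read`; if `job-chart-version-update` pushes a commit or opens a PR with the GITHUB_TOKEN rather than with a secret passed through `secrets: inherit`, it needs `contents: write` (and `pull-requests: write`) declared explicitly here. A called workflow can only narrow what the caller's job block grants, so these blocks are the ceiling to verify against each callee's own `permissions`.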