Skip to content

Commit 0b4fce5

Browse files
committed
Update Pull Request workflow job permissions
Adds the `packages:write` permission to the Build Kayobe Image job in the workflow (required for `docker/build-push-action`) and ensures all other jobs don't have this permission.
1 parent 4f31e72 commit 0b4fce5

1 file changed

Lines changed: 11 additions & 0 deletions

File tree

.github/workflows/stackhpc-pull-request.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,7 @@ jobs:
1616
runs-on: ubuntu-22.04
1717
permissions:
1818
pull-requests: read
19+
packages: none
1920
name: Check changed files
2021
if: github.repository == 'stackhpc/stackhpc-kayobe-config'
2122
needs:
@@ -111,6 +112,9 @@ jobs:
111112

112113
build-kayobe-image:
113114
name: Build Kayobe Image
115+
permissions:
116+
contents: read
117+
packages: write # required by docker/build-push-action
114118
needs:
115119
- check-changes
116120
uses: ./.github/workflows/stackhpc-build-kayobe-image.yml
@@ -120,6 +124,7 @@ jobs:
120124

121125
check-tags:
122126
name: Check container image tags
127+
permissions: {}
123128
needs:
124129
- check-changes
125130
- build-kayobe-image
@@ -149,6 +154,7 @@ jobs:
149154

150155
all-in-one-ubuntu-noble-ovn:
151156
name: aio (Ubuntu Noble OVN)
157+
permissions: {}
152158
needs:
153159
- check-changes
154160
- build-kayobe-image
@@ -166,6 +172,7 @@ jobs:
166172

167173
all-in-one-rocky-9-ovs:
168174
name: aio (Rocky 9 OVS)
175+
permissions: {}
169176
needs:
170177
- check-changes
171178
- build-kayobe-image
@@ -183,6 +190,7 @@ jobs:
183190

184191
all-in-one-rocky-9-ovn:
185192
name: aio (Rocky 9 OVN)
193+
permissions: {}
186194
needs:
187195
- check-changes
188196
- build-kayobe-image
@@ -202,6 +210,7 @@ jobs:
202210

203211
all-in-one-upgrade-ubuntu-jammy-ovn:
204212
name: aio upgrade (Ubuntu Jammy OVN)
213+
permissions: {}
205214
needs:
206215
- check-changes
207216
- build-kayobe-image
@@ -220,6 +229,7 @@ jobs:
220229

221230
all-in-one-upgrade-rocky-9-ovn:
222231
name: aio upgrade (Rocky 9 OVN)
232+
permissions: {}
223233
needs:
224234
- check-changes
225235
- build-kayobe-image
@@ -238,6 +248,7 @@ jobs:
238248

239249
all-in-one-upgrade-rocky-9-ovs:
240250
name: aio upgrade (Rocky 9 OVS)
251+
permissions: {}
241252
needs:
242253
- check-changes
243254
- build-kayobe-image

0 commit comments

Comments
 (0)