From b34b2c8e266b1474a7e70a029ab28f4939193519 Mon Sep 17 00:00:00 2001 From: TianlongLiang <111852609+TianlongLiang@users.noreply.github.com> Date: Tue, 22 Oct 2024 09:13:55 +0800 Subject: [PATCH] Add token permissions for CIs to fix issues reported by scorecard (#3867) --- .github/workflows/build_docker_images.yml | 5 ++ .github/workflows/build_iwasm_release.yml | 6 +++ .github/workflows/build_llvm_libraries.yml | 6 +++ .github/workflows/build_wamr_lldb.yml | 8 +++ .github/workflows/build_wamr_sdk.yml | 6 +++ .github/workflows/build_wamr_vscode_ext.yml | 6 +++ .github/workflows/build_wamrc.yml | 6 +++ .github/workflows/codeql.yml | 12 +++-- .github/workflows/coding_guidelines.yml | 3 ++ .../compilation_on_android_ubuntu.yml | 6 +++ .github/workflows/compilation_on_macos.yml | 9 ++++ .github/workflows/compilation_on_nuttx.yml | 3 ++ .github/workflows/compilation_on_sgx.yml | 6 +++ .github/workflows/compilation_on_windows.yml | 3 ++ .github/workflows/create_tag.yml | 5 ++ .github/workflows/hadolint_dockerfiles.yml | 3 ++ .github/workflows/nightly_run.yml | 9 ++++ .github/workflows/release_process.yml | 51 +++++++++++++++++++ .../reuse_latest_release_binaries.yml | 6 +++ .github/workflows/spec_test_on_nuttx.yml | 9 ++++ 20 files changed, 164 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_docker_images.yml b/.github/workflows/build_docker_images.yml index d5bf682c4e..f7643af3fd 100644 --- a/.github/workflows/build_docker_images.yml +++ b/.github/workflows/build_docker_images.yml @@ -15,9 +15,14 @@ on: type: string required: true +permissions: + contents: read + jobs: build-and-push-images: runs-on: ubuntu-22.04 + permissions: + contents: write # for uploading release artifacts steps: - name: Checkout repository diff --git a/.github/workflows/build_iwasm_release.yml b/.github/workflows/build_iwasm_release.yml index c0a6f68bde..74c2340af9 100644 --- a/.github/workflows/build_iwasm_release.yml +++ b/.github/workflows/build_iwasm_release.yml 
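Review bot: The job-level `contents: write` on build-and-push-images applies to every step of that job, not only the step that uploads the release artifact, so the checkout and the image build also run with a token that can write to the repository. If least privilege is the goal of this change, moving the upload into its own job that `needs:` the build job (handing the output over with actions/upload-artifact) would keep the build steps on the read-only top-level token; the same job-wide grant is added in build_iwasm_release.yml, build_wamr_sdk.yml, build_wamr_vscode_ext.yml, build_wamrc.yml, build_wamr_lldb.yml and reuse_latest_release_binaries.yml. The job's steps continue outside the hunk, so I cannot see which step actually performs the upload.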
@@ -87,6 +87,9 @@ env: -DWAMR_BUILD_EXCE_HANDLING=1 \ -DWAMR_BUILD_GC=1" +permissions: + contents: read + jobs: build: runs-on: ${{ inputs.runner }} @@ -97,6 +100,9 @@ jobs: suffix: '' - build_options: $GC_EH_BUILD_OPTIONS suffix: '-gc-eh' + permissions: + contents: write # for uploading release artifacts + steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/build_llvm_libraries.yml b/.github/workflows/build_llvm_libraries.yml index 80a2bf672b..bdfd4fcb2c 100644 --- a/.github/workflows/build_llvm_libraries.yml +++ b/.github/workflows/build_llvm_libraries.yml @@ -27,6 +27,9 @@ on: description: "A cached key of LLVM libraries" value: ${{ jobs.build_llvm_libraries.outputs.key}} +permissions: + contents: read + jobs: build_llvm_libraries: runs-on: ${{ inputs.os }} @@ -36,6 +39,9 @@ jobs: image: ${{ inputs.container_image }} outputs: key: ${{ steps.create_lib_cache_key.outputs.key}} + permissions: + contents: read + actions: write # for uploading cached artifact steps: - name: checkout diff --git a/.github/workflows/build_wamr_lldb.yml b/.github/workflows/build_wamr_lldb.yml index 03474c53e1..b5cf53a4ce 100644 --- a/.github/workflows/build_wamr_lldb.yml +++ b/.github/workflows/build_wamr_lldb.yml @@ -28,8 +28,13 @@ on: required: false default: "https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-20/wasi-sdk-20.0-linux.tar.gz" +permissions: + contents: read + jobs: try_reuse: + permissions: + contents: write # for uploading release artifacts uses: ./.github/workflows/reuse_latest_release_binaries.yml with: binary_name_stem: "wamr-lldb-${{ inputs.ver_num }}-${{ inputs.arch }}-${{ inputs.runner }}" 
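Review bot: The `actions: write` added to the build_llvm_libraries job in build_llvm_libraries.yml is commented as being for uploading the cached artifact, but actions/cache saves and restores through the runner's cache-service token rather than GITHUB_TOKEN, so as far as I can tell this scope is only needed if a step calls the Actions REST API directly (for example to delete a cache); the job's steps are outside the hunk, so please confirm which step needs it. If none does, `actions: read` or dropping the key is the least-privilege choice, and the caller jobs that mirror the grant in compilation_on_android_ubuntu.yml, compilation_on_macos.yml, compilation_on_sgx.yml, nightly_run.yml, release_process.yml and spec_test_on_nuttx.yml could shrink to match. Either way the comment should name the call that requires write access, e.g. `actions: write # needed by <step name> to call the Actions cache API`, so the next audit can verify it.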
@@ -46,6 +51,9 @@ jobs: PYTHON_VERSION: '3.10' PYTHON_UBUNTU_STANDALONE_BUILD: https://github.com/indygreg/python-build-standalone/releases/download/20230507/cpython-3.10.11+20230507-x86_64-unknown-linux-gnu-install_only.tar.gz PYTHON_MACOS_STANDALONE_BUILD: https://github.com/indygreg/python-build-standalone/releases/download/20230507/cpython-3.10.11+20230507-x86_64-apple-darwin-install_only.tar.gz + permissions: + contents: write # for uploading release artifacts + steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/build_wamr_sdk.yml b/.github/workflows/build_wamr_sdk.yml index 519bf96367..266c3a6466 100644 --- a/.github/workflows/build_wamr_sdk.yml +++ b/.github/workflows/build_wamr_sdk.yml @@ -35,9 +35,15 @@ on: type: string required: true +permissions: + contents: read + jobs: build: runs-on: ${{ inputs.runner }} + permissions: + contents: write # for uploading release artifacts + steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/build_wamr_vscode_ext.yml b/.github/workflows/build_wamr_vscode_ext.yml index 756215e600..d0fa3b18ee 100644 --- a/.github/workflows/build_wamr_vscode_ext.yml +++ b/.github/workflows/build_wamr_vscode_ext.yml @@ -14,9 +14,15 @@ on: type: string required: true +permissions: + contents: read + jobs: build: runs-on: ubuntu-22.04 + permissions: + contents: write # for uploading release artifacts + steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/build_wamrc.yml b/.github/workflows/build_wamrc.yml index e88a04a9ea..6b687c749d 100644 --- a/.github/workflows/build_wamrc.yml +++ b/.github/workflows/build_wamrc.yml @@ -31,9 +31,15 @@ on: type: string required: false +permissions: + contents: read + jobs: build: runs-on: ${{ inputs.runner }} + permissions: + contents: write # for uploading release artifacts + steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 965a27aa65..ada492a88c 100644 --- a/.github/workflows/codeql.yml 
+++ b/.github/workflows/codeql.yml @@ -19,6 +19,9 @@ on: # allow to be triggered manually workflow_dispatch: +permissions: + contents: read + jobs: analyze: if: github.repository == 'bytecodealliance/wasm-micro-runtime' @@ -30,10 +33,6 @@ jobs: # Consider using larger runners for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-13') || 'ubuntu-22.04' }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} - permissions: - actions: read - contents: read - security-events: write strategy: fail-fast: false @@ -41,6 +40,11 @@ jobs: language: [ 'cpp' ] # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + permissions: + contents: read + actions: read + security-events: write + steps: - name: Checkout repository uses: actions/checkout@v3 diff --git a/.github/workflows/coding_guidelines.yml b/.github/workflows/coding_guidelines.yml index b0aa0a2b86..5692377782 100644 --- a/.github/workflows/coding_guidelines.yml +++ b/.github/workflows/coding_guidelines.yml @@ -14,6 +14,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: compliance_job: runs-on: ubuntu-20.04 diff --git a/.github/workflows/compilation_on_android_ubuntu.yml b/.github/workflows/compilation_on_android_ubuntu.yml index 6be445944f..8ba6e0e809 100644 --- a/.github/workflows/compilation_on_android_ubuntu.yml +++ b/.github/workflows/compilation_on_android_ubuntu.yml @@ -70,8 +70,14 @@ env: MEMORY64_TEST_OPTIONS: "-s spec -W -b -P" MULTI_MEMORY_TEST_OPTIONS: "-s spec -E -b -P" +permissions: + contents: read + jobs: build_llvm_libraries_on_ubuntu_2204: + permissions: + contents: read + actions: write uses: ./.github/workflows/build_llvm_libraries.yml with: os: "ubuntu-22.04" diff --git a/.github/workflows/compilation_on_macos.yml b/.github/workflows/compilation_on_macos.yml index 5b1edac85b..66938905cc 100644 
--- a/.github/workflows/compilation_on_macos.yml +++ b/.github/workflows/compilation_on_macos.yml @@ -52,13 +52,22 @@ env: LLVM_LAZY_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=1" LLVM_EAGER_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0" +permissions: + contents: read + jobs: build_llvm_libraries_on_intel_macos: + permissions: + contents: read + actions: write uses: ./.github/workflows/build_llvm_libraries.yml with: os: "macos-13" arch: "X86" build_llvm_libraries_on_arm_macos: + permissions: + contents: read + actions: write uses: ./.github/workflows/build_llvm_libraries.yml with: os: "macos-14" diff --git a/.github/workflows/compilation_on_nuttx.yml b/.github/workflows/compilation_on_nuttx.yml index e10784fe23..ef0799b42b 100644 --- a/.github/workflows/compilation_on_nuttx.yml +++ b/.github/workflows/compilation_on_nuttx.yml @@ -46,6 +46,9 @@ concurrency: env: WASI_SDK_PATH: "/opt/wasi-sdk" +permissions: + contents: read + jobs: build_iwasm_on_nuttx: runs-on: ubuntu-latest diff --git a/.github/workflows/compilation_on_sgx.yml b/.github/workflows/compilation_on_sgx.yml index b7bc216eb5..70597c366a 100644 --- a/.github/workflows/compilation_on_sgx.yml +++ b/.github/workflows/compilation_on_sgx.yml @@ -54,8 +54,14 @@ env: LLVM_LAZY_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=1" LLVM_EAGER_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0" +permissions: + contents: read + jobs: build_llvm_libraries: + permissions: + contents: read + actions: write uses: ./.github/workflows/build_llvm_libraries.yml with: os: "ubuntu-20.04" 
diff --git a/.github/workflows/compilation_on_windows.yml b/.github/workflows/compilation_on_windows.yml index 8c5db4fdf1..369980ba94 100644 --- a/.github/workflows/compilation_on_windows.yml +++ b/.github/workflows/compilation_on_windows.yml @@ -53,6 +53,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build: runs-on: windows-latest diff --git a/.github/workflows/create_tag.yml b/.github/workflows/create_tag.yml index 5480592a93..7a90ea5f74 100644 --- a/.github/workflows/create_tag.yml +++ b/.github/workflows/create_tag.yml @@ -15,6 +15,9 @@ on: description: "the new tag just created" value: ${{ jobs.create_tag.outputs.new_tag}} +permissions: + contents: read + jobs: create_tag: runs-on: ubuntu-latest @@ -22,6 +25,8 @@ jobs: minor_version: ${{ steps.preparation.outputs.minor_version }} new_ver: ${{ steps.preparation.outputs.new_ver }} new_tag: ${{ steps.preparation.outputs.new_tag }} + permissions: + contents: write # create and push tags steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/hadolint_dockerfiles.yml b/.github/workflows/hadolint_dockerfiles.yml index c540649c89..f9d8c38934 100644 --- a/.github/workflows/hadolint_dockerfiles.yml +++ b/.github/workflows/hadolint_dockerfiles.yml @@ -28,6 +28,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: run-hadolint-on-dockerfiles: runs-on: ubuntu-22.04 diff --git a/.github/workflows/nightly_run.yml b/.github/workflows/nightly_run.yml index 5149c830fa..5e9b4a4f29 100644 --- a/.github/workflows/nightly_run.yml +++ b/.github/workflows/nightly_run.yml 
@@ -44,13 +44,22 @@ env: X86_32_TARGET_TEST_OPTIONS: "-m x86_32 -P" WASI_TEST_OPTIONS: "-s wasi_certification -w" +permissions: + contents: read + jobs: build_llvm_libraries_on_ubuntu_2004: + permissions: + contents: read + actions: write uses: ./.github/workflows/build_llvm_libraries.yml with: os: "ubuntu-20.04" arch: "X86" build_llvm_libraries_on_ubuntu_2204: + permissions: + contents: read + actions: write uses: ./.github/workflows/build_llvm_libraries.yml with: os: "ubuntu-22.04" diff --git a/.github/workflows/release_process.yml b/.github/workflows/release_process.yml index b9d27d07a3..031d578841 100644 --- a/.github/workflows/release_process.yml +++ b/.github/workflows/release_process.yml @@ -18,11 +18,18 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: create_tag: + permissions: + contents: write # create and push tags uses: ./.github/workflows/create_tag.yml create_release: + permissions: + contents: write # create release needs: [create_tag] runs-on: ubuntu-latest outputs: @@ -52,6 +59,9 @@ jobs: # # LLVM_LIBRARIES build_llvm_libraries_on_ubuntu_2004: + permissions: + contents: read + actions: write needs: [create_tag, create_release] uses: ./.github/workflows/build_llvm_libraries.yml with: @@ -59,6 +69,9 @@ jobs: arch: "AArch64 ARM Mips RISCV X86" build_llvm_libraries_on_ubuntu_2204: + permissions: + contents: read + actions: write needs: [create_tag, create_release] uses: ./.github/workflows/build_llvm_libraries.yml with: @@ -66,6 +79,9 @@ jobs: arch: "AArch64 ARM Mips RISCV X86" build_llvm_libraries_on_macos: + permissions: + contents: read + actions: write needs: [create_tag, create_release] uses: ./.github/workflows/build_llvm_libraries.yml with: 
@@ -73,6 +89,9 @@ jobs: arch: "AArch64 ARM Mips RISCV X86" build_llvm_libraries_on_windows: + permissions: + contents: read + actions: write needs: [create_tag, create_release] uses: ./.github/workflows/build_llvm_libraries.yml with: @@ -82,6 +101,8 @@ jobs: # # WAMRC release_wamrc_on_ubuntu_2004: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release, build_llvm_libraries_on_ubuntu_2004] uses: ./.github/workflows/build_wamrc.yml with: @@ -92,6 +113,8 @@ jobs: ver_num: ${{ needs.create_tag.outputs.new_ver}} release_wamrc_on_ubuntu_2204: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release, build_llvm_libraries_on_ubuntu_2204 ] uses: ./.github/workflows/build_wamrc.yml with: @@ -102,6 +125,8 @@ jobs: ver_num: ${{ needs.create_tag.outputs.new_ver }} release_wamrc_on_ubuntu_macos: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release, build_llvm_libraries_on_macos] uses: ./.github/workflows/build_wamrc.yml with: @@ -112,6 +137,8 @@ jobs: ver_num: ${{ needs.create_tag.outputs.new_ver }} release_wamrc_on_windows: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release, build_llvm_libraries_on_windows] uses: ./.github/workflows/build_wamrc.yml with: @@ -124,6 +151,8 @@ jobs: # # IWASM release_iwasm_on_ubuntu_2004: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release, build_llvm_libraries_on_ubuntu_2004] uses: ./.github/workflows/build_iwasm_release.yml with: @@ -134,6 +163,8 @@ jobs: ver_num: ${{ needs.create_tag.outputs.new_ver}} release_iwasm_on_ubuntu_2204: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release, build_llvm_libraries_on_ubuntu_2204] uses: ./.github/workflows/build_iwasm_release.yml with: 
@@ -144,6 +175,8 @@ jobs: ver_num: ${{ needs.create_tag.outputs.new_ver}} release_iwasm_on_macos: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release, build_llvm_libraries_on_macos] uses: ./.github/workflows/build_iwasm_release.yml with: @@ -154,6 +187,8 @@ jobs: ver_num: ${{ needs.create_tag.outputs.new_ver}} release_iwasm_on_windows: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release, build_llvm_libraries_on_windows] uses: ./.github/workflows/build_iwasm_release.yml with: @@ -166,6 +201,8 @@ jobs: # # WAMR_SDK release_wamr_sdk_on_ubuntu_2004: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release] uses: ./.github/workflows/build_wamr_sdk.yml with: @@ -177,6 +214,8 @@ jobs: wamr_app_framework_url: https://github.com/bytecodealliance/wamr-app-framework.git release_wamr_sdk_on_ubuntu_2204: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release] uses: ./.github/workflows/build_wamr_sdk.yml with: @@ -188,6 +227,8 @@ jobs: wamr_app_framework_url: https://github.com/bytecodealliance/wamr-app-framework.git release_wamr_sdk_on_macos: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release] uses: ./.github/workflows/build_wamr_sdk.yml with: @@ -201,6 +242,8 @@ jobs: # # vscode extension cross-platform release_wamr_ide_vscode_ext: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release] uses: ./.github/workflows/build_wamr_vscode_ext.yml secrets: inherit @@ -211,6 +254,8 @@ jobs: # # vscode extension docker images package release_wamr_ide_docker_images_package: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release] uses: ./.github/workflows/build_docker_images.yml with: 
@@ -220,6 +265,8 @@ jobs: # # WAMR_LLDB release_wamr_lldb_on_ubuntu_2004: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release] uses: ./.github/workflows/build_wamr_lldb.yml with: @@ -228,6 +275,8 @@ jobs: ver_num: ${{ needs.create_tag.outputs.new_ver}} release_wamr_lldb_on_ubuntu_2204: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release] uses: ./.github/workflows/build_wamr_lldb.yml with: @@ -236,6 +285,8 @@ jobs: ver_num: ${{ needs.create_tag.outputs.new_ver}} release_wamr_lldb_on_macos_universal: + permissions: + contents: write # upload release artifact needs: [create_tag, create_release] uses: ./.github/workflows/build_wamr_lldb.yml with: diff --git a/.github/workflows/reuse_latest_release_binaries.yml b/.github/workflows/reuse_latest_release_binaries.yml index c9832cec95..77fe7329f5 100644 --- a/.github/workflows/reuse_latest_release_binaries.yml +++ b/.github/workflows/reuse_latest_release_binaries.yml @@ -22,11 +22,17 @@ on: result: value: ${{ jobs.build.outputs.result }} +permissions: + contents: read + jobs: reuse: runs-on: ubuntu-latest outputs: result: ${{ steps.try_reuse.outputs.result }} + permissions: + contents: write # for creating realease and uploading release artifacts + steps: - uses: actions/checkout@v4 # Full git history is needed to get a proper list of commits and tags diff --git a/.github/workflows/spec_test_on_nuttx.yml b/.github/workflows/spec_test_on_nuttx.yml index 3b63deac81..31427d43fc 100644 --- a/.github/workflows/spec_test_on_nuttx.yml +++ b/.github/workflows/spec_test_on_nuttx.yml @@ -29,8 +29,14 @@ env: LLVM_CACHE_SUFFIX: "build-llvm_libraries_ex" WASI_SDK_PATH: "/opt/wasi-sdk" +permissions: + contents: read + jobs: build_llvm_libraries: + permissions: + contents: read + actions: write uses: ./.github/workflows/build_llvm_libraries.yml with: os: "ubuntu-22.04" 
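Review bot: The added comment on the reuse job's write grant in reuse_latest_release_binaries.yml misspells "release"; it should read `contents: write # for creating release and uploading release artifacts`. This line is the only documentation of why the job needs write access to the repository, so keeping it accurate matters for anyone auditing token scopes later. The job's steps, including whichever step the comment refers to, continue outside the hunk.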
@@ -38,6 +44,9 @@ jobs: container_image: ghcr.io/no1wudi/nuttx/apache-nuttx-ci-linux@sha256:8c4e00b607d4d6d66ba8f51c4544819a616eac69d3a2ac669e2af2150e2eb0f9 build_llvm_libraries_xtensa: + permissions: + contents: read + actions: write uses: ./.github/workflows/build_llvm_libraries.yml with: os: "ubuntu-22.04"