Skip to content

Commit

Permalink
common: harden GitHub Actions
Browse files Browse the repository at this point in the history
  • Loading branch information
osalyk committed Sep 20, 2024
1 parent 9ef3c3e commit 63e8359
Show file tree
Hide file tree
Showing 17 changed files with 52 additions and 9 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/docker_rebuild.yml
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,9 @@ env:
WORKDIR: utils/docker
PUSH_IMAGE: 1

permissions:
contents: read

jobs:
image:
if: github.repository == 'pmem/pmdk'
Expand Down
5 changes: 4 additions & 1 deletion .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,12 +5,15 @@ on:
workflow_dispatch:
pull_request:

permissions:
contents: read

jobs:
src_checkers:
name: Source checkers
runs-on: ubuntu-latest
permissions:
issues: read
issues: read
steps:
- name: Clone the git repo
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/nightly.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@ env:
PMDK_CXX: g++
SRC_CHECKERS: 0

permissions:
contents: read

jobs:
in-tree:
name: In-tree
Expand Down
6 changes: 2 additions & 4 deletions .github/workflows/pmem_benchmark.yml
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,13 @@ on:
type: string
default: master

permissions:
contents: read

jobs:
prep_runtime:
name: Prepare runtime
runs-on: [self-hosted, benchmark]
permissions:
contents: read
steps:
- name: Clone the git repo
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
Expand All @@ -38,8 +38,6 @@ jobs:
GITHUB_REF: ${{ inputs.reference_ref }}
- ROLE: rival
GITHUB_REF: ${{ inputs.rival_ref }}
permissions:
contents: read
env:
MANIFEST: ${{ matrix.ROLE }}/manifest.txt
steps:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/pmem_ras.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,9 @@ on:
# run this job every 8 hours
- cron: '0 */8 * * *'

permissions:
contents: read

jobs:
linux:
name: PMEM_RAS
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/pmem_test_matrix.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,9 @@ on:
type: number
default: 360 # The jobs.<job_id>.timeout-minutes default.

permissions:
contents: read

jobs:
job:
name: ${{ matrix.force_enable }}, ${{ matrix.test_script }}, ${{ matrix.os }}, ${{ matrix.build }}
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/pmem_tests.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
# run this job at 18:00 UTC every day
- cron: '0 18 * * *'

permissions:
contents: read

jobs:
# Test the default build with the basic test suite.
Basic:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/scan_bandit.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ env:
PMREORDER: src/tools/pmreorder/*.py
CALL_STACKS_ANALYSIS: utils/call_stacks_analysis/*.py

permissions:
contents: read

jobs:
bandit:
name: Bandit
Expand Down
9 changes: 5 additions & 4 deletions .github/workflows/scan_codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,15 @@ name: CodeQL
on:
workflow_call:

permissions:
actions: read
contents: read
security-events: write

jobs:
codeql:
name: CodeQL
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

steps:
- name: Clone the git repo
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/scan_coverage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,9 @@ env:
TEST_BUILD: debug
FAULT_INJECTION: 1

permissions:
contents: read

jobs:
linux:
name: Linux
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/scan_coverity.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,9 @@ env:
VALGRIND: 1
COVERITY: 1

permissions:
contents: read

jobs:
linux:
name: Linux
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/scan_documentation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,9 @@ name: Documentation
on:
workflow_call:

permissions:
contents: read

jobs:
linux:
name: Documentation
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/scan_log_calls.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ on:
workflow_dispatch:
workflow_call:

permissions:
contents: read

jobs:
log-calls:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/scan_stack_usage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
env:
CALL_STACKS_TOOLS_PATH: pmdk/utils/call_stacks_analysis

permissions:
contents: read

jobs:
stack-usage:
name: Stack usage
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/scan_ubsan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@ env:
UBSAN: 1
FAULT_INJECTION: 1

permissions:
contents: read

jobs:
linux:
name: Linux
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/scans.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,9 @@ on:
# run this job at 00:00 UTC every day
- cron: '0 0 * * *'

permissions:
contents: read

jobs:
call-bandit:
uses: ./.github/workflows/scan_bandit.yml
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/ubuntu.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ env:
GITHUB_REPO: pmem/pmdk
DOCKER_REPO: ghcr.io/pmem/pmdk

permissions:
contents: read

jobs:
linux:
name: Linux
Expand Down

0 comments on commit 63e8359

Please sign in to comment.