diff --git a/.github/workflows/docker_rebuild.yml b/.github/workflows/docker_rebuild.yml
index 5a46d3cf4f..bda0084213 100644
--- a/.github/workflows/docker_rebuild.yml
+++ b/.github/workflows/docker_rebuild.yml
@@ -23,6 +23,8 @@ env:
 WORKDIR: utils/docker
 PUSH_IMAGE: 1
+permissions: {}
+
 jobs:
 image:
 if: github.repository == 'pmem/pmdk'
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1b90f3efbd..08d6c815e7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -5,6 +5,8 @@ on:
 workflow_dispatch:
 pull_request:
+permissions: {}
+
 jobs:
 src_checkers:
 name: Source checkers
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 7fe5abd335..4e73fff0f9 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -19,6 +19,8 @@ env:
 PMDK_CXX: g++
 SRC_CHECKERS: 0
+permissions: {}
+
 jobs:
 in-tree:
 name: In-tree
diff --git a/.github/workflows/pmem_benchmark.yml b/.github/workflows/pmem_benchmark.yml
index 5a3c5e8a52..2882d5d266 100644
--- a/.github/workflows/pmem_benchmark.yml
+++ b/.github/workflows/pmem_benchmark.yml
@@ -10,13 +10,12 @@ on:
 type: string
 default: master
+permissions: {}
 jobs:
 prep_runtime:
 name: Prepare runtime
 runs-on: [self-hosted, benchmark]
- permissions:
- contents: read
 steps:
 - name: Clone the git repo
 uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -38,8 +37,6 @@ jobs:
 GITHUB_REF: ${{ inputs.reference_ref }}
 - ROLE: rival
 GITHUB_REF: ${{ inputs.rival_ref }}
- permissions:
- contents: read
 env:
 MANIFEST: ${{ matrix.ROLE }}/manifest.txt
 steps:
diff --git a/.github/workflows/pmem_ras.yml b/.github/workflows/pmem_ras.yml
index 6fd11d1166..c4d0b4f639 100644
--- a/.github/workflows/pmem_ras.yml
+++ b/.github/workflows/pmem_ras.yml
@@ -30,6 +30,8 @@ on:
 # run this job every 8 hours
 - cron: '0 */8 * * *'
+permissions: {}
+
 jobs:
 linux:
 name: PMEM_RAS
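Review bot: The new workflow-level `permissions: {}` leaves every job in docker_rebuild.yml with a scope-less GITHUB_TOKEN while the file's env still sets `PUSH_IMAGE: 1`, so if the `image` job's push step (outside this hunk) authenticates to the registry with that token, the push will now be denied rather than hardened. If that is the case the job needs an explicit grant of its own, e.g. `permissions:` / `  contents: read` / `  packages: write` under `image:`; if it uses a dedicated registry secret instead, a short comment beside `permissions: {}` saying so would spare the next reader the same question. The same empty top-level grant is added to main.yml, nightly.yml, pmem_ras.yml and the remaining workflows in this commit, and each should be checked the same way for steps that call the GitHub API with GITHUB_TOKEN (result uploads, PR comments, releases). Checkout of a public repository should still succeed without `contents: read`, but a private mirror or fork of these workflows would not, so stating `contents: read` per job is the more portable form.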
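Review bot: In pmem_benchmark.yml the job-level `contents: read` is removed from `prep_runtime` in the first hunk and from the matrix job in the second, and the replacement is a workflow-level `permissions: {}`, so the token handed to the `[self-hosted, benchmark]` runners drops from read to nothing; both jobs start with actions/checkout, which only keeps working as long as the repository stays publicly readable. Keeping `permissions:` / `  contents: read` on those two jobs would preserve the previous behaviour while still blocking every other scope. As a point of style, `+permissions: {}` here is inserted without the blank `+` line the other files add, so the new key abuts a neighbouring stanza; scan_log_calls.yml has the same omission.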
diff --git a/.github/workflows/pmem_test_matrix.yml b/.github/workflows/pmem_test_matrix.yml
index b337893c1a..453585969a 100644
--- a/.github/workflows/pmem_test_matrix.yml
+++ b/.github/workflows/pmem_test_matrix.yml
@@ -17,6 +17,8 @@ on:
 type: number
 default: 360 # The jobs..timeout-minutes default.
+permissions: {}
+
 jobs:
 job:
 name: ${{ matrix.force_enable }}, ${{ matrix.test_script }}, ${{ matrix.os }}, ${{ matrix.build }}
diff --git a/.github/workflows/pmem_tests.yml b/.github/workflows/pmem_tests.yml
index 1bf9a1b22c..b16cdd2f2d 100644
--- a/.github/workflows/pmem_tests.yml
+++ b/.github/workflows/pmem_tests.yml
@@ -9,6 +9,8 @@ on:
 # run this job at 18:00 UTC every day
 - cron: '0 18 * * *'
+permissions: {}
+
 jobs:
 # Test the default build with the basic test suite.
 Basic:
diff --git a/.github/workflows/scan_bandit.yml b/.github/workflows/scan_bandit.yml
index c7b6030030..1295541946 100644
--- a/.github/workflows/scan_bandit.yml
+++ b/.github/workflows/scan_bandit.yml
@@ -9,6 +9,8 @@ env:
 PMREORDER: src/tools/pmreorder/*.py
 CALL_STACKS_ANALYSIS: utils/call_stacks_analysis/*.py
+permissions: {}
+
 jobs:
 bandit:
 name: Bandit
diff --git a/.github/workflows/scan_codeql.yml b/.github/workflows/scan_codeql.yml
index 85d10c8791..2c1274f0de 100644
--- a/.github/workflows/scan_codeql.yml
+++ b/.github/workflows/scan_codeql.yml
@@ -4,14 +4,15 @@ name: CodeQL
 on:
 workflow_call:
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
 jobs:
 codeql:
 name: CodeQL
 runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
 steps:
 - name: Clone the git repo
diff --git a/.github/workflows/scan_coverage.yml b/.github/workflows/scan_coverage.yml
index 410728d0cc..1583c69e0e 100644
--- a/.github/workflows/scan_coverage.yml
+++ b/.github/workflows/scan_coverage.yml
@@ -24,6 +24,8 @@ env:
 TEST_BUILD: debug
 FAULT_INJECTION: 1
+permissions: {}
+
 jobs:
 linux:
 name: Linux
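Review bot: In scan_codeql.yml the `actions: read` / `contents: read` / `security-events: write` block moves from the `codeql` job to the workflow level of a `workflow_call` workflow, which widens the grant to every job the file may later contain and, as far as the reusable-workflow rules go, makes the effective scopes depend on what the calling job grants rather than on this block. Nothing in the hunk records that dependency, so a comment above the new block such as `# Effective scopes are capped by the calling job's permissions (see scans.yml).` would keep the two files from drifting apart. Leaving the block on the `codeql` job, as it was, would also keep `security-events: write` confined to the one job that uploads results; the job's steps continue outside the hunk.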
diff --git a/.github/workflows/scan_coverity.yml b/.github/workflows/scan_coverity.yml
index 575f7b04c6..cb6b49bb70 100644
--- a/.github/workflows/scan_coverity.yml
+++ b/.github/workflows/scan_coverity.yml
@@ -21,6 +21,8 @@ env:
 VALGRIND: 1
 COVERITY: 1
+permissions: {}
+
 jobs:
 linux:
 name: Linux
diff --git a/.github/workflows/scan_documentation.yml b/.github/workflows/scan_documentation.yml
index bfe4b48d32..2ee91a4a26 100644
--- a/.github/workflows/scan_documentation.yml
+++ b/.github/workflows/scan_documentation.yml
@@ -4,6 +4,8 @@ name: Documentation
 on:
 workflow_call:
+permissions: {}
+
 jobs:
 linux:
 name: Documentation
diff --git a/.github/workflows/scan_log_calls.yml b/.github/workflows/scan_log_calls.yml
index b5d5b64673..12c4bf6700 100644
--- a/.github/workflows/scan_log_calls.yml
+++ b/.github/workflows/scan_log_calls.yml
@@ -5,6 +5,7 @@ on:
 workflow_dispatch:
 workflow_call:
+permissions: {}
 jobs:
 log-calls:
diff --git a/.github/workflows/scan_stack_usage.yml b/.github/workflows/scan_stack_usage.yml
index fc786695c3..416fafe24f 100644
--- a/.github/workflows/scan_stack_usage.yml
+++ b/.github/workflows/scan_stack_usage.yml
@@ -8,6 +8,8 @@ on:
 env:
 CALL_STACKS_TOOLS_PATH: pmdk/utils/call_stacks_analysis
+permissions: {}
+
 jobs:
 stack-usage:
 name: Stack usage
diff --git a/.github/workflows/scan_ubsan.yml b/.github/workflows/scan_ubsan.yml
index a18c1b5ac0..9d5065143b 100644
--- a/.github/workflows/scan_ubsan.yml
+++ b/.github/workflows/scan_ubsan.yml
@@ -18,6 +18,8 @@ env:
 UBSAN: 1
 FAULT_INJECTION: 1
+permissions: {}
+
 jobs:
 linux:
 name: Linux
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
index 7bafd77ad0..a8f7d4d14a 100644
--- a/.github/workflows/scans.yml
+++ b/.github/workflows/scans.yml
@@ -7,6 +7,8 @@ on:
 # run this job at 00:00 UTC every day
 - cron: '0 0 * * *'
+permissions: {}
+
 jobs:
 call-bandit:
 uses: ./.github/workflows/scan_bandit.yml
@@ -14,6 +16,10 @@ jobs:
 call-codeql:
 uses: ./.github/workflows/scan_codeql.yml
 name: CodeQL
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
 call-coverity:
 uses: ./.github/workflows/scan_coverity.yml
 secrets:
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index edce664f50..846ba06c84 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -8,6 +8,8 @@ env:
 GITHUB_REPO: pmem/pmdk
 DOCKER_REPO: ghcr.io/pmem/pmdk
+permissions: {}
+
 jobs:
 linux:
 name: Linux
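Review bot: Only `call-codeql` receives a job-level grant in scans.yml; `call-coverity` (which passes `secrets:`) and the other `call-*` jobs now inherit the workflow-level `permissions: {}` added in the file's first hunk, so any called workflow whose steps use GITHUB_TOKEN against the API will be denied at run time, not at parse time. The called workflows' steps are not in this diff, so each `uses: ./.github/workflows/...` target should be checked once and the result recorded, e.g. `# All other called workflows run with no GITHUB_TOKEN scopes; grant per job if one starts needing the API.` above `jobs:`. Keeping the three scopes on the caller job rather than widening the top-level block is the right shape; the same reasoning applies to the `linux` job in ubuntu.yml, whose `DOCKER_REPO: ghcr.io/pmem/pmdk` reference is fine for anonymous pulls but would need `packages: write` if it ever pushes.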