diff --git a/.github/workflows/boil_pr.yaml b/.github/workflows/boil_pr.yaml index 2d548d9d1..9f34b5bc7 100644 --- a/.github/workflows/boil_pr.yaml +++ b/.github/workflows/boil_pr.yaml @@ -9,6 +9,9 @@ on: - "rust/boil/**.rs" - "Cargo.*" +permissions: + contents: read + env: RUST_VERSION: 1.89.0 @@ -29,7 +32,6 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false - submodules: recursive - name: Run cargo-deny uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15 diff --git a/.github/workflows/boil_release.yaml b/.github/workflows/boil_release.yaml index 7121ed7ea..be071fee8 100644 --- a/.github/workflows/boil_release.yaml +++ b/.github/workflows/boil_release.yaml @@ -6,6 +6,8 @@ on: tags: - "boil-[0-9]+.[0-9]+.[0-9]+**" +permissions: {} + env: RUST_VERSION: 1.89.0 @@ -13,6 +15,10 @@ jobs: create-release: name: Create Draft Release runs-on: ubuntu-latest + permissions: + # Write is needed to draft the release + # See https://github.com/softprops/action-gh-release/blob/153bb8e04406b158c6c84fc1615b65b24149a1fe/README.md?plain=1#L281 + contents: write steps: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -44,6 +50,10 @@ jobs: - { target: x86_64-unknown-linux-gnu, os: ubuntu-latest } - { target: aarch64-apple-darwin, os: macos-latest } runs-on: ${{ matrix.targets.os }} + permissions: + # Write is needed to upload artifacts to the release + # See https://github.com/softprops/action-gh-release/blob/153bb8e04406b158c6c84fc1615b65b24149a1fe/README.md?plain=1#L281 + contents: write steps: - name: Checkout uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 
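Review bot: The `- submodules: recursive` removal in the checkout step of boil_pr.yaml is a behaviour change unrelated to the permissions hardening, and the diff gives no reason for it. If any path matched by the `rust/boil/**.rs` / `Cargo.*` triggers depends on a git submodule, cargo-deny will now run against an incomplete tree. If the setting was simply never needed, a one-line comment on the step such as `# submodules are not needed for this job` would keep the next reader from re-adding it. The step's remaining `with:` entries are outside the hunk.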
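Review bot: `contents: write` on the `build` matrix job in boil_release.yaml scopes the whole job's GITHUB_TOKEN to write, although per the added comment only the upload to the release needs it; the cargo build and every other step in the job run with the same token available. The smallest change is to keep `build` at `contents: read`, publish the binaries with `actions/upload-artifact`, and let a separate job that downloads them hold `contents: write` for the upload alone; if that is too invasive, confirm that no build step exports the token into its environment. Also check that the `actions/checkout` steps in the three jobs that now carry `contents: write` keep `persist-credentials: false`, since a persisted write-capable token is stored in the workspace's git config; those `with:` blocks are outside the hunks.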
@@ -74,6 +84,10 @@ jobs: finish-release: needs: [build] runs-on: ubuntu-latest + permissions: + # Write is needed to finalize the release + # See https://github.com/softprops/action-gh-release/blob/153bb8e04406b158c6c84fc1615b65b24149a1fe/README.md?plain=1#L281 + contents: write steps: - name: Finish Release uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 diff --git a/.github/workflows/build_airflow.yaml b/.github/workflows/build_airflow.yaml index f12d5c726..3c052be00 100644 --- a/.github/workflows/build_airflow.yaml +++ b/.github/workflows/build_airflow.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 0 1/2 * *' # https://crontab.guru/#0_0_1/2_*_* + - cron: 0 0 1/2 * * # https://crontab.guru/#0_0_1/2_*_* push: branches: [main] tags: @@ -22,6 +22,8 @@ on: - .github/workflows/build_airflow.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -29,6 +31,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: airflow sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_druid.yaml b/.github/workflows/build_druid.yaml index c22c3d869..713422310 100644 --- a/.github/workflows/build_druid.yaml +++ b/.github/workflows/build_druid.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 1 1/2 * *' # https://crontab.guru/#0_1_1/2_*_* + - cron: 0 1 1/2 * * # https://crontab.guru/#0_1_1/2_*_* push: branches: [main] tags: @@ -24,6 +24,8 @@ on: - .github/workflows/build_druid.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
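Review bot: Removing the quotes from the schedule in build_airflow.yaml, `- cron: 0 0 1/2 * *`, relies on the value starting with a digit: a plain scalar that begins with `*` is read as a YAML alias, so any schedule that starts with `*` added later must be quoted again and the file would then mix two conventions. This same commit switches `pr_test_build_images.yaml` to double quotes, so `- cron: "0 0 1/2 * *"` would be the consistent form. The same change appears in the other `build_*.yaml` files and in `ubi-rust-builder.yml`.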
@@ -31,6 +33,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: druid sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_hadoop.yaml b/.github/workflows/build_hadoop.yaml index 3abe2184f..b2c47f02c 100644 --- a/.github/workflows/build_hadoop.yaml +++ b/.github/workflows/build_hadoop.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 2 1/2 * *' # https://crontab.guru/#0_2_1/2_*_* + - cron: 0 2 1/2 * * # https://crontab.guru/#0_2_1/2_*_* push: branches: [main] tags: @@ -24,6 +24,8 @@ on: - .github/workflows/build_hadoop.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -31,6 +33,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: hadoop sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_hbase.yaml b/.github/workflows/build_hbase.yaml index 540099475..9d5022e78 100644 --- a/.github/workflows/build_hbase.yaml +++ b/.github/workflows/build_hbase.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 0 2/2 * *' # https://crontab.guru/#0_0_2/2_*_* + - cron: 0 0 2/2 * * # https://crontab.guru/#0_0_2/2_*_* push: branches: [main] tags: @@ -25,6 +25,8 @@ on: - .github/workflows/build_hbase.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
@@ -32,6 +34,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: hbase sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_hive.yaml b/.github/workflows/build_hive.yaml index 5b32d1dc5..8a5b4e02a 100644 --- a/.github/workflows/build_hive.yaml +++ b/.github/workflows/build_hive.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: "0 2 2/2 * *" # https://crontab.guru/#0_2_2/2_*_* + - cron: 0 2 2/2 * * # https://crontab.guru/#0_2_2/2_*_* push: branches: [main] tags: @@ -25,6 +25,8 @@ on: - .github/workflows/build_hive.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -32,6 +34,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: hive sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_java-base.yaml b/.github/workflows/build_java-base.yaml index 4c3f5f79f..5ec426eab 100644 --- a/.github/workflows/build_java-base.yaml +++ b/.github/workflows/build_java-base.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 0 1/2 * *' # https://crontab.guru/#0_0_1/2_*_* + - cron: 0 0 1/2 * * # https://crontab.guru/#0_0_1/2_*_* push: branches: [main] tags: @@ -20,6 +20,8 @@ on: - .github/workflows/build_java-base.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
@@ -27,6 +29,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: java-base sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_java-devel.yaml b/.github/workflows/build_java-devel.yaml index 9cbd5cc17..852ea27f8 100644 --- a/.github/workflows/build_java-devel.yaml +++ b/.github/workflows/build_java-devel.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 1 1/2 * *' # https://crontab.guru/#0_1_1/2_*_* + - cron: 0 1 1/2 * * # https://crontab.guru/#0_1_1/2_*_* push: branches: [main] tags: @@ -20,6 +20,8 @@ on: - .github/workflows/build_java-devel.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -27,6 +29,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: java-devel sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_kafka-testing-tools.yaml b/.github/workflows/build_kafka-testing-tools.yaml index ae5709f8c..2f86355b5 100644 --- a/.github/workflows/build_kafka-testing-tools.yaml +++ b/.github/workflows/build_kafka-testing-tools.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 2 1/2 * *' # https://crontab.guru/#0_2_1/2_*_* + - cron: 0 2 1/2 * * # https://crontab.guru/#0_2_1/2_*_* push: branches: [main] tags: @@ -24,6 +24,8 @@ on: - .github/workflows/build_kafka-testing-tools.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
@@ -31,6 +33,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: kafka-testing-tools sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_kafka.yaml b/.github/workflows/build_kafka.yaml index c0b73cb01..1877c28d9 100644 --- a/.github/workflows/build_kafka.yaml +++ b/.github/workflows/build_kafka.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 0 2/2 * *' # https://crontab.guru/#0_0_2/2_*_* + - cron: 0 0 2/2 * * # https://crontab.guru/#0_0_2/2_*_* push: branches: [main] tags: @@ -25,6 +25,8 @@ on: - .github/workflows/build_kafka.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -32,6 +34,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: kafka sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_krb5.yaml b/.github/workflows/build_krb5.yaml index 820adca84..7ce72f738 100644 --- a/.github/workflows/build_krb5.yaml +++ b/.github/workflows/build_krb5.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 2 2/2 * *' # https://crontab.guru/#0_2_2/2_*_* + - cron: 0 2 2/2 * * # https://crontab.guru/#0_2_2/2_*_* push: branches: [main] tags: @@ -20,6 +20,8 @@ on: - .github/workflows/build_krb5.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
@@ -27,6 +29,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: krb5 sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_nifi.yaml b/.github/workflows/build_nifi.yaml index 7aa6dc4a1..a817492ac 100644 --- a/.github/workflows/build_nifi.yaml +++ b/.github/workflows/build_nifi.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: "0 0 1/2 * *" # https://crontab.guru/#0_0_1/2_*_* + - cron: 0 0 1/2 * * # https://crontab.guru/#0_0_1/2_*_* push: branches: [main] tags: @@ -24,6 +24,8 @@ on: - .github/workflows/build_nifi.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -31,6 +33,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: nifi sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_omid.yaml b/.github/workflows/build_omid.yaml index a75561d07..aec935d9b 100644 --- a/.github/workflows/build_omid.yaml +++ b/.github/workflows/build_omid.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 1 1/2 * *' # https://crontab.guru/#0_1_1/2_*_* + - cron: 0 1 1/2 * * # https://crontab.guru/#0_1_1/2_*_* push: branches: [main] tags: @@ -24,6 +24,8 @@ on: - .github/workflows/build_omid.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
@@ -31,6 +33,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: omid sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_opa.yaml b/.github/workflows/build_opa.yaml index 54400f5fa..74543102c 100644 --- a/.github/workflows/build_opa.yaml +++ b/.github/workflows/build_opa.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 2 1/2 * *' # https://crontab.guru/#0_2_1/2_*_* + - cron: 0 2 1/2 * * # https://crontab.guru/#0_2_1/2_*_* push: branches: [main] tags: @@ -22,6 +22,8 @@ on: - .github/workflows/build_opa.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -29,6 +31,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: opa sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_opensearch.yaml b/.github/workflows/build_opensearch.yaml index 9aa5f220a..4269d1f1f 100644 --- a/.github/workflows/build_opensearch.yaml +++ b/.github/workflows/build_opensearch.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: "0 0 2/2 * *" # https://crontab.guru/#0_0_2/2_*_* + - cron: 0 0 2/2 * * # https://crontab.guru/#0_0_2/2_*_* push: branches: [main] tags: @@ -25,6 +25,8 @@ on: - .github/workflows/build_opensearch.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
@@ -32,6 +34,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: opensearch sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_opensearch_dashboards.yaml b/.github/workflows/build_opensearch_dashboards.yaml index 7f014937d..d385f96ff 100644 --- a/.github/workflows/build_opensearch_dashboards.yaml +++ b/.github/workflows/build_opensearch_dashboards.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: "0 0 2/2 * *" # https://crontab.guru/#0_0_2/2_*_* + - cron: 0 0 2/2 * * # https://crontab.guru/#0_0_2/2_*_* push: branches: [main] tags: @@ -23,6 +23,8 @@ on: - .github/workflows/build_opensearch_dashboards.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -30,6 +32,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: opensearch-dashboards sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_spark-connect-client.yaml b/.github/workflows/build_spark-connect-client.yaml index 91b822fdf..ce30660e0 100644 --- a/.github/workflows/build_spark-connect-client.yaml +++ b/.github/workflows/build_spark-connect-client.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: "0 0 2/2 * *" # https://crontab.guru/#0_0_2/2_*_* + - cron: 0 0 2/2 * * # https://crontab.guru/#0_0_2/2_*_* push: branches: [main] tags: @@ -23,6 +23,8 @@ on: - .github/workflows/build_spark-connect-client.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
@@ -30,6 +32,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_STACKABLE_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: spark-connect-client sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_spark-k8s.yaml b/.github/workflows/build_spark-k8s.yaml index 5969ddd98..07f095414 100644 --- a/.github/workflows/build_spark-k8s.yaml +++ b/.github/workflows/build_spark-k8s.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: "0 0 2/2 * *" # https://crontab.guru/#0_0_2/2_*_* + - cron: 0 0 2/2 * * # https://crontab.guru/#0_0_2/2_*_* push: branches: [main] tags: @@ -25,6 +25,8 @@ on: - .github/workflows/build_spark-k8s.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -32,6 +34,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: spark-k8s sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_stackable-base.yaml b/.github/workflows/build_stackable-base.yaml index ca7b359fb..f16a8cf3b 100644 --- a/.github/workflows/build_stackable-base.yaml +++ b/.github/workflows/build_stackable-base.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 1 2/2 * *' # https://crontab.guru/#0_1_2/2_*_* + - cron: 0 1 2/2 * * # https://crontab.guru/#0_1_2/2_*_* push: branches: [main] tags: @@ -21,6 +21,8 @@ on: - .github/workflows/build_stackable-base.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
@@ -28,6 +30,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: stackable-base sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_superset.yaml b/.github/workflows/build_superset.yaml index 740ea557e..e9ef07ba7 100644 --- a/.github/workflows/build_superset.yaml +++ b/.github/workflows/build_superset.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 2 2/2 * *' # https://crontab.guru/#0_2_2/2_*_* + - cron: 0 2 2/2 * * # https://crontab.guru/#0_2_2/2_*_* push: branches: [main] tags: @@ -22,6 +22,8 @@ on: - .github/workflows/build_superset.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -29,6 +31,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: superset sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_testing-tools.yaml b/.github/workflows/build_testing-tools.yaml index 4d61f828d..80071a2ca 100644 --- a/.github/workflows/build_testing-tools.yaml +++ b/.github/workflows/build_testing-tools.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 0 1/2 * *' # https://crontab.guru/#0_0_1/2_*_* + - cron: 0 0 1/2 * * # https://crontab.guru/#0_0_1/2_*_* push: branches: [main] tags: @@ -20,6 +20,8 @@ on: - .github/workflows/build_testing-tools.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow (${{ matrix.product-name }}) 
@@ -35,6 +37,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: ${{ matrix.product-name }} sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_tools.yaml b/.github/workflows/build_tools.yaml index 0487126bf..c3ebe89e9 100644 --- a/.github/workflows/build_tools.yaml +++ b/.github/workflows/build_tools.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 1 1/2 * *' # https://crontab.guru/#0_1_1/2_*_* + - cron: 0 1 1/2 * * # https://crontab.guru/#0_1_1/2_*_* push: branches: [main] tags: @@ -21,6 +21,8 @@ on: - .github/workflows/build_tools.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -28,6 +30,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: tools sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_trino-cli.yaml b/.github/workflows/build_trino-cli.yaml index 1c57783fa..c0bc70c84 100644 --- a/.github/workflows/build_trino-cli.yaml +++ b/.github/workflows/build_trino-cli.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 2 1/2 * *' # https://crontab.guru/#0_2_1/2_*_* + - cron: 0 2 1/2 * * # https://crontab.guru/#0_2_1/2_*_* push: branches: [main] tags: @@ -23,6 +23,8 @@ on: - .github/workflows/build_trino-cli.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
@@ -30,6 +32,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: trino-cli sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_trino.yaml b/.github/workflows/build_trino.yaml index 7c2300dad..c00bc619f 100644 --- a/.github/workflows/build_trino.yaml +++ b/.github/workflows/build_trino.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: "0 0 2/2 * *" # https://crontab.guru/#0_0_2/2_*_* + - cron: 0 0 2/2 * * # https://crontab.guru/#0_0_2/2_*_* push: branches: [main] tags: @@ -24,6 +24,8 @@ on: - .github/workflows/build_trino.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -31,6 +33,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: trino sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_vector.yaml b/.github/workflows/build_vector.yaml index 363fc634b..b59e187db 100644 --- a/.github/workflows/build_vector.yaml +++ b/.github/workflows/build_vector.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 1 2/2 * *' # https://crontab.guru/#0_1_2/2_*_* + - cron: 0 1 2/2 * * # https://crontab.guru/#0_1_2/2_*_* push: branches: [main] tags: @@ -20,6 +20,8 @@ on: - .github/workflows/build_vector.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow 
@@ -27,6 +29,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: vector sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/build_zookeeper.yaml b/.github/workflows/build_zookeeper.yaml index ed2f129d6..356744cec 100644 --- a/.github/workflows/build_zookeeper.yaml +++ b/.github/workflows/build_zookeeper.yaml @@ -6,7 +6,7 @@ run-name: | on: workflow_dispatch: schedule: - - cron: '0 2 2/2 * *' # https://crontab.guru/#0_2_2/2_*_* + - cron: 0 2 2/2 * * # https://crontab.guru/#0_2_2/2_*_* push: branches: [main] tags: @@ -24,6 +24,8 @@ on: - .github/workflows/build_zookeeper.yaml - .github/workflows/reusable_build_image.yaml +permissions: {} + jobs: build_image: name: Reusable Workflow @@ -31,6 +33,9 @@ jobs: secrets: harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }} slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }} + permissions: + id-token: write + contents: read with: product-name: zookeeper sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }} diff --git a/.github/workflows/mirror.yaml b/.github/workflows/mirror.yaml index f3a282235..c2a340812 100644 --- a/.github/workflows/mirror.yaml +++ b/.github/workflows/mirror.yaml @@ -21,6 +21,8 @@ on: type: string required: true +permissions: {} + jobs: mirror-image: # even though we are dealing with multi-arch images, we can do all @@ -29,6 +31,7 @@ jobs: runs-on: ubuntu-latest permissions: id-token: write + contents: read strategy: fail-fast: false matrix: @@ -71,6 +74,7 @@ jobs: needs: [mirror-image] permissions: id-token: write + contents: read runs-on: ubuntu-latest steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 
diff --git a/.github/workflows/pr_pre-commit.yaml b/.github/workflows/pr_pre-commit.yaml index a3b18933f..32ae7069f 100644 --- a/.github/workflows/pr_pre-commit.yaml +++ b/.github/workflows/pr_pre-commit.yaml @@ -4,6 +4,9 @@ name: pre-commit on: pull_request: +permissions: + contents: read + env: # Keep in sync with across other repos like operator-rs and operator-templating RUST_TOOLCHAIN_VERSION: "nightly-2025-10-23" @@ -18,6 +21,7 @@ jobs: with: persist-credentials: false fetch-depth: 0 + - uses: stackabletech/actions/run-pre-commit@7fb064db885e006f6a9eeff69c7cd5ff5dea68bc # v0.13.0 with: python-version: ${{ env.PYTHON_VERSION }} diff --git a/.github/workflows/pr_test_build_images.yaml b/.github/workflows/pr_test_build_images.yaml index 367de3cb5..105afbae1 100644 --- a/.github/workflows/pr_test_build_images.yaml +++ b/.github/workflows/pr_test_build_images.yaml @@ -4,10 +4,12 @@ name: Test Build Images on: workflow_dispatch: pull_request: - branches: [main, 'release/*'] + branches: [main, "release/*"] # For now, we run on all paths, but if the products could be moved into a subdirectory, we could match on that # paths: [] +permissions: {} + jobs: dummy: runs-on: ubuntu-latest diff --git a/.github/workflows/preflight.yaml b/.github/workflows/preflight.yaml index 5695cf893..45e79256e 100644 --- a/.github/workflows/preflight.yaml +++ b/.github/workflows/preflight.yaml @@ -12,7 +12,7 @@ # # As you can imagine, retagging this repository just to force a new round # of possibly unsuccessful checks was not very productive. -# +# TODO: Replace most this with the preflight action --- name: Preflight checks run-name: | @@ -41,6 +41,9 @@ on: required: true default: "sdp" type: string + +permissions: {} + jobs: preflight: name: ${{ matrix.product }} preflight checks 
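Review bot: With the new workflow-level `permissions: {}` in pr_test_build_images.yaml, the `dummy` job's GITHUB_TOKEN has no scopes at all, and the job declares none of its own in the hunk. Elsewhere in this commit every job that checks out the repository gets an explicit `permissions: contents: read` (preflight.yaml, reusable_build_image.yaml), so if `dummy` runs `actions/checkout` it will need the same two lines under `runs-on: ubuntu-latest`. The job's steps are outside the hunk, so this may already be fine.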
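Review bot: The new comment line in preflight.yaml reads `# TODO: Replace most this with the preflight action`; it is missing a word and does not say which action is meant. Suggest `# TODO: Replace most of this with the preflight action` and, if one is known, the action's name so the TODO is actionable.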
@@ -73,20 +76,26 @@ jobs: - trino - tools - zookeeper + permissions: + contents: read env: GITHUB_REF_NAME: ${{ github.ref_name }} steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: "3.x" + - run: pip install image-tools-stackabletech==0.0.16 + - name: Install preflight run: | wget https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.10.0/preflight-linux-amd64 chmod +x preflight-linux-amd64 + - name: Submit preflight checks if: ${{ inputs.submit == true }} env: diff --git a/.github/workflows/reusable_build_image.yaml b/.github/workflows/reusable_build_image.yaml index 4927a61a1..f2bccb4a1 100644 --- a/.github/workflows/reusable_build_image.yaml +++ b/.github/workflows/reusable_build_image.yaml @@ -1,3 +1,4 @@ +--- on: workflow_call: inputs: @@ -25,14 +26,19 @@ on: description: The Slack token used to post failure notifications required: true +permissions: {} + jobs: generate_runner_dimension: name: Generate Runner Dimension runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false + - id: runners shell: bash env: @@ -54,10 +60,13 @@ jobs: generate_version_dimension: name: Generate Version Dimension runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false + - id: shard uses: stackabletech/actions/shard@7fb064db885e006f6a9eeff69c7cd5ff5dea68bc # v0.13.0 with: @@ -72,6 +81,7 @@ jobs: - generate_runner_dimension permissions: id-token: write + contents: read runs-on: ${{ matrix.runner.name }} strategy: fail-fast: false 
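Review bot: The `Install preflight` step in preflight.yaml, now sitting between the blank lines this hunk adds, fetches `preflight-linux-amd64` with `wget` and makes it executable without verifying its digest, and the `pip install image-tools-stackabletech==0.0.16` line pins a version but no hash; both are unchanged context here, but since this commit is about hardening the workflows they are worth closing at the same time. A digest check between the download and `chmod` is one line, `echo "<EXPECTED_SHA256>  preflight-linux-amd64" | sha256sum --check` (placeholder; the expected value has to be recorded once and kept next to the version), and pip accepts `--require-hashes` with a hash-pinned requirements file. The new job-level `permissions: contents: read` itself looks right for the checkout this job performs.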
@@ -111,6 +121,7 @@ jobs: needs: [generate_version_dimension, build] permissions: id-token: write + contents: read runs-on: ubuntu-latest strategy: fail-fast: false diff --git a/.github/workflows/ubi-rust-builder.yml b/.github/workflows/ubi-rust-builder.yml index 89af5897e..038aab181 100644 --- a/.github/workflows/ubi-rust-builder.yml +++ b/.github/workflows/ubi-rust-builder.yml @@ -14,19 +14,26 @@ on: - .github/workflows/ubi-rust-builder.yml - .github/workflows/reusable_build_image.yaml schedule: - - cron: "30 4 * * *" + - cron: 30 4 * * * workflow_dispatch: +permissions: {} + jobs: build: permissions: id-token: write + contents: read runs-on: ${{ matrix.runner }} strategy: fail-fast: false matrix: - runner: ["ubuntu-latest", "ubicloud-standard-8-arm-ubuntu-2404"] - ubi-version: ["ubi9", "ubi10"] + runner: + - ubuntu-latest + - ubicloud-standard-8-arm-ubuntu-2404 + ubi-version: + - ubi9 + - ubi10 steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: @@ -68,14 +75,17 @@ jobs: publish_manifests: name: Build/Publish Image Index Manifest - needs: ["build"] + needs: [build] permissions: id-token: write + contents: read runs-on: ubuntu-latest strategy: fail-fast: false matrix: - ubi-version: ["ubi9", "ubi10"] + ubi-version: + - ubi9 + - ubi10 steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 0706f07eb..14f284133 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -52,6 +52,12 @@ repos: hooks: - id: hadolint + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: 7fc963270df722f37707d47ff41265fe8f460822 # v1.20.0 + hooks: + - id: zizmor + args: ["--no-progress", "--min-confidence", "medium"] + - repo: local hooks: - id: update-readme-badges
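Review bot: The new zizmor hook in .pre-commit-config.yaml runs with `--min-confidence medium`, which drops low-confidence findings, and nothing in the file records that this is deliberate. A short comment above the `args` line, `# low-confidence findings are skipped to keep the hook quiet; run zizmor with --min-confidence low when auditing`, keeps the threshold from being mistaken for the tool's default later. Since pr_pre-commit.yaml runs the same hooks in CI, this hook is the enforcing check for the workflow changes in this commit, so the threshold choice matters.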