From 5ab9c6bdd8e470e33c92418572476d4554db3c84 Mon Sep 17 00:00:00 2001 From: Ryan Cooke Date: Fri, 29 Nov 2024 15:28:21 +0000 Subject: [PATCH 1/3] Explicitly set GITHUB_TOKEN permissions for yocto workflow Changelog-entry: Explicitly set GITHUB_TOKEN permissions for yocto workflow Signed-off-by: Ryan Cooke --- .github/workflows/beaglebone-ai64.yml | 6 ++++++ .github/workflows/beaglebone-green-gateway.yml | 6 ++++++ .github/workflows/beaglebone-green-wifi.yml | 6 ++++++ .github/workflows/beaglebone-green.yml | 6 ++++++ .github/workflows/beaglebone-pocket.yml | 6 ++++++ .github/workflows/beaglebone.yml | 6 ++++++ .github/workflows/beagleplay.yml | 6 ++++++ 7 files changed, 42 insertions(+) diff --git a/.github/workflows/beaglebone-ai64.yml b/.github/workflows/beaglebone-ai64.yml index 7f1bd3ff..ed3f0f74 100644 --- a/.github/workflows/beaglebone-ai64.yml +++ b/.github/workflows/beaglebone-ai64.yml @@ -31,6 +31,12 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read jobs: yocto: diff --git a/.github/workflows/beaglebone-green-gateway.yml b/.github/workflows/beaglebone-green-gateway.yml index 0d733cae..3b24f91e 100644 --- a/.github/workflows/beaglebone-green-gateway.yml +++ b/.github/workflows/beaglebone-green-gateway.yml 
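Review bot: The new `permissions:` block grants `id-token: write` and `pull-requests: write` at workflow level, so every trigger gets them, and the third patch in this series re-enables `pull_request_target`, under which fork pull requests run in the base-repository context with these write scopes and an OIDC-capable token. Whether that is safe depends on the job condition and on where the reusable workflow checks out the PR head relative to the approval gate the comments mention; neither is visible in this hunk, so treat it as a point to confirm rather than a definite defect. The same block is added identically to beaglebone-green-gateway.yml, beaglebone-green-wifi.yml, beaglebone-green.yml, beaglebone-pocket.yml, beaglebone.yml and beagleplay.yml, so any adjustment needs to be mirrored in all seven. A wording nit on the `id-token` line: the URL is fused into the comment with a second `#`; `# Required to request the OIDC JWT, see <docs URL>` reads more clearly.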
@@ -31,6 +31,12 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read jobs: yocto: diff --git a/.github/workflows/beaglebone-green-wifi.yml b/.github/workflows/beaglebone-green-wifi.yml index 8bb752dc..67eb27ed 100644 --- a/.github/workflows/beaglebone-green-wifi.yml +++ b/.github/workflows/beaglebone-green-wifi.yml @@ -31,6 +31,12 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read jobs: yocto: diff --git a/.github/workflows/beaglebone-green.yml b/.github/workflows/beaglebone-green.yml index 8fce7dac..3c0c4a09 100644 --- a/.github/workflows/beaglebone-green.yml +++ b/.github/workflows/beaglebone-green.yml 
@@ -31,6 +31,12 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read jobs: yocto: diff --git a/.github/workflows/beaglebone-pocket.yml b/.github/workflows/beaglebone-pocket.yml index 7f962b1f..39166f50 100644 --- a/.github/workflows/beaglebone-pocket.yml +++ b/.github/workflows/beaglebone-pocket.yml @@ -31,6 +31,12 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read jobs: yocto: diff --git a/.github/workflows/beaglebone.yml b/.github/workflows/beaglebone.yml index cdc26b80..8522b47b 100644 --- a/.github/workflows/beaglebone.yml +++ b/.github/workflows/beaglebone.yml 
@@ -31,6 +31,12 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read jobs: yocto: diff --git a/.github/workflows/beagleplay.yml b/.github/workflows/beagleplay.yml index a16f536b..640516ca 100644 --- a/.github/workflows/beagleplay.yml +++ b/.github/workflows/beagleplay.yml @@ -31,6 +31,12 @@ on: type: string default: balena-staging.com +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read jobs: yocto: From 05c08f1b2aa72e1d0342a1ef53fb133d2ca9b0c8 Mon Sep 17 00:00:00 2001 
From: Ryan Cooke Date: Fri, 29 Nov 2024 15:29:03 +0000 Subject: [PATCH 2/3] Pin yocto-scripts workflow to master --- .github/workflows/beaglebone-ai64.yml | 2 +- .github/workflows/beaglebone-green-gateway.yml | 2 +- .github/workflows/beaglebone-green-wifi.yml | 2 +- .github/workflows/beaglebone-green.yml | 2 +- .github/workflows/beaglebone-pocket.yml | 2 +- .github/workflows/beaglebone.yml | 2 +- .github/workflows/beagleplay.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/beaglebone-ai64.yml b/.github/workflows/beaglebone-ai64.yml index ed3f0f74..3ac3ace6 100644 --- a/.github/workflows/beaglebone-ai64.yml +++ b/.github/workflows/beaglebone-ai64.yml @@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@v1.25.47 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/beaglebone-green-gateway.yml b/.github/workflows/beaglebone-green-gateway.yml index 3b24f91e..041a66dc 100644 --- a/.github/workflows/beaglebone-green-gateway.yml +++ b/.github/workflows/beaglebone-green-gateway.yml 
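Review bot: Switching `uses:` from the `v1.25.47` tag to `@master` replaces a fixed reference with a mutable branch, so any future commit to that repository's master is picked up by these workflows immediately and runs with the `id-token: write` and `pull-requests: write` scopes the first patch grants; the commit title calls this a pin, but a branch name does not pin anything. Pinning to a full commit SHA with the version in a trailing comment, e.g. `uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@<40-char-commit-sha> # v1.25.47`, or at least to an immutable release tag, keeps the reusable-workflow dependency reviewable. If `master` is needed temporarily to pick up an unreleased change, a comment saying so and a follow-up to re-pin would make that intent explicit. The same change is made in the other six workflow files in this patch.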
@@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@v1.25.47 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/beaglebone-green-wifi.yml b/.github/workflows/beaglebone-green-wifi.yml index 67eb27ed..751890a6 100644 --- a/.github/workflows/beaglebone-green-wifi.yml +++ b/.github/workflows/beaglebone-green-wifi.yml @@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@v1.25.47 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/beaglebone-green.yml b/.github/workflows/beaglebone-green.yml index 3c0c4a09..6a778023 100644 --- a/.github/workflows/beaglebone-green.yml +++ b/.github/workflows/beaglebone-green.yml 
@@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@v1.25.47 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/beaglebone-pocket.yml b/.github/workflows/beaglebone-pocket.yml index 39166f50..4753b9d9 100644 --- a/.github/workflows/beaglebone-pocket.yml +++ b/.github/workflows/beaglebone-pocket.yml @@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@v1.25.47 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/beaglebone.yml b/.github/workflows/beaglebone.yml index 8522b47b..6ccfd67e 100644 --- a/.github/workflows/beaglebone.yml +++ b/.github/workflows/beaglebone.yml @@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@v1.25.47 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while 
diff --git a/.github/workflows/beagleplay.yml b/.github/workflows/beagleplay.yml index 640516ca..e59e9644 100644 --- a/.github/workflows/beagleplay.yml +++ b/.github/workflows/beagleplay.yml @@ -41,7 +41,7 @@ permissions: jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@v1.25.47 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while From 07224b7dfcf0a174e62f3bb1e7ab6fc40d586e58 Mon Sep 17 00:00:00 2001 From: Ryan Cooke Date: Fri, 29 Nov 2024 15:30:15 +0000 Subject: [PATCH 3/3] re-enable PRT trigger --- .github/workflows/beaglebone-ai64.yml | 8 ++++---- .github/workflows/beaglebone-green-gateway.yml | 8 ++++---- .github/workflows/beaglebone-green-wifi.yml | 8 ++++---- .github/workflows/beaglebone-green.yml | 8 ++++---- .github/workflows/beaglebone-pocket.yml | 8 ++++---- .github/workflows/beaglebone.yml | 8 ++++---- .github/workflows/beagleplay.yml | 8 ++++---- 7 files changed, 28 insertions(+), 28 deletions(-) diff --git a/.github/workflows/beaglebone-ai64.yml b/.github/workflows/beaglebone-ai64.yml index 3ac3ace6..56e5a999 100644 --- a/.github/workflows/beaglebone-ai64.yml +++ b/.github/workflows/beaglebone-ai64.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern #- 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH) diff --git a/.github/workflows/beaglebone-green-gateway.yml b/.github/workflows/beaglebone-green-gateway.yml index 041a66dc..eb674cb5 100644 --- a/.github/workflows/beaglebone-green-gateway.yml 
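Review bot: Re-enabling `pull_request_target` means pull requests from forks now trigger runs that carry repository secrets and the write-scoped `GITHUB_TOKEN` granted earlier in the file, since that event runs in the base repository's context; the dedupe condition the neighbouring comment describes and the checkout step inside the reusable workflow are outside this hunk, so it cannot be verified here that PR-head code never executes before the approval gate. A short comment beside the trigger stating that invariant, e.g. `# pull_request_target runs with base-repo secrets; the reusable workflow must not run PR-head code before the approval gate`, would make the contract visible to the next editor. The same change is applied to the other six workflow files in this patch. In beaglebone.yml the surrounding context shows the ESR branch glob uncommented while every other file keeps it commented out; that is pre-existing rather than part of this change, but worth confirming it is intentional.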
+++ b/.github/workflows/beaglebone-green-gateway.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern #- 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH) diff --git a/.github/workflows/beaglebone-green-wifi.yml b/.github/workflows/beaglebone-green-wifi.yml index 751890a6..6f5c4a0b 100644 --- a/.github/workflows/beaglebone-green-wifi.yml +++ b/.github/workflows/beaglebone-green-wifi.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern #- 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH) diff --git a/.github/workflows/beaglebone-green.yml b/.github/workflows/beaglebone-green.yml index 6a778023..05bd6d5d 100644 --- a/.github/workflows/beaglebone-green.yml +++ b/.github/workflows/beaglebone-green.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern #- 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH) diff --git a/.github/workflows/beaglebone-pocket.yml b/.github/workflows/beaglebone-pocket.yml index 4753b9d9..364cdaab 100644 --- a/.github/workflows/beaglebone-pocket.yml +++ b/.github/workflows/beaglebone-pocket.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern #- 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH) diff --git a/.github/workflows/beaglebone.yml b/.github/workflows/beaglebone.yml index 6ccfd67e..cf0b5d48 100644 
--- a/.github/workflows/beaglebone.yml +++ b/.github/workflows/beaglebone.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern - 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH) diff --git a/.github/workflows/beagleplay.yml b/.github/workflows/beagleplay.yml index e59e9644..01c4aaae 100644 --- a/.github/workflows/beagleplay.yml +++ b/.github/workflows/beagleplay.yml @@ -9,10 +9,10 @@ on: - master # ESR branches glob pattern #- 20[0-9][0-9].[0-1]?[1470].x - # pull_request_target: - # branches: - # - main - # - master + pull_request_target: + branches: + - main + - master push: tags: # Semver tags glob pattern (includes ESR in format v20YY.MM.PATCH)