[bitnami/charts] Revisit worflow permissions (#17028)

* [bitnami/charts] Revisit workflow permissions

Signed-off-by: Fran Mulero <fmulero@vmware.com>

* Revisit permissions

Signed-off-by: Fran Mulero <fmulero@vmware.com>

* Fix triage permissions

Signed-off-by: Fran Mulero <fmulero@vmware.com>

---------

Signed-off-by: Fran Mulero <fmulero@vmware.com>
This commit is contained in:
Fran Mulero
2023-06-06 15:46:42 +02:00
committed by GitHub
parent 496c371056
commit ddb8c20577
15 changed files with 81 additions and 45 deletions


@@ -3,9 +3,8 @@ on:
pull_request_target:
types:
- opened
permissions:
# Remove all permissions by default
contents: none
# Remove all permissions by default
permissions: {}
jobs:
assign-label:
name: Assign label
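Review bot: With `permissions: {}` now at workflow level, the `assign-label` job needs its own grant to apply a label, and the hunk stops at the job header before any job-level `permissions:` block is visible; confirm the job declares `permissions: pull-requests: write` (or uses a bot token), otherwise the labeling call will fail with 403. Because the trigger is `pull_request_target`, GITHUB_TOKEN is write-capable and the job runs in the base repository's context with secrets, so that job-level grant is what bounds it — keep it to `pull-requests: write` and make sure no step checks out or executes code from the PR head. The job body continues outside the hunk.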


@@ -116,6 +116,8 @@ on: # rebuild any PRs and main branch changes
- 'bitnami/wordpress-intel/**'
- 'bitnami/zookeeper/**'
- '!**.md'
# Remove all permissions by default.
permissions: {}
env:
CSP_API_URL: https://console.cloud.vmware.com
CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}
@@ -124,6 +126,8 @@ jobs:
get-chart:
runs-on: ubuntu-latest
name: 'Get modified charts'
permissions:
contents: read
outputs:
chart: ${{ steps.get-chart.outputs.chart }}
result: ${{ steps.get-chart.outputs.result }}
@@ -171,6 +175,8 @@ jobs:
needs: get-chart
if: ${{ needs.get-chart.outputs.result == 'ok' }}
name: VIB Publish
permissions:
contents: read
steps:
- uses: actions/checkout@v3
name: Checkout Repository
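Review bot: The least-privilege pass covers GITHUB_TOKEN but not the CSP secret: `CSP_API_TOKEN: ${{ secrets.CSP_API_TOKEN }}` is still exported as a workflow-level `env:` immediately after the new `permissions: {}`, so it is injected into every job, including `get-chart`, which this commit grants only `contents: read` and which presumably only computes the list of modified charts. Scope the secret to the job or step that actually calls the VIB API by moving the `env:` entry under the publish job. Whether `get-chart` reads the token is not visible here, so verify before moving it; the sibling workflow using `CSP_API_TESTING_TOKEN` has the same layout.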


@@ -9,9 +9,8 @@ on: # rebuild any PRs and main branch changes
branches:
- main
- bitnami:main
permissions:
issues: write
pull-requests: write
# Remove all permissions by default
permissions: {}
env:
CSP_API_URL: https://console.cloud.vmware.com
CSP_API_TOKEN: ${{ secrets.CSP_API_TESTING_TOKEN }}
@@ -23,6 +22,8 @@ jobs:
get-chart:
runs-on: ubuntu-latest
name: Get modified charts
permissions:
contents: read
if: ${{ github.event.pull_request.state != 'closed' }}
outputs:
chart: ${{ steps.get-chart.outputs.chart }}
@@ -86,6 +87,8 @@ jobs:
vib-verify:
runs-on: ubuntu-latest
needs: get-chart
permissions:
contents: read
# Given performance issues of the action feature on GH's side, we need to be very restrictive in the job's triggers:
# -> The 'Get modified charts' job suceededs AND
# ( ---> The pipeline was triggered due to a label addition and said label was the 'verify' one OR
@@ -135,6 +138,8 @@ jobs:
runs-on: ubuntu-latest
needs: vib-verify
name: Reviewal for automated PRs
permissions:
pull-requests: write
# Job to be run only when the triage for automated PRs did as well,
# not taking into account whether 'VIB Verify' succeeded
if: |


@@ -3,9 +3,8 @@ on:
schedule:
# Hourly
- cron: '0 * * * *'
permissions:
issues: write
pull-requests: write
# Remove all permissions by default. Actions are performed by Bitnami Bot
permissions: {}
jobs:
stale:
runs-on: ubuntu-latest


@@ -3,17 +3,19 @@ on:
issue_comment:
types:
- created
permissions:
contents: read
repository-projects: write
issues: read
pull-requests: read
# Remove all permissions by default
permissions: {}
# Avoid concurrency over the same issue
concurrency:
group: card-movement-${{ github.event.issue.number }}
jobs:
comments_handler:
runs-on: ubuntu-latest
permissions:
contents: read
repository-projects: write
issues: read
pull-requests: read
steps:
- name: Repo checkout
uses: actions/checkout@v3
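Review bot: The `comments_handler` job keeps `repository-projects: write` exactly as the old workflow-level block did, so for this single-job workflow the effective privilege is unchanged; the gain is only that a job added later starts from nothing. A reviewer would still want a justification next to the write grant, e.g. `# needed to move the project card of the commented issue`. Separately, `issue_comment` fires for any commenter, so if the handler (its steps beyond the checkout are outside the hunk) interpolates `github.event.comment.body` into a `run:` script, that is a command-injection path — pass it through an `env:` variable instead.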


@@ -4,11 +4,14 @@ on:
schedule:
# Every 2 hours
- cron: '15 0/2 * * *'
permissions:
repository-projects: write
# Remove all permissions by default
permissions: {}
jobs:
delete-cards:
runs-on: ubuntu-latest
permissions:
repository-projects: write
contents: read
steps:
- name: Repo checkout
uses: actions/checkout@v3


@@ -6,11 +6,13 @@ on:
- main
paths:
- 'bitnami/*/values.yaml'
permissions:
contents: write
# Remove all permissions by default
permissions: {}
jobs:
update-readme-metadata:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Install readme-generator-for-helm
run: npm install -g @bitnami/readme-generator-for-helm
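Review bot: `contents: write` is the broadest GITHUB_TOKEN grant in this commit and it is given to a job whose first step runs `npm install -g @bitnami/readme-generator-for-helm` with no version pin, so whatever is latest on the registry at run time executes with a token that can push to the repository. Pin the package the way the markdown linter workflow already pins `markdownlint-cli@0.33.0` — `npm install -g @bitnami/readme-generator-for-helm@<tested version>` — and consider installing from a lockfile for integrity checking. The remaining steps, including the commit/push that needs the write grant, are outside the hunk.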


@@ -5,11 +5,13 @@ on:
- main
paths:
- '**.md'
permissions:
contents: read
# Remove all permissions by default
permissions: {}
jobs:
markdown-linter:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Install mardownlint
run: npm install -g markdownlint-cli@0.33.0


@@ -6,8 +6,8 @@ on:
pull_request_target:
types:
- closed
permissions:
repository-projects: write
# Remove all permissions by default. Actions are performed by Bitnami Bot
permissions: {}
# Avoid concurrency over the same issue
concurrency:
group: card-movement-${{ github.event_name != 'issues' && github.event.number || github.event.issue.number }}
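Review bot: `permissions: {}` only bounds GITHUB_TOKEN; the new comment says the work is done by the Bitnami Bot, whose PAT is not constrained by this block, so the effective privilege of this `pull_request_target` workflow is whatever scopes that token carries. Since `pull_request_target` runs in the base repository context with secrets available even for fork PRs, the job (not in the hunk) must not check out or execute anything from the PR head. Consider making the boundary explicit in the comment: `# GITHUB_TOKEN is unused; card moves use BITNAMI_BOT_TOKEN, whose scopes are the effective limit`.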


@@ -5,14 +5,15 @@ on:
types:
- created
- moved
permissions:
contents: read
issues: write
pull-requests: write
# Remove all permissions by default
permissions: {}
jobs:
get-issue:
runs-on: ubuntu-latest
name: Get issue info
permissions:
issues: read
pull-requests: read
outputs:
assignees: ${{ steps.get-issue-step.outputs.assignees }}
author: ${{ steps.get-issue-step.outputs.author }}
@@ -40,6 +41,10 @@ jobs:
echo "number=${number}" >> $GITHUB_OUTPUT
label-card:
runs-on: ubuntu-latest
permissions:
contents: read
issues: write
pull-requests: write
needs:
- get-issue
steps:
@@ -108,6 +113,8 @@ jobs:
remove-labels: in-progress, on-hold
assign-assignee-if-needed:
runs-on: ubuntu-latest
permissions:
contents: read
needs:
- get-issue
# The job shouldn't run for solved cards
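Review bot: `assign-assignee-if-needed` receives only `contents: read`, yet its name suggests it sets an assignee, which needs `issues: write` (or `pull-requests: write`) unless the step uses a bot token; the job's steps are outside the hunk, so confirm which it is and, if a PAT is used, say so in a comment as the neighbouring workflows do. Dropping `get-issue` to `issues: read` / `pull-requests: read` is the right direction. `label-card` gains `contents: read`, which the old workflow-level block also carried; if that job performs no checkout it can be removed.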


@@ -3,7 +3,8 @@ on:
schedule:
- cron: '0 7 * * *'
workflow_dispatch:
# Remove all permissions by default
permissions: {}
env:
BAC_SRP_ENDPOINT: https://apigw.vmware.com/v1/s1/api/helix-beta
BAC_SRP_CLIENT_ID: ${{ secrets.BAC_SRP_CLIENT_ID }}
@@ -12,6 +13,9 @@ env:
jobs:
report:
runs-on: ubuntu-latest
permissions:
actions: write
contents: read
steps:
- id: install-tool
name: Install and configure SRP Tool
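Review bot: `actions: write` on the `report` job is a strong grant — it lets the token, among other things, create workflow_dispatch events, cancel or re-run workflow runs and delete artifacts — and nothing in the hunk explains why a reporting job needs it. If the job only downloads artifacts or reads run metadata, `actions: read` is sufficient; if write is genuinely required, add a justifying comment such as `# actions: write — required to <reason>` so the next reviewer does not tighten it blindly. The steps that would show the use are outside the hunk.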


@@ -3,13 +3,15 @@ on:
workflow_dispatch:
schedule:
- cron: '0 1 * * *'
permissions:
issues: write
pull-requests: write
# Remove all permissions by default
permissions: {}
# This job won't trigger any additional event. All actions are performed with GITHUB_TOKEN
jobs:
stale:
runs-on: ubuntu-latest
permissions:
issues: write
pull-requests: write
steps:
# This step will add the stale comment and label for the first 15 days without activity. It won't close any task
- uses: actions/stale@v6.0.1
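Review bot: `issues: write` and `pull-requests: write` are now the job's only grants and they are handed to `actions/stale@v6.0.1`, a tag reference; tags are mutable, so the action's code can change underneath a workflow that is allowed to comment on and close every issue and PR. Pin to the full commit SHA with the tag kept as a trailing comment, `uses: actions/stale@<sha> # v6.0.1`, and let Dependabot move it. The same applies to the other tag-pinned actions touched by this commit (`actions/checkout@v3`, `EndBug/label-sync@v2`, `fmulero/labeler@1.1.0`).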


@@ -3,12 +3,13 @@ on:
schedule:
# Daily
- cron: '0 3 * * *'
permissions:
issues: write
# Remove all permissions by default
permissions: {}
jobs:
sync-labels:
runs-on: ubuntu-latest
permissions:
issues: write
steps:
- uses: EndBug/label-sync@v2
with:


@@ -3,9 +3,8 @@ on:
schedule:
# Daily
- cron: '0 5 * * *'
permissions:
# All write actions are executed with BITNAMI_BOT
contents: write
# Remove all permissions by default. Write actions are done by Bitnami Bot
permissions: {}
jobs:
sync-support-teams:
runs-on: ubuntu-latest


@@ -9,11 +9,8 @@ on:
types:
- reopened
- opened
permissions:
# Please note that projects cards are created/moved with Bitnami Bot (that's reason to use pull_request_target)
contents: read
issues: write
pull-requests: write
# Remove all permissions by default
permissions: {}
# Avoid concurrency over the same issue
concurrency:
group: card-movement-${{ github.event_name != 'issues' && github.event.number || github.event.issue.number }}
@@ -22,6 +19,9 @@ jobs:
send_to_board:
name: Organize triage
runs-on: ubuntu-latest
# Please note that projects cards are created/moved with Bitnami Bot
permissions:
contents: read
steps:
- name: Repo checkout
uses: actions/checkout@v3
@@ -49,15 +49,20 @@ jobs:
column-name: ${{ (contains(fromJson(env.BITNAMI_TEAM), steps.get-issue.outputs.author)) && 'From Bitnami' || 'Triage' }}
token: "${{ secrets.BITNAMI_BOT_TOKEN }}"
issue-number: ${{ steps.get-issue.outputs.number }}
# The project API is not efficient and requires several requests to create the project card. For that reason we decided to create
# a card for the automated PRs only when it is needed.
labeling:
name: Set labels for Automated PRs
runs-on: ubuntu-latest
permissions:
pull-requests: write
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'bitnami_bot' }}
# The project API is not efficient and requires several requests to create the project card. For that reason we decided to create
# a card for the automated PRs only when it is needed.
steps:
- name: From Bitnami labeling
if: ${{steps.get-issue.outputs.author == 'bitnami-bot' && steps.get-issue.outputs.type == 'pull_request'}}
uses: fmulero/labeler@1.1.0
with:
add-labels: 'automated, auto-merge'
- name: Verify labeling
if: ${{steps.get-issue.outputs.author == 'bitnami-bot' && steps.get-issue.outputs.type == 'pull_request'}}
uses: fmulero/labeler@1.1.0
with:
# Bitnami bot token is required to trigger CI workflows