test

Signed-off-by: ZePan110 <[email protected]>

Author: ZePan110

.github/workflows/_build_image.yml

@@ -2,7 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build Images
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_call:
     inputs:

.github/workflows/_example-workflow.yml

@@ -3,21 +3,21 @@
 
 name: Example jobs
 permissions:
-  contents: read
-  id-token: write
   actions: read
-  attestations: read
+  contents: read
   checks: read
   deployments: read
   discussions: read
   issues: read
-  models: read
   packages: read
   pages: read
   pull-requests: read
   repository-projects: read
   statuses: read
   security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_call:
     inputs:

.github/workflows/_get-image-list.yml

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Get Image List
-permissions: read-all
+permissions: 
+  contents: read
 on:
   workflow_call:
     inputs:

.github/workflows/manual-reset-local-registry.yml

@@ -3,7 +3,21 @@
 
 name: Clean up Local Registry on manual event
 permissions:
+  actions: read
   contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_dispatch:
     inputs:

.github/workflows/nightly-docker-build-publish.yml

@@ -3,14 +3,15 @@
 
 name: Nightly build/publish latest docker images
 permissions:
-  contents: read
+  security-events: read
+  
 on:
   schedule:
     - cron: "30 14 * * 1-5" # UTC time
   workflow_dispatch:
 
 env:
-  EXAMPLES: ${{ vars.NIGHTLY_RELEASE_EXAMPLES }}
+  EXAMPLES: "DBQnA" #${{ vars.NIGHTLY_RELEASE_EXAMPLES }}
   TAG: "latest"
   PUBLISH_TAGS: "latest"
 
@@ -34,12 +35,32 @@ jobs:
           echo "PUBLISH_TAGS=$PUBLISH_TAGS" >> $GITHUB_OUTPUT
 
   build-comps-base:
+    permissions:
+      attestations: read
+      models: read
+      security-events: read
     needs: [get-build-matrix]
     uses: ./.github/workflows/_build_comps_base_image.yml
     with:
       node: gaudi
 
   build-images:
+    permissions:
+      actions: read
+      contents: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      id-token: write
+      attestations: read
+      models: read
     needs: [get-build-matrix, build-comps-base]
     strategy:
       matrix:
@@ -54,6 +75,22 @@ jobs:
 
   test-example:
     needs: [get-build-matrix]
+    permissions:
+      actions: read
+      contents: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      id-token: write
+      attestations: read
+      models: read
     if: ${{ needs.get-build-matrix.outputs.examples_json != '' }}
     strategy:
       matrix:
@@ -70,6 +107,8 @@ jobs:
 
   get-image-list:
     needs: [get-build-matrix]
+    permissions:
+      contents: read
     uses: ./.github/workflows/_get-image-list.yml
     with:
       examples: ${{ needs.get-build-matrix.outputs.EXAMPLES }}

.github/workflows/push-image-build.yml

@@ -4,7 +4,21 @@
 name: Build latest images on push event
 
 permissions:
+  actions: read
   contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 
 on:
   push: