opea-project · chensuyue · May 29, 2025 · May 20, 2025 · May 20, 2025 · May 21, 2025
@@ -2,7 +2,12 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build Comps Base Image
-permissions: read-all
+
+permissions:
+  attestations: read
+  models: read
+  security-events: read
+
 on:
   workflow_call:
     inputs:

@@ -2,7 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build Images
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_call:
     inputs:

@@ -2,7 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Example jobs
-permissions: read-all
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_call:
     inputs:

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Get Image List
-permissions: read-all
+permissions:
+  contents: read
 on:
   workflow_call:
     inputs:

@@ -3,7 +3,8 @@
 
 # This workflow will only test GMC pipeline and will not install GMC any more
 name: Single GMC E2e Test For CD Workflow Call
-
+permissions:
+  contents: read
 on:
   workflow_call:
     inputs:

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build and deploy GMC system on call and manual
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Update Docker Hub Description
+permissions:
+  contents: read
 on:
   schedule:
     - cron: "0 0 * * 0"

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Clean up container on manual event
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:

@@ -2,6 +2,24 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Examples CD workflow on manual event
+
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
+
 on:
   workflow_dispatch:
     inputs:
@@ -51,7 +69,6 @@ on:
         required: false
         type: boolean
 
-permissions: read-all
 jobs:
   get-test-matrix:
     runs-on: ubuntu-latest

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Freeze OPEA images release tag
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:

@@ -2,6 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build specific images on manual event
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_dispatch:
     inputs:

@@ -2,6 +2,22 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Clean up Local Registry on manual event
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
 on:
   workflow_dispatch:
     inputs:

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Trellix Command Line Scanner
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
   schedule:

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Nightly build/publish latest docker images
+permissions:
+  security-events: read
 
 on:
   schedule:
@@ -33,12 +35,32 @@ jobs:
           echo "PUBLISH_TAGS=$PUBLISH_TAGS" >> $GITHUB_OUTPUT
 
   build-comps-base:
+    permissions:
+      attestations: read
+      models: read
+      security-events: read
     needs: [get-build-matrix]
     uses: ./.github/workflows/_build_comps_base_image.yml
     with:
       node: gaudi
 
   build-images:
+    permissions:
+      actions: read
+      contents: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      id-token: write
+      attestations: read
+      models: read
     needs: [get-build-matrix, build-comps-base]
     strategy:
       matrix:
@@ -53,6 +75,22 @@ jobs:
 
   test-example:
     needs: [get-build-matrix]
+    permissions:
+      actions: read
+      contents: read
+      checks: read
+      deployments: read
+      discussions: read
+      issues: read
+      packages: read
+      pages: read
+      pull-requests: read
+      repository-projects: read
+      statuses: read
+      security-events: read
+      id-token: write
+      attestations: read
+      models: read
     if: ${{ needs.get-build-matrix.outputs.examples_json != '' }}
     strategy:
       matrix:
@@ -69,6 +107,8 @@ jobs:
 
   get-image-list:
     needs: [get-build-matrix]
+    permissions:
+      contents: read
     uses: ./.github/workflows/_get-image-list.yml
     with:
       examples: ${{ needs.get-build-matrix.outputs.EXAMPLES }}

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: E2E Test with Helm Charts
-
+permissions:
+  contents: read
 on:
   pull_request_target:
     branches: [main]

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Check Duplicated Images
-
+permissions:
+  contents: read
 on:
   pull_request:
     branches: [main]

@@ -2,7 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Code Scan
-
+permissions:
+  contents: read
+  security-events: write
 on:
   pull_request:
     branches: [main]

@@ -3,6 +3,9 @@
 
 name: E2E test with docker compose
 
+permissions:
+  contents: read
+
 on:
   pull_request_target:
     branches: ["main", "*rc"]

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Compose file and dockerfile path checking
-
+permissions:
+  contents: read
 on:
   pull_request:
     branches: [main]

@@ -3,6 +3,9 @@
 
 name: Check hyperlinks and relative path validity
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [main]

@@ -3,6 +3,23 @@
 # Test
 name: Build latest images on push event
 
+permissions:
+  actions: read
+  contents: read
+  checks: read
+  deployments: read
+  discussions: read
+  issues: read
+  packages: read
+  pages: read
+  pull-requests: read
+  repository-projects: read
+  statuses: read
+  security-events: read
+  id-token: write
+  attestations: read
+  models: read
+
 on:
   push:
     branches: [ 'main' ]

@@ -3,10 +3,12 @@
 
 name: Check the validity of links in docker_images_list.
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
-    types: [opened, reopened, ready_for_review, synchronize]
 
 jobs:
   check-dockerfile-paths:

@@ -8,6 +8,10 @@ on:
       - "**/docker_compose/**/compose*.yaml"
 
 name: Create an issue to GenAIInfra on push
+
+permissions:
+  contents: read
+
 jobs:
   job1:
     name: Create issue