Skip to content

Fix security issues in workflows #1977

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 14 commits into from
May 29, 2025
Merged

Fix security issues in workflows #1977

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
d9e7264
Fix
ZePan110 May 20, 2025
51b9d3b
Update .github/workflows/pr-code-scan.yml
ZePan110 May 20, 2025
2f9959f
test
ZePan110 May 21, 2025
b980d6a
Fix issue
ZePan110 May 21, 2025
c8259d4
Revert "test"
ZePan110 May 21, 2025
52a6b22
test
ZePan110 May 21, 2025
4030a43
Fix
ZePan110 May 23, 2025
a5b074f
Fix
ZePan110 May 28, 2025
027e3c1
Fix
ZePan110 May 28, 2025
ab9e9fb
test
ZePan110 May 29, 2025
634a5ea
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] May 29, 2025
1383f86
Remove test code for manual-freeze-tag.yml
ZePan110 May 29, 2025
23cbe3e
Fix manual-example-workflow.yml
ZePan110 May 29, 2025
174ecde
Merge branch 'main' into Fix-sec
ZePan110 May 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .github/workflows/_gmc-e2e.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,8 @@

# This workflow will only test GMC pipeline and will not install GMC any more
name: Single GMC E2e Test For CD Workflow Call

permissions:
contents: read
on:
workflow_call:
inputs:
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/_gmc-workflow.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Build and deploy GMC system on call and manual

permissions:
contents: read
on:
workflow_dispatch:
inputs:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/dockerhub-description.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Update Docker Hub Description
permissions:
contents: read
on:
schedule:
- cron: "0 0 * * 0"
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/manual-docker-clean.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Clean up container on manual event
permissions:
contents: read
on:
workflow_dispatch:
inputs:
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/manual-freeze-tag.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Freeze OPEA images release tag

permissions:
contents: read
on:
workflow_dispatch:
inputs:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/manual-image-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Build specific images on manual event
permissions:
contents: read
on:
workflow_dispatch:
inputs:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/manual-reset-local-registry.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Clean up Local Registry on manual event
permissions:
contents: read
on:
workflow_dispatch:
inputs:
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/mix-trellix.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Trellix Command Line Scanner

permissions:
contents: read
on:
workflow_dispatch:
schedule:
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/nightly-docker-build-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Nightly build/publish latest docker images

permissions:
contents: read
on:
schedule:
- cron: "30 14 * * 1-5" # UTC time
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/pr-chart-e2e.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: E2E Test with Helm Charts

permissions:
contents: read
on:
pull_request_target:
branches: [main]
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/pr-check-duplicated-image.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Check Duplicated Images

permissions:
contents: read
on:
pull_request:
branches: [main]
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/pr-code-scan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Code Scan

permissions:
contents: read
on:
pull_request:
branches: [main]
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/pr-docker-compose-e2e.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@

name: E2E test with docker compose

permissions:
contents: read

on:
pull_request_target:
branches: ["main", "*rc"]
Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# SPDX-License-Identifier: Apache-2.0

name: Compose file and dockerfile path checking

permissions:
contents: read
on:
pull_request:
branches: [main]
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/pr-link-path-scan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@

name: Check hyperlinks and relative path validity

permissions:
contents: read

on:
pull_request:
branches: [main]
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/push-image-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@
# Test
name: Build latest images on push event

permissions:
contents: read

on:
push:
branches: [ 'main' ]
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/push-images-path-detection.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,12 @@

name: Check the validity of links in docker_images_list.

permissions:
contents: read

on:
push:
branches: [main]
types: [opened, reopened, ready_for_review, synchronize]

jobs:
check-dockerfile-paths:
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/push-infra-issue-creation.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ on:
- "**/docker_compose/**/compose*.yaml"

name: Create an issue to GenAIInfra on push

permissions:
contents: read

jobs:
job1:
name: Create issue
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/weekly-example-test.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@

name: Weekly test all examples on multiple HWs

permissions:
contents: read

on:
schedule:
- cron: "30 2 * * 6" # UTC time
Expand Down