update tokens

Signed-off-by: Jorge Turrado <[email protected]>
kedacore · Dec 15, 2024 · d8aaaf7 · d8aaaf7
1 parent a315f5e
commit d8aaaf7
Show file tree

Hide file tree

Showing 10 changed files with 37 additions and 0 deletions.
diff --git a/.github/workflows/auto-add-issues-to-project.yml b/.github/workflows/auto-add-issues-to-project.yml
@@ -3,6 +3,10 @@ on:
   issues:
     types:
       - opened
+
+permissions: 
+  contents: read
+
 jobs:
   track_issue:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -6,6 +6,9 @@ on:
   pull_request:
     branches: [main]
 
+permissions: 
+  contents: read
+
 env:
   fossa-key: 9e722f2c8904586d61f97f0bf05a99e4 # This is a public key only for pushing, it's safe here
 

diff --git a/.github/workflows/main-build.yml b/.github/workflows/main-build.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches:
       - main
+permissions: 
+  contents: read
+
 jobs:
   build:
     name: build

diff --git a/.github/workflows/nightly-e2e.yml b/.github/workflows/nightly-e2e.yml
@@ -3,6 +3,9 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions: 
+  contents: read
+
 jobs:
   validate:
     uses: kedacore/keda/.github/workflows/template-main-e2e-test.yml@main

diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
@@ -75,6 +75,9 @@ jobs:
         if: always()
 
   validate-dockerfiles:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     name: validate-dockerfiles - ${{ matrix.name }}
     runs-on: ${{ matrix.runner }}
     container: ghcr.io/kedacore/keda-tools:1.23.3
@@ -106,6 +109,9 @@ jobs:
         run: make docker-build
 
   validate-dev-container:
+    permissions:
+      contents: read  # for dorny/paths-filter to fetch a list of changed files
+      pull-requests: read  # for dorny/paths-filter to read pull requests
     name: Validate dev-container - ${{ matrix.name }}
     runs-on: ${{ matrix.runner }}
     container: ghcr.io/kedacore/keda-tools:1.23.3

diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -3,6 +3,10 @@ on:
   push:
     tags:
       - "v*"
+
+permissions:  
+  contents: read
+
 jobs:
   build:
     name: Push Release

diff --git a/.github/workflows/static-analysis-codeql.yml b/.github/workflows/static-analysis-codeql.yml
@@ -5,6 +5,9 @@ on:
     branches: ["main"]
   pull_request: {}
 
+permissions:  # added using https://github.com/step-security/secure-repo
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true

diff --git a/.github/workflows/template-smoke-tests.yml b/.github/workflows/template-smoke-tests.yml
@@ -12,6 +12,10 @@ on:
       kindImage:
         required: true
         type: string
+
+permissions:  
+  contents: read
+
 jobs:
   smoke-tests:
     name: Validate k8s-${{ inputs.kubernetesVersion }}

diff --git a/.github/workflows/template-trivy-scan.yml b/.github/workflows/template-trivy-scan.yml
@@ -31,6 +31,9 @@ on:
         required: true
         type: boolean
 
+permissions:  
+  contents: read
+
 jobs:
   trivy-scan:
     name: Trivy - ${{ inputs.runs-on }} - ${{ inputs.scan-type }} ${{ inputs.image-ref }}

diff --git a/.github/workflows/v1-build.yml b/.github/workflows/v1-build.yml
@@ -3,6 +3,10 @@ on:
   push:
     branches:
       - v1
+
+permissions:  
+  contents: read
+
 jobs:
   validate:
     name: Validate
-Original file line number
+Diff line change
@@ Expand Up / @@ -3,6 +3,10 @@ on: @@
       push:
         tags:
           - "v*"
+    permissions:
+      contents: read
     jobs:
       build:
         name: Push Release
@@ Expand Down @@