workflows: Add permissions. (#305)
Add permissions to the workflows across mu_devops. This includes the
workflows sync'd across repositories, and workflows used in mu_devops
itself.
With MU_BASECORE's Settings -> Code and automation -> Actions -> General
-> Workflow permissions set to "Read repository contents and packages
permissions" selected, I had no failures, with the following tested:

.github/workflows
- **AutoMerger.yml - Untested**
- FileSyncer.yml - Tested
- IssueAssignment.yml - Tested
- IssueTriager.yml - Tested
- LabelSyncer.yml - Tested
- Labeler.yml - Tested
- ReleaseDrafter.yml - Tested

.sync/workflows/leaf
- **auto-approve.yml - Untested**
- **auto-merge.yml - Untested**
- issue-assignment.yml - Tested through IssueAssignment.yml
- label-issues.yml - Tested through Labeler.yml
- label-sync.yml - Tested through LabelSyncer.yml
- pull-request-formatting-validator.yml - Tested Directly
- release-draft.yml - Tested through ReleaseDrafter.yml
- scheduled-maintenance.yml - Tested Directly
- stale.yml - Tested Directly
- **submodule-release-update.yml - Untested**
- triage-issues.yml - Tested
Javagedes authored Jan 31, 2024
1 parent 8975212 commit c5b1c90
Showing 19 changed files with 82 additions and 1 deletion.
5 changes: 5 additions & 0 deletions .github/workflows/AutoMerger.yml
Expand Up @@ -17,6 +17,11 @@ jobs:
name: Merge
runs-on: ubuntu-latest

permissions:
contents: read
pull-requests: write
issues: write

# The action cannot take multiple authors right now, so call with each author
# separately.
strategy:
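Review bot: `contents: read` looks too narrow for a job whose purpose is to merge pull requests, and the commit message lists AutoMerger.yml as untested; a merge writes to the base branch, so confirm against the merge action's documentation whether this block needs `contents: write` before the release tag is cut. In the same pass, drop `issues: write` unless a step actually comments on or labels issues, and add a YAML comment above the block naming which step needs each scope.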
5 changes: 5 additions & 0 deletions .github/workflows/FileSyncer.yml
Expand Up @@ -21,6 +21,11 @@ jobs:
name: Repo File Sync
runs-on: ubuntu-latest

permissions:
contents: write
pull-requests: write
actions: write

steps:
- name: Checkout Repository
uses: actions/checkout@v4
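Review bot: `actions: write` is the broadest grant in this commit and nothing in the visible context justifies it; the Checkout step needs only `contents: read`, and creating the sync pull request is covered by `contents: write` plus `pull-requests: write`. Either add a comment stating which step requires `actions: write` (for example, triggering or cancelling workflow runs) or remove it.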
5 changes: 5 additions & 0 deletions .github/workflows/IssueAssignment.yml
Expand Up @@ -15,6 +15,11 @@ jobs:
adjust-labels:
name: Adjust Issue Labels
runs-on: ubuntu-latest

permissions:
contents: read
issues: write

steps:
- uses: actions/checkout@v4

3 changes: 3 additions & 0 deletions .github/workflows/IssueTriager.yml
Expand Up @@ -24,6 +24,9 @@ jobs:
strategy:
matrix:
template: [ bug_report.yml, documentation_request.yml, feature_request.yml ]

permissions:
issues: write

steps:
- uses: actions/checkout@v4
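Review bot: this block grants only `issues: write`, yet the job runs `actions/checkout@v4`. A job-level `permissions` block sets every unlisted scope to `none`, so the checkout now runs without `contents: read`; the commit message reports the tested run passing, but that only holds while the repository is readable without the token. Add `contents: read` here, as IssueAssignment.yml does, and mirror it in the leaf caller triage-issues.yml.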
3 changes: 3 additions & 0 deletions .github/workflows/LabelSyncer.yml
Expand Up @@ -25,6 +25,9 @@ jobs:
name: Sync
runs-on: ubuntu-latest

permissions:
issues: write

steps:
- name: Sync Labels
uses: EndBug/label-sync@v2
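Review bot: the scope set is minimal for label sync, but the third-party action on the line after the block is pinned to the floating tag `EndBug/label-sync@v2`; now that `issues: write` is explicitly handed to it, pin to a full commit SHA (keeping the tag in a trailing comment) so that a tag move upstream cannot change what runs with that token.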
4 changes: 4 additions & 0 deletions .github/workflows/Labeler.yml
Expand Up @@ -32,6 +32,10 @@ jobs:
name: Label Based on Messages
runs-on: ubuntu-latest

permissions:
contents: read
pull-requests: write

steps:
- name: Apply Labels Based on PR File Paths
uses: actions/[email protected]
4 changes: 4 additions & 0 deletions .github/workflows/ReleaseDrafter.yml
Expand Up @@ -46,6 +46,10 @@ jobs:
name: Update Release Draft
runs-on: ubuntu-latest

permissions:
contents: write
pull-requests: write

steps:
- name: Download Version Information
id: download_ver_info
2 changes: 1 addition & 1 deletion .sync/Version.njk
Expand Up @@ -30,7 +30,7 @@
#}

{# The git ref value that files dependent on this repo will use. #}
{% set mu_devops = "v9.0.1" %}
{% set mu_devops = "v9.1.1" %}

{# The latest Project Mu release branch value. #}
{% set latest_mu_release_branch = "release/202302" %}
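Review bot: the bump from `v9.0.1` to `v9.1.1` is what makes every leaf repository start calling the reusable workflows with the new job-level permissions, so the `v9.1.1` tag must include this commit. A called workflow can only receive the same or narrower permissions than its caller grants, so a leaf synced to one version calling a callee from another version with different scopes will fail at call time; add a comment here noting that callers and callees are bumped together.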
4 changes: 4 additions & 0 deletions .sync/workflows/leaf/auto-approve.yml
Expand Up @@ -25,6 +25,10 @@ on:

jobs:
approval_check:

permissions:
pull-requests: write

if: |
github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'uefibot'
uses: microsoft/mu_devops/.github/workflows/AutoApprover.yml@{{ sync_version.mu_devops }}
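Review bot: marked untested in the commit message. `pull-requests: write` is the scope an approval review needs, but since a called workflow may only receive the same or narrower permissions than its caller grants, this single scope must cover everything AutoApprover.yml's own `permissions` block asks for; that callee is not in this diff, so check it before tagging v9.1.1.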
6 changes: 6 additions & 0 deletions .sync/workflows/leaf/auto-merge.yml
Expand Up @@ -26,6 +26,12 @@ on:

jobs:
merge_check:

permissions:
contents: read
pull-requests: write
issues: write

if: |
github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'uefibot'
uses: microsoft/mu_devops/.github/workflows/AutoMerger.yml@{{ sync_version.mu_devops }}
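Review bot: untested per the commit message, and the scopes mirror AutoMerger.yml, so the same question carries over: a merge writes to the base branch and `contents: read` may not suffice. Verify with a real run in a leaf repository before cutting the release tag, and remove `issues: write` here and in the callee if nothing in AutoMerger.yml touches issues.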
5 changes: 5 additions & 0 deletions .sync/workflows/leaf/issue-assignment.yml
Expand Up @@ -20,4 +20,9 @@ on:

jobs:
apply:

permissions:
contents: read
issues: write

uses: microsoft/mu_devops/.github/workflows/IssueAssignment.yml@{{ sync_version.mu_devops }}
5 changes: 5 additions & 0 deletions .sync/workflows/leaf/label-issues.yml
Expand Up @@ -33,4 +33,9 @@ on:

jobs:
apply:

permissions:
contents: read
pull-requests: write

uses: microsoft/mu_devops/.github/workflows/Labeler.yml@{{ sync_version.mu_devops }}
4 changes: 4 additions & 0 deletions .sync/workflows/leaf/label-sync.yml
Expand Up @@ -26,4 +26,8 @@ on:

jobs:
sync:

permissions:
issues: write

uses: microsoft/mu_devops/.github/workflows/LabelSyncer.yml@{{ sync_version.mu_devops }}
5 changes: 5 additions & 0 deletions .sync/workflows/leaf/pull-request-formatting-validator.yml
Expand Up @@ -23,6 +23,11 @@ on:
jobs:
validate_pr:
runs-on: ubuntu-latest

permissions:
contents: read
pull-requests: write

steps:
- run: |
prTitle="$(gh api graphql -F owner=$OWNER -F name=$REPO -F pr_number=$PR_NUMBER -f query='
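Review bot: the only visible step reads the PR title through `gh api graphql`, which needs `pull-requests: read`; keep `write` only if a later step comments on or labels the pull request, and say which step in a comment above the block. While here, `$OWNER`, `$REPO` and `$PR_NUMBER` are passed unquoted to `-F`; quoting them costs nothing and keeps the command intact if any of them ever carries unexpected characters.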
5 changes: 5 additions & 0 deletions .sync/workflows/leaf/release-draft.yml
Expand Up @@ -29,5 +29,10 @@ on:

jobs:
draft:

permissions:
contents: write
pull-requests: write

uses: microsoft/mu_devops/.github/workflows/ReleaseDrafter.yml@{{ sync_version.mu_devops }}
secrets: inherit
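Review bot: `secrets: inherit` hands every repository and organization secret to the called workflow, and this job also carries `contents: write`; unless ReleaseDrafter.yml needs something beyond `GITHUB_TOKEN`, pass the specific secrets by name instead, so a mistaken or compromised release step cannot read unrelated secrets.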
5 changes: 5 additions & 0 deletions .sync/workflows/leaf/scheduled-maintenance.yml
Expand Up @@ -24,6 +24,11 @@ on:
jobs:
repo_cleanup:
runs-on: ubuntu-latest

permissions:
pull-requests: write
issues: write

steps:
- name: Get Repository Info
run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}" >> $GITHUB_ENV
5 changes: 5 additions & 0 deletions .sync/workflows/leaf/stale.yml
Expand Up @@ -26,4 +26,9 @@ on:

jobs:
check:

permissions:
issues: write
pull-requests: write

uses: microsoft/mu_devops/.github/workflows/Stale.yml@{{ sync_version.mu_devops }}
4 changes: 4 additions & 0 deletions .sync/workflows/leaf/submodule-release-update.yml
Expand Up @@ -25,6 +25,10 @@ jobs:
name: Check for Submodule Releases
runs-on: ubuntu-latest

permissions:
contents: write
pull-requests: write

steps:
- name: Update Submodules to Latest Release
uses: microsoft/mu_devops/.github/actions/submodule-release-updater@{{ sync_version.mu_devops }}
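Review bot: untested per the commit message. Pushing the update branch needs `contents: write` and opening the PR needs `pull-requests: write`, so the set is plausible, but the composite action is resolved through `{{ sync_version.mu_devops }}` and only runs under these scopes once leaf repositories sync to v9.1.1; run it once in a leaf repository before relying on it.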
4 changes: 4 additions & 0 deletions .sync/workflows/leaf/triage-issues.yml
Expand Up @@ -21,4 +21,8 @@ on:

jobs:
triage:

permissions:
issues: write

uses: microsoft/mu_devops/.github/workflows/IssueTriager.yml@{{ sync_version.mu_devops }}
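Review bot: this caller grants only `issues: write`, matching IssueTriager.yml, which checks out the repository without `contents: read`. Because a called workflow cannot receive more than its caller grants, any `contents: read` added to IssueTriager.yml for the checkout step has to be added here as well, or the callee fix will be rejected at call time in every leaf repository.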

0 comments on commit c5b1c90