From 2da3c04143dd489298e63e2f3eabea58a903d964 Mon Sep 17 00:00:00 2001
From: Maxime David
Date: Wed, 28 May 2025 12:41:06 +0100
Subject: [PATCH] fix: token permissions
---
 .github/workflows/publish-layer-collector.yml | 3 +++
 .github/workflows/release-layer-collector.yml | 6 +++++-
 .github/workflows/release-layer-java.yml | 6 +++++-
 .github/workflows/release-layer-nodejs.yml | 6 +++++-
 .github/workflows/release-layer-python.yml | 6 +++++-
 .github/workflows/release-layer-ruby.yml | 6 +++++-
 6 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish-layer-collector.yml b/.github/workflows/publish-layer-collector.yml
index 2b18d310a4..493e5051e2 100644
--- a/.github/workflows/publish-layer-collector.yml
+++ b/.github/workflows/publish-layer-collector.yml
@@ -48,6 +48,9 @@ on:
 required: false
 type: string
+permissions:
+ contents: read
+
 jobs:
 prepare-build-jobs:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release-layer-collector.yml b/.github/workflows/release-layer-collector.yml
index 32e64b6761..014a8a41bf 100644
--- a/.github/workflows/release-layer-collector.yml
+++ b/.github/workflows/release-layer-collector.yml
@@ -8,10 +8,12 @@ on:
 permissions:
 id-token: write
- contents: write
+ contents: read
 jobs:
 create-release:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -20,6 +22,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 build-layer:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 needs: create-release
 strategy:
diff --git a/.github/workflows/release-layer-java.yml b/.github/workflows/release-layer-java.yml
index f6665642b1..4670ed24aa 100644
--- a/.github/workflows/release-layer-java.yml
+++ b/.github/workflows/release-layer-java.yml
@@ -8,10 +8,12 @@ on:
 permissions:
 id-token: write
- contents: write
+ contents: read
 jobs:
 create-release:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
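Review bot: The new top-level block in `.github/workflows/publish-layer-collector.yml` lists only `contents: read`, so every unlisted scope, `id-token` included, becomes `none` for all jobs in this workflow, and a reusable workflow called from here cannot receive more than its caller holds. The release workflows in this patch keep `id-token: write`, which suggests an OIDC token is requested somewhere in the publish path; if that happens in a job of this file or in a workflow it calls, that job needs its own `permissions:` block with `id-token: write` and `contents: read`. Only `prepare-build-jobs` is visible in the hunk, so this has to be checked against the remaining jobs. A comment above the block, e.g. `# read-only default; jobs that need more declare it themselves`, would record the intent.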
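Review bot: `id-token: write` is still granted at workflow level in `release-layer-collector.yml` (hunk `@@ -8,10 +8,12 @@`), so any job without its own `permissions:` block can still request an OIDC token; only `contents` was narrowed. A job-level block replaces the workflow default instead of merging with it, so `create-release` now runs with `contents: write` and no `id-token`, which looks intended but deserves a comment such as `# replaces the workflow default: no id-token in this job`. Consider moving `id-token: write` onto the one job that requests the OIDC token and leaving the workflow default at `contents: read`. The same holds for the matching hunks in `release-layer-java.yml`, `release-layer-nodejs.yml`, `release-layer-python.yml` and `release-layer-ruby.yml`; the steps of `create-release` continue outside the hunk.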
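Review bot: `build-layer` in `release-layer-collector.yml` (hunk `@@ -20,6 +22,8 @@`) receives `contents: write`, so the build steps and whatever they download run with a token that can modify repository contents and releases. If write access is needed only to attach the built layer to the release, keeping the build at `contents: read` and doing the upload in a separate job that alone holds `contents: write` narrows that exposure. If the grant stays, name the reason next to it, e.g. `# contents: write: uploads the layer to the release`. The job's steps are outside the hunk, so the step that needs write cannot be confirmed from here, and the same grant is added to `build-layer` in the java, nodejs, python and ruby release workflows.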
@@ -20,6 +22,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 build-layer:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 needs: create-release
 outputs:
diff --git a/.github/workflows/release-layer-nodejs.yml b/.github/workflows/release-layer-nodejs.yml
index 3df13dfa72..45c5e91f60 100644
--- a/.github/workflows/release-layer-nodejs.yml
+++ b/.github/workflows/release-layer-nodejs.yml
@@ -8,10 +8,12 @@ on:
 permissions:
 id-token: write
- contents: write
+ contents: read
 jobs:
 create-release:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -20,6 +22,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 build-layer:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 needs: create-release
 outputs:
diff --git a/.github/workflows/release-layer-python.yml b/.github/workflows/release-layer-python.yml
index 00d939adc3..af036fb0c0 100644
--- a/.github/workflows/release-layer-python.yml
+++ b/.github/workflows/release-layer-python.yml
@@ -8,10 +8,12 @@ on:
 permissions:
 id-token: write
- contents: write
+ contents: read
 jobs:
 create-release:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -20,6 +22,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 build-layer:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 needs: create-release
 outputs:
diff --git a/.github/workflows/release-layer-ruby.yml b/.github/workflows/release-layer-ruby.yml
index 378bd22236..cbfc130e75 100644
--- a/.github/workflows/release-layer-ruby.yml
+++ b/.github/workflows/release-layer-ruby.yml
@@ -8,10 +8,12 @@ on:
 permissions:
 id-token: write
- contents: write
+ contents: read
 jobs:
 create-release:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -20,6 +22,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 build-layer:
+ permissions:
+ contents: write
 runs-on: ubuntu-latest
 needs: create-release
 outputs: