Fix

Signed-off-by: ZePan110 <ze.pan@intel.com>
2025-05-20 15:17:17 +08:00
parent 26cb531766
commit d9e7264a81
19 changed files with 45 additions and 10 deletions
--- a/.github/workflows/_gmc-e2e.yml
+++ b/.github/workflows/_gmc-e2e.yml
@@ -3,7 +3,8 @@

 # This workflow will only test GMC pipeline and will not install GMC any more
 name: Single GMC E2e Test For CD Workflow Call
-
+permissions:
+  contents: read
 on:
  workflow_call:
    inputs:
--- a/.github/workflows/_gmc-workflow.yml
+++ b/.github/workflows/_gmc-workflow.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Build and deploy GMC system on call and manual
-
+permissions:
+  contents: read
 on:
  workflow_dispatch:
    inputs:
--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Update Docker Hub Description
+permissions:
+  contents: read
 on:
  schedule:
    - cron: "0 0 * * 0"
--- a/.github/workflows/manual-docker-clean.yml
+++ b/.github/workflows/manual-docker-clean.yml
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Clean up container on manual event
+permissions:
+  contents: read
 on:
  workflow_dispatch:
    inputs:
--- a/.github/workflows/manual-freeze-tag.yml
+++ b/.github/workflows/manual-freeze-tag.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Freeze OPEA images release tag
-
+permissions:
+  contents: read
 on:
  workflow_dispatch:
    inputs:
--- a/.github/workflows/manual-image-build.yml
+++ b/.github/workflows/manual-image-build.yml
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Build specific images on manual event
+permissions:
+  contents: read
 on:
  workflow_dispatch:
    inputs:
--- a/.github/workflows/manual-reset-local-registry.yml
+++ b/.github/workflows/manual-reset-local-registry.yml
@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Clean up Local Registry on manual event
+permissions:
+  contents: read
 on:
  workflow_dispatch:
    inputs:
--- a/.github/workflows/mix-trellix.yml
+++ b/.github/workflows/mix-trellix.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Trellix Command Line Scanner
-
+permissions:
+  contents: read
 on:
  workflow_dispatch:
  schedule:
--- a/.github/workflows/nightly-docker-build-publish.yml
+++ b/.github/workflows/nightly-docker-build-publish.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Nightly build/publish latest docker images
-
+permissions:
+  contents: read
 on:
  schedule:
    - cron: "30 14 * * 1-5" # UTC time
--- a/.github/workflows/pr-chart-e2e.yml
+++ b/.github/workflows/pr-chart-e2e.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: E2E Test with Helm Charts
-
+permissions:
+  contents: read
 on:
  pull_request_target:
    branches: [main]
--- a/.github/workflows/pr-check-duplicated-image.yml
+++ b/.github/workflows/pr-check-duplicated-image.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Check Duplicated Images
-
+permissions:
+  contents: read
 on:
  pull_request:
    branches: [main]
--- a/.github/workflows/pr-code-scan.yml
+++ b/.github/workflows/pr-code-scan.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Code Scan
-
+permissions:
+  contents: read
 on:
  pull_request:
    branches: [main]
--- a/.github/workflows/pr-docker-compose-e2e.yml
+++ b/.github/workflows/pr-docker-compose-e2e.yml
@@ -3,6 +3,9 @@

 name: E2E test with docker compose

+permissions:
+  contents: read
+
 on:
  pull_request_target:
    branches: ["main", "*rc"]
--- a/.github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml
+++ b/.github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml
@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0

 name: Compose file and dockerfile path checking
-
+permissions:
+  contents: read
 on:
  pull_request:
    branches: [main]
--- a/.github/workflows/pr-link-path-scan.yml
+++ b/.github/workflows/pr-link-path-scan.yml
@@ -3,6 +3,9 @@

 name: Check hyperlinks and relative path validity

+permissions:
+  contents: read
+
 on:
  pull_request:
    branches: [main]
--- a/.github/workflows/push-image-build.yml
+++ b/.github/workflows/push-image-build.yml
@@ -3,6 +3,9 @@
 # Test
 name: Build latest images on push event

+permissions:
+  contents: read
+
 on:
  push:
    branches: [ 'main' ]
--- a/.github/workflows/push-images-path-detection.yml
+++ b/.github/workflows/push-images-path-detection.yml
@@ -3,10 +3,12 @@

 name: Check the validity of links in docker_images_list.

+permissions:
+  contents: read
+
 on:
  push:
    branches: [main]
-    types: [opened, reopened, ready_for_review, synchronize]

 jobs:
  check-dockerfile-paths:
--- a/.github/workflows/push-infra-issue-creation.yml
+++ b/.github/workflows/push-infra-issue-creation.yml
@@ -8,6 +8,10 @@ on:
      - "**/docker_compose/**/compose*.yaml"

 name: Create an issue to GenAIInfra on push
+
+permissions:
+  contents: read
+
 jobs:
  job1:
    name: Create issue
--- a/.github/workflows/weekly-example-test.yml
+++ b/.github/workflows/weekly-example-test.yml
@@ -3,6 +3,9 @@

 name: Weekly test all examples on multiple HWs

+permissions:
+  contents: read
+
 on:
  schedule:
    - cron: "30 2 * * 6" # UTC time