test

Signed-off-by: ZePan110 <ze.pan@intel.com>

.github/workflows/_gmc-e2e.yml

@@ -3,7 +3,8 @@
 
 # This workflow will only test GMC pipeline and will not install GMC any more
 name: Single GMC E2e Test For CD Workflow Call
-
+permissions:
+  contents: read
 on:
   workflow_call:
     inputs:

.github/workflows/_gmc-workflow.yml

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build and deploy GMC system on call and manual
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:

.github/workflows/dockerhub-description.yml

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Update Docker Hub Description
+permissions:
+  contents: read
 on:
   schedule:
     - cron: "0 0 * * 0"

.github/workflows/manual-docker-clean.yml

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Clean up container on manual event
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:

.github/workflows/manual-freeze-tag.yml

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Freeze OPEA images release tag
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:

.github/workflows/manual-image-build.yml

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Build specific images on manual event
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:

.github/workflows/manual-reset-local-registry.yml

@@ -2,6 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Clean up Local Registry on manual event
+permissions:
+  contents: read
 on:
   workflow_dispatch:
     inputs:

.github/workflows/mix-trellix.yml

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Trellix Command Line Scanner
-
+permissions:
+  contents: read
 on:
   workflow_dispatch:
   schedule:

.github/workflows/nightly-docker-build-publish.yml

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Nightly build/publish latest docker images
-
+permissions:
+  contents: read
 on:
   schedule:
     - cron: "30 14 * * 1-5" # UTC time

.github/workflows/pr-chart-e2e.yml

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: E2E Test with Helm Charts
-
+permissions:
+  contents: read
 on:
   pull_request_target:
     branches: [main]

.github/workflows/pr-check-duplicated-image.yml

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Check Duplicated Images
-
+permissions:
+  contents: read
 on:
   pull_request:
     branches: [main]

.github/workflows/pr-code-scan.yml

@@ -2,7 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Code Scan
-
+permissions:
+  contents: read
+  security-events: write
 on:
   pull_request:
     branches: [main]

.github/workflows/pr-docker-compose-e2e.yml

@@ -3,6 +3,9 @@
 
 name: E2E test with docker compose
 
+permissions:
+  contents: read
+
 on:
   pull_request_target:
     branches: ["main", "*rc"]

.github/workflows/pr-dockerfile-path-and-build-yaml-scan.yml

@@ -2,7 +2,8 @@
 # SPDX-License-Identifier: Apache-2.0
 
 name: Compose file and dockerfile path checking
-
+permissions:
+  contents: read
 on:
   pull_request:
     branches: [main]

.github/workflows/pr-link-path-scan.yml

@@ -3,6 +3,9 @@
 
 name: Check hyperlinks and relative path validity
 
+permissions:
+  contents: read
+
 on:
   pull_request:
     branches: [main]

.github/workflows/push-image-build.yml

@@ -3,6 +3,9 @@
 # Test
 name: Build latest images on push event
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [ 'main' ]

.github/workflows/push-images-path-detection.yml

@@ -3,10 +3,12 @@
 
 name: Check the validity of links in docker_images_list.
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
-    types: [opened, reopened, ready_for_review, synchronize]
 
 jobs:
   check-dockerfile-paths:

.github/workflows/push-infra-issue-creation.yml

@@ -8,6 +8,10 @@ on:
       - "**/docker_compose/**/compose*.yaml"
 
 name: Create an issue to GenAIInfra on push
+
+permissions:
+  contents: read
+
 jobs:
   job1:
     name: Create issue

.github/workflows/weekly-example-test.yml

@@ -3,13 +3,15 @@
 
 name: Weekly test all examples on multiple HWs
 
+permissions: read-all
+
 on:
   schedule:
     - cron: "30 2 * * 6" # UTC time
   workflow_dispatch:
 
 env:
-  EXAMPLES: ${{ vars.NIGHTLY_RELEASE_EXAMPLES }}
+  EXAMPLES: "CodeTrans"  #${{ vars.NIGHTLY_RELEASE_EXAMPLES }}
   NODES: "gaudi,xeon,rocm,arc"
 
 jobs: