From 2eabe6167416290ce5692b5a244d2ce33030b456 Mon Sep 17 00:00:00 2001
From: Christian Lechner <22294087+lechnerc77@users.noreply.github.com.>
Date: Fri, 15 May 2026 12:36:28 +0200
Subject: [PATCH] chire: fix workflow permission
---
.../build-and-publish-api-mssql-go.yml | 8 ++-
...uild-and-publish-custom-component-dapr.yml | 10 ++--
.../build-and-publish-database-mssql.yml | 6 ++-
.../build-and-publish-frontend-ui5-mssql.yml | 8 ++-
.../build-and-publish-onprem-mock.yml | 10 ++--
.github/workflows/build-and-publish-sapcc.yml | 6 ++-
.../build-docker-custom-component-dapr.yml | 24 +++++----
.../workflows/build-docker-hana-nodejs.yml | 22 ++++----
.../workflows/build-docker-orders-service.yml | 9 +++-
...ker-sample-extension-dotnet-minimalapi.yml | 53 ++++++++++---------
.../workflows/deploy-onpremmock-to-kyma.yml | 6 ++-
.../deploy-order-microservice-to-kyma.yml | 13 +++--
.github/workflows/deploy-sapcc-to-kyma.yml | 7 ++-
.github/workflows/links-watcher.yml | 12 +----
14 files changed, 114 insertions(+), 80 deletions(-)
diff --git a/.github/workflows/build-and-publish-api-mssql-go.yml b/.github/workflows/build-and-publish-api-mssql-go.yml
index 89beec56e..bbc08db05 100644
--- a/.github/workflows/build-and-publish-api-mssql-go.yml
+++ b/.github/workflows/build-and-publish-api-mssql-go.yml
@@ -7,6 +7,10 @@ env: IMAGE_NAME: api-mssql-go LABEL: 1.0.0 +permissions: + contents: read + packages: write + jobs: build_and_push: runs-on: ubuntu-latest
@@ -29,7 +33,7 @@ jobs: - name: Build and push Docker image uses: docker/build-push-action@v3.1.0 with: - context: "{{defaultContext}}:dsagtt22/ordermicroservice/api-mssql-go" + context: "{{defaultContext}}:dsagtt22/ordermicroservice/api-mssql-go" push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + labels: ${{ steps.meta.outputs.labels }}
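Review bot: The new `permissions:` block in build-and-publish-api-mssql-go.yml (hunk `@@ -7,6 +7,10 @@`) sits at workflow level, so `packages: write` is handed to every job and every step, including the third-party `docker/build-push-action@v3.1.0` step in the second hunk, although only the registry login and push need that scope. With a single `build_and_push` job the effect is the same today, but nesting the block under the job — `build_and_push:` followed by `permissions:` with the same `contents: read` and `packages: write` entries — keeps the write-scoped token out of any job added later. The same workflow-level placement appears in build-and-publish-custom-component-dapr.yml, build-and-publish-database-mssql.yml, build-and-publish-frontend-ui5-mssql.yml, build-and-publish-onprem-mock.yml, build-and-publish-sapcc.yml and build-docker-orders-service.yml. Whether the `docker/login-action@v2` step actually authenticates with `GITHUB_TOKEN` is outside these hunks; if it uses a stored PAT instead, `packages: write` is not needed at all.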
diff --git a/.github/workflows/build-and-publish-custom-component-dapr.yml b/.github/workflows/build-and-publish-custom-component-dapr.yml
index 15b82272c..6e2f543da 100644
--- a/.github/workflows/build-and-publish-custom-component-dapr.yml
+++ b/.github/workflows/build-and-publish-custom-component-dapr.yml
@@ -10,6 +10,10 @@ env: IMAGE_NAME: daprwishlistapp LABEL: 1.0.0 +permissions: + contents: read + packages: write + jobs: build_and_push: runs-on: ubuntu-latest
@@ -23,13 +27,13 @@ jobs: uses: actions/setup-node@v3 with: node-version: 16 - - name: 'Install dependencies and Build' + - name: "Install dependencies and Build" shell: bash run: | pushd './custom-component-dapr' npm ci npm run build - popd + popd - name: Log in to the Container registry (GH Packages) uses: docker/login-action@v2 with:
@@ -49,4 +53,4 @@ jobs: context: ./${{ env.SUBDIRECTORY }} push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/build-and-publish-database-mssql.yml b/.github/workflows/build-and-publish-database-mssql.yml
index 1c7063a67..bae43799c 100644
--- a/.github/workflows/build-and-publish-database-mssql.yml
+++ b/.github/workflows/build-and-publish-database-mssql.yml
@@ -7,6 +7,10 @@ env: IMAGE_NAME: mssql LABEL: 1.0.0 +permissions: + contents: read + packages: write + jobs: build_and_push: runs-on: ubuntu-latest
@@ -32,4 +36,4 @@ jobs: context: "{{defaultContext}}:dsagtt22/ordermicroservice/database-mssql" push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/build-and-publish-frontend-ui5-mssql.yml b/.github/workflows/build-and-publish-frontend-ui5-mssql.yml
index 95239f6de..7e02f56fa 100644
--- a/.github/workflows/build-and-publish-frontend-ui5-mssql.yml
+++ b/.github/workflows/build-and-publish-frontend-ui5-mssql.yml
@@ -7,6 +7,10 @@ env: IMAGE_NAME: frontend-ui5-mssql LABEL: 1.0.0 +permissions: + contents: read + packages: write + jobs: build_and_push: runs-on: ubuntu-latest
@@ -29,7 +33,7 @@ jobs: - name: Build and push Docker image uses: docker/build-push-action@v3.1.0 with: - context: "{{defaultContext}}:dsagtt22/ordermicroservice/frontend-ui5-mssql" + context: "{{defaultContext}}:dsagtt22/ordermicroservice/frontend-ui5-mssql" push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/build-and-publish-onprem-mock.yml b/.github/workflows/build-and-publish-onprem-mock.yml
index 1c855a6d5..a6f240d45 100644
--- a/.github/workflows/build-and-publish-onprem-mock.yml
+++ b/.github/workflows/build-and-publish-onprem-mock.yml
@@ -8,6 +8,10 @@ env: IMAGE_NAME: dsagtt22-onprem-mock LABEL: 1.0.0 +permissions: + contents: read + packages: write + jobs: build_and_push: runs-on: ubuntu-latest
@@ -21,13 +25,13 @@ jobs: uses: actions/setup-node@v3 with: node-version: 16 - - name: 'Install dependencies and Build' + - name: "Install dependencies and Build" shell: bash run: | pushd './dsagtt22/onprem-mock' npm ci npm run build - popd + popd - name: Log in to the Container registry (GH Packages) uses: docker/login-action@v2 with:
@@ -47,4 +51,4 @@ jobs: context: ./${{ env.SUBDIRECTORY }} push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file + labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/build-and-publish-sapcc.yml b/.github/workflows/build-and-publish-sapcc.yml
index d815f9547..7ffde36cc 100644
--- a/.github/workflows/build-and-publish-sapcc.yml
+++ b/.github/workflows/build-and-publish-sapcc.yml
@@ -7,6 +7,10 @@ env: IMAGE_NAME: java11-sapcc LABEL: 1.0.0 +permissions: + contents: read + packages: write + jobs: build_and_push: runs-on: ubuntu-latest
@@ -32,4 +36,4 @@ jobs: context: "{{defaultContext}}:dsagtt22/CloudConnector" push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} + labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/build-docker-custom-component-dapr.yml b/.github/workflows/build-docker-custom-component-dapr.yml
index 71ddb9d2a..a268ded8f 100644
--- a/.github/workflows/build-docker-custom-component-dapr.yml
+++ b/.github/workflows/build-docker-custom-component-dapr.yml
@@ -1,38 +1,40 @@ name: Build docker for the Custom Component Sample on: push: - branches: [ main ] + branches: [main] paths: - - "custom-component-dapr/**" + - "custom-component-dapr/**" workflow_dispatch: - schedule: - - cron: '0 0 * * 0' + +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest strategy: - matrix: - node-version: [14.x, 16.x] + matrix: + node-version: [14.x, 16.x] steps: - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} - - name: 'Install dependencies and Build' + - name: "Install dependencies and Build" shell: bash run: | pushd './custom-component-dapr' npm ci npm run build --if-present popd - - name: 'Check for outdated dependencies' + - name: "Check for outdated dependencies" shell: bash run: | pushd './custom-component-dapr' npm outdated --ignore-packages dapr-client@2.0.2 popd - - name: 'Build Docker Image' + - name: "Build Docker Image" shell: bash run: | pushd './custom-component-dapr'
@@ -42,5 +44,5 @@ jobs: uses: rtCamp/action-slack-notify@v2.2.0 if: ${{ failure() }} env: - SLACK_MESSAGE: 'Build Failed for ${{ env.SAMPLE_NAME }}' - SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }} + SLACK_MESSAGE: "Build Failed for ${{ env.SAMPLE_NAME }}" + SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }}
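Review bot: The `@@ -1,38 +1,40 @@` hunk of build-docker-custom-component-dapr.yml removes the `schedule:` trigger (`cron: '0 0 * * 0'`) while the commit subject only mentions workflow permissions; that weekly run is presumably what made the `Check for outdated dependencies` step (`npm outdated`) useful between pushes, so after this change the check only executes on a push to `main` or a manual dispatch. If dropping the schedule is intended, the commit message should say so; otherwise restore `schedule:` with its cron entry under `on:`, next to `workflow_dispatch:`. The same trigger removal is in build-docker-sample-extension-dotnet-minimalapi.yml (`@@ -2,36 +2,37 @@`), which has no outdated-dependency step but likewise loses its weekly rebuild. The `build` job continues past the end of this hunk.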
diff --git a/.github/workflows/build-docker-hana-nodejs.yml b/.github/workflows/build-docker-hana-nodejs.yml
index 947acba4a..1efd23f22 100644
--- a/.github/workflows/build-docker-hana-nodejs.yml
+++ b/.github/workflows/build-docker-hana-nodejs.yml
@@ -1,36 +1,40 @@ name: Build docker for the HANA Node.js Sample on: push: - branches: [ main ] + branches: [main] paths: - - "hana-nodejs/**" + - "hana-nodejs/**" workflow_dispatch: + +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest strategy: - matrix: - node-version: [16.x, 18.x] + matrix: + node-version: [16.x, 18.x] steps: - uses: actions/checkout@v3 - name: Use Node.js ${{ matrix.node-version }} uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} - - name: 'Install dependencies and Build' + - name: "Install dependencies and Build" shell: bash run: | pushd './hana-nodejs/app' npm ci npm run build --if-present popd - - name: 'Check for outdated dependencies' + - name: "Check for outdated dependencies" shell: bash run: | pushd './hana-nodejs/app' npm outdated popd - - name: 'Build Docker Image' + - name: "Build Docker Image" shell: bash run: | pushd './hana-nodejs'
@@ -40,5 +44,5 @@ jobs: uses: rtCamp/action-slack-notify@v2.2.0 if: ${{ failure() }} env: - SLACK_MESSAGE: 'Build Failed for ${{ env.SAMPLE_NAME }}' - SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }} + SLACK_MESSAGE: "Build Failed for ${{ env.SAMPLE_NAME }}" + SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }}
diff --git a/.github/workflows/build-docker-orders-service.yml b/.github/workflows/build-docker-orders-service.yml
index 0447ca544..d61c8229f 100644
--- a/.github/workflows/build-docker-orders-service.yml
+++ b/.github/workflows/build-docker-orders-service.yml
@@ -1,10 +1,15 @@ name: Build docker for the Orders Service Sample on: push: - branches: [ main ] + branches: [main] paths: - - "orders-service/**" + - "orders-service/**" workflow_dispatch: + +permissions: + contents: read + packages: write + env: REGISTRY: ghcr.io SUBDIRECTORY: orders-service
diff --git a/.github/workflows/build-docker-sample-extension-dotnet-minimalapi.yml b/.github/workflows/build-docker-sample-extension-dotnet-minimalapi.yml
index 3dc8a1ab2..b6d4b5017 100644
--- a/.github/workflows/build-docker-sample-extension-dotnet-minimalapi.yml
+++ b/.github/workflows/build-docker-sample-extension-dotnet-minimalapi.yml
@@ -2,36 +2,37 @@ name: Build docker sample-extension-dotnet-minimalapi on: push: - branches: [ main ] + branches: [main] paths: - - "sample-extension-dotnet-minimalapi/**" + - "sample-extension-dotnet-minimalapi/**" workflow_dispatch: - schedule: - - cron: '0 0 * * 0' + +permissions: + contents: read jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: actions/setup-dotnet@v2 - with: - dotnet-version: '6.0.x' - - name: 'Build .NET Project' - shell: bash - run: | - pushd './sample-extension-dotnet-minimalapi/TodoApi' - dotnet publish -c Release - popd - - name: Build the Docker image - shell: bash - run: | - pushd './sample-extension-dotnet-minimalapi/' - make build-image - popd - - name: Slack Notify - uses: rtCamp/action-slack-notify@v2.2.0 - if: ${{ failure() }} - env: - SLACK_MESSAGE: 'Build Failed for ${{ env.SAMPLE_NAME }}' - SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }} + - uses: actions/checkout@v3 + - uses: actions/setup-dotnet@v2 + with: + dotnet-version: "6.0.x" + - name: "Build .NET Project" + shell: bash + run: | + pushd './sample-extension-dotnet-minimalapi/TodoApi' + dotnet publish -c Release + popd + - name: Build the Docker image + shell: bash + run: | + pushd './sample-extension-dotnet-minimalapi/' + make build-image + popd + - name: Slack Notify + uses: rtCamp/action-slack-notify@v2.2.0 + if: ${{ failure() }} + env: + SLACK_MESSAGE: "Build Failed for ${{ env.SAMPLE_NAME }}" + SLACK_WEBHOOK: ${{ secrets.BUILD_FAIL_NOTIFY_SLACK_URL }}
diff --git a/.github/workflows/deploy-onpremmock-to-kyma.yml b/.github/workflows/deploy-onpremmock-to-kyma.yml
index ae00ff32e..2901a4fc8 100644
--- a/.github/workflows/deploy-onpremmock-to-kyma.yml
+++ b/.github/workflows/deploy-onpremmock-to-kyma.yml
@@ -1,10 +1,13 @@ -name: DSAG TT 2022 - Deploy on prem mock to Kyma +name: DSAG TT 2022 - Deploy on prem mock to Kyma on: workflow_dispatch: {} env: NAMESPACE: dsagtt22-sapcc +permissions: + contents: read + jobs: execute_deployment: runs-on: ubuntu-latest
@@ -19,4 +22,3 @@ jobs: - name: Execute deployment of on-premise mock run: | kubectl apply -f dsagtt22/onprem-mock/k8s/deployment.yaml - \ No newline at end of file
diff --git a/.github/workflows/deploy-order-microservice-to-kyma.yml b/.github/workflows/deploy-order-microservice-to-kyma.yml
index 707eed1c5..7b21e26a5 100644
--- a/.github/workflows/deploy-order-microservice-to-kyma.yml
+++ b/.github/workflows/deploy-order-microservice-to-kyma.yml
@@ -5,6 +5,9 @@ on: env: NAMESPACE: dsagtt22 +permissions: + contents: read + jobs: execute_deployment: runs-on: ubuntu-latest
@@ -24,23 +27,23 @@ jobs: run: | echo "*** Create secret ***" kubectl apply -f dsagtt22/ordermicroservice/database-mssql/k8s/secret.yaml -n ${{ env.NAMESPACE }} - echo "*** Create persistent volume claim ***" + echo "*** Create persistent volume claim ***" kubectl apply -f dsagtt22/ordermicroservice/database-mssql/k8s/pvc.yaml -n ${{ env.NAMESPACE }} echo "*** Create deployment ***" kubectl apply -f dsagtt22/ordermicroservice/database-mssql/k8s/deployment.yaml -n ${{ env.NAMESPACE }} - name: Setup GO API for MS SQL in Kyma run: | - echo "*** Create configmap ***" + echo "*** Create configmap ***" kubectl apply -f dsagtt22/ordermicroservice/api-mssql-go/k8s/configmap.yaml -n ${{ env.NAMESPACE }} echo "*** Create deployment ***" kubectl apply -f dsagtt22/ordermicroservice/api-mssql-go/k8s/deployment.yaml -n ${{ env.NAMESPACE }} echo "*** Create API rule ***" - kubectl apply -f dsagtt22/ordermicroservice/api-mssql-go/k8s/apirule.yaml -n ${{ env.NAMESPACE }} + kubectl apply -f dsagtt22/ordermicroservice/api-mssql-go/k8s/apirule.yaml -n ${{ env.NAMESPACE }} - name: Setup UI5 frontend for MS SQL in Kyma run: | - echo "*** Create configmap ***" + echo "*** Create configmap ***" kubectl apply -f dsagtt22/ordermicroservice/frontend-ui5-mssql/k8s/configmap.yaml -n ${{ env.NAMESPACE }} echo "*** Create deployment ***" kubectl apply -f dsagtt22/ordermicroservice/frontend-ui5-mssql/k8s/deployment.yaml -n ${{ env.NAMESPACE }} echo "*** Create API rule ***" - kubectl apply -f dsagtt22/ordermicroservice/frontend-ui5-mssql/k8s/apirule.yaml -n ${{ env.NAMESPACE }} \ No newline at end of file + kubectl apply -f dsagtt22/ordermicroservice/frontend-ui5-mssql/k8s/apirule.yaml -n ${{ env.NAMESPACE }}
diff --git a/.github/workflows/deploy-sapcc-to-kyma.yml b/.github/workflows/deploy-sapcc-to-kyma.yml
index f9c1b4ac3..971a88272 100644
--- a/.github/workflows/deploy-sapcc-to-kyma.yml
+++ b/.github/workflows/deploy-sapcc-to-kyma.yml
@@ -1,10 +1,13 @@ -name: DSAG TT 2022 - Deploy SAP Cloud Connector to Kyma +name: DSAG TT 2022 - Deploy SAP Cloud Connector to Kyma on: workflow_dispatch: {} env: NAMESPACE: dsagtt22-sapcc +permissions: + contents: read + jobs: execute_deployment: runs-on: ubuntu-latest
@@ -27,4 +30,4 @@ jobs: kubectl apply -f dsagtt22/CloudConnector/k8s/deployment.yaml - name: Create service in Kyma run: | - kubectl apply -f dsagtt22/CloudConnector/k8s/service.yaml \ No newline at end of file + kubectl apply -f dsagtt22/CloudConnector/k8s/service.yaml
diff --git a/.github/workflows/links-watcher.yml b/.github/workflows/links-watcher.yml
index 39fdf6db1..f2b0b54fa 100644
--- a/.github/workflows/links-watcher.yml
+++ b/.github/workflows/links-watcher.yml
@@ -9,7 +9,7 @@ on: permissions: contents: read - issues: write + issues: write jobs: links-watcher:
@@ -26,13 +26,3 @@ jobs: output: ./lychee/out.md env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - #- name: Create issue when fail - # uses: peter-evans/create-issue-from-file@v5 - # if: ${{ steps.lychee.outputs.exit_code }} != 0 - # with: - # title: Link Checker Report - # content-filepath: ./lychee/out.md - # labels: broken link, automated issue - # env: - # GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
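Review bot: In links-watcher.yml the `issues: write` scope survives the first hunk (`@@ -9,7 +9,7 @@`, only its indentation changes) even though the second hunk deletes the commented-out `peter-evans/create-issue-from-file` step, which was the only consumer of that scope visible here. Unless the lychee step, whose `uses:` line is above the hunk, files issues by itself, the job no longer needs write access; dropping the line so the block reads `permissions:` / `contents: read` keeps the `GITHUB_TOKEN` that the step exports read-only, which is the sensible default for a job that fetches arbitrary external URLs. If the issue-creation step is expected to return, reintroducing the scope together with the step keeps the permission and its justification in the same change.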