From 49bb2b7a38a18a61dce2ca4975f313877b327c7e Mon Sep 17 00:00:00 2001
From: Sunyanan Choochotkaew
Date: Tue, 20 Jan 2026 12:42:40 +0900
Subject: [PATCH] chore: secure workflow

- Set read-all permission on all PR workflows
- Rename token secret name
- Add CODEOWNERS for workflows

Signed-off-by: Sunyanan Choochotkaew
---
 .github/workflows/build_push_concheck.yaml | 2 +-
 .github/workflows/build_push_controller.yaml | 4 ++--
 .github/workflows/build_push_daemon.yaml | 2 +-
 .github/workflows/build_push_kbuilder.yaml | 2 +-
 .github/workflows/commit-lint.yaml | 4 +---
 .github/workflows/daemon_unittest.yaml | 2 ++
 .github/workflows/golangci-lint.yaml | 2 ++
 .github/workflows/integration_test.yaml | 2 ++
 .github/workflows/unittest.yaml | 3 ++-
 .github/workflows/version-update.yml | 6 +++---
 CODEOWNERS | 8 ++++++++
 11 files changed, 25 insertions(+), 12 deletions(-)
 create mode 100644 CODEOWNERS

diff --git a/.github/workflows/build_push_concheck.yaml b/.github/workflows/build_push_concheck.yaml
index 44a2b0f0..b5e0ad5d 100644
--- a/.github/workflows/build_push_concheck.yaml
+++ b/.github/workflows/build_push_concheck.yaml
@@ -28,7 +28,7 @@ jobs:
with:
registry: ghcr.io
username: ${{ secrets.GH_USERNAME }}
- password: ${{ secrets.GH_TOKEN }}
+ password: ${{ secrets.GHCR_TOKEN }}
- name: Build and push concheck
uses: docker/build-push-action@v2
with:
diff --git a/.github/workflows/build_push_controller.yaml b/.github/workflows/build_push_controller.yaml
index 02bbb6a1..fc4fc718 100644
--- a/.github/workflows/build_push_controller.yaml
+++ b/.github/workflows/build_push_controller.yaml
@@ -52,7 +52,7 @@ jobs:
with:
registry: ghcr.io
username: ${{ secrets.GH_USERNAME }}
- password: ${{ secrets.GH_TOKEN }}
+ password: ${{ secrets.GHCR_TOKEN }}
- name: Build and push bundle
uses: docker/build-push-action@v2
with:
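Review bot: The new `password: ${{ secrets.GHCR_TOKEN }}` line still authenticates to ghcr.io with a long-lived personal access token; the rename changes the label, not the credential class. For pushes to the repository's own ghcr.io namespace the job-scoped `secrets.GITHUB_TOKEN` is the least-privilege choice: `username: ${{ github.actor }}`, `password: ${{ secrets.GITHUB_TOKEN }}`, with `packages: write` declared in the job's `permissions:`. The workflow's trigger and permissions block are outside this hunk, so whether the default token already carries that scope cannot be confirmed here. If a PAT must stay (e.g. to push to another organisation), it should be a fine-grained token limited to package write on the target packages.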
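Review bot: The context line `uses: docker/build-push-action@v2` that this hunk keeps on the new side references a mutable major-version tag, so the image build step resolves to whatever commit the tag points at when the job runs; for a commit whose purpose is hardening the workflows, third-party actions should be pinned to a full commit SHA with the tag recorded in a comment, e.g. `uses: docker/build-push-action@<full-commit-sha> # v2`. The same applies to the login action immediately above the hunk, which is outside this view. Since a PAT is fed to these steps, an action tag being moved is a direct path to credential exfiltration.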
@@ -82,7 +82,7 @@ jobs:
with:
registry: ghcr.io
username: ${{ secrets.GH_USERNAME }}
- password: ${{ secrets.GH_TOKEN }}
+ password: ${{ secrets.GHCR_TOKEN }}
- name: Build and push controller
uses: docker/build-push-action@v2
with:
diff --git a/.github/workflows/build_push_daemon.yaml b/.github/workflows/build_push_daemon.yaml
index 8b4b80e9..ad32069c 100644
--- a/.github/workflows/build_push_daemon.yaml
+++ b/.github/workflows/build_push_daemon.yaml
@@ -33,7 +33,7 @@ jobs:
with:
registry: ghcr.io
username: ${{ secrets.GH_USERNAME }}
- password: ${{ secrets.GH_TOKEN }}
+ password: ${{ secrets.GHCR_TOKEN }}
- name: Build and push daemon
uses: docker/build-push-action@v2
with:
diff --git a/.github/workflows/build_push_kbuilder.yaml b/.github/workflows/build_push_kbuilder.yaml
index c6b5165a..994b8c7f 100644
--- a/.github/workflows/build_push_kbuilder.yaml
+++ b/.github/workflows/build_push_kbuilder.yaml
@@ -27,7 +27,7 @@ jobs:
with:
registry: ghcr.io
username: ${{ secrets.GH_USERNAME }}
- password: ${{ secrets.GH_TOKEN }}
+ password: ${{ secrets.GHCR_TOKEN }}
- name: Build and push
uses: docker/build-push-action@v2
with:
diff --git a/.github/workflows/commit-lint.yaml b/.github/workflows/commit-lint.yaml
index 485f2165..662bb933 100644
--- a/.github/workflows/commit-lint.yaml
+++ b/.github/workflows/commit-lint.yaml
@@ -2,9 +2,7 @@ name: commit-lint
on:
pull_request:

-permissions:
- contents: read
- pull-requests: read
+permissions: read-all

jobs:
commitlint:
diff --git a/.github/workflows/daemon_unittest.yaml b/.github/workflows/daemon_unittest.yaml
index fe762921..2b72eebf 100644
--- a/.github/workflows/daemon_unittest.yaml
+++ b/.github/workflows/daemon_unittest.yaml
@@ -8,6 +8,8 @@ on:
- cni/**
- Makefile

+permissions: read-all
+
jobs:
daemon-test:
runs-on: ubuntu-latest
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
index 5d74fac3..4f12ff3b 100644
--- a/.github/workflows/golangci-lint.yaml
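Review bot: `username: ${{ secrets.GH_USERNAME }}` on the context line above the renamed token keeps a registry username in a secret, which is not sensitive data; storing it as a secret masks it in job logs, so a login failure cannot be attributed to the wrong account, and reviewers cannot see which account the PAT belongs to. Prefer `username: ${{ github.actor }}` (or a plain repository variable) next to the new `password:` line. The commit message says read-all was applied to PR workflows only, and this push workflow's `permissions:` block is outside the hunk, so it is worth confirming that it is explicitly declared rather than inherited from the repository default.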
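Review bot: Replacing the explicit `contents: read` / `pull-requests: read` block with `permissions: read-all` widens this workflow's token instead of narrowing it: read-all grants read on every scope (actions, checks, deployments, issues, packages, security-events, statuses, …), whereas the removed block granted exactly the two scopes a commit linter needs. The previous form was already the least-privilege one and should be kept, i.e. `permissions:` / `  contents: read` / `  pull-requests: read`. `read-all` only improves matters in the other files of this commit, where no `permissions:` key existed and the repository default applied.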
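Review bot: The added `permissions: read-all` is a sensible floor but is broader than a unit-test workflow needs; a job that checks out the repository and runs tests needs `contents: read`, and read-all additionally hands `packages: read`, `security-events: read` and the other read scopes to every step and third-party action in the workflow. Consider `permissions:` / `  contents: read` instead, with a comment such as `# read-only token: this workflow only checks out and runs tests` so the intent survives future edits. The job steps are outside the hunk; if one of them needs another read scope, add that scope explicitly rather than falling back to read-all.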
+++ b/.github/workflows/golangci-lint.yaml
@@ -3,6 +3,8 @@ on:
pull_request:
push:

+permissions: read-all
+
env:
GOLANGCI_LINT_VERSION: v1.64.8

diff --git a/.github/workflows/integration_test.yaml b/.github/workflows/integration_test.yaml
index e58bd0c3..fe7c23a0 100644
--- a/.github/workflows/integration_test.yaml
+++ b/.github/workflows/integration_test.yaml
@@ -16,6 +16,8 @@ on:
- ./*/go.mod
- ./*/src/go.mod

+permissions: read-all
+
jobs:
scale-test:
runs-on: ubuntu-latest
diff --git a/.github/workflows/unittest.yaml b/.github/workflows/unittest.yaml
index f51a26e3..018a209d 100644
--- a/.github/workflows/unittest.yaml
+++ b/.github/workflows/unittest.yaml
@@ -13,8 +13,9 @@ on:
- ./*/go.mod
- ./*/src/go.mod

-jobs:
+permissions: read-all

+jobs:
controller-test:
runs-on: ubuntu-latest
steps:
diff --git a/.github/workflows/version-update.yml b/.github/workflows/version-update.yml
index 0b2a66b8..a8b05a84 100644
--- a/.github/workflows/version-update.yml
+++ b/.github/workflows/version-update.yml
@@ -1,4 +1,4 @@
-name: "Automated Version Update"
+name: "Create Version Update PR"

permissions:
contents: write
@@ -36,7 +36,7 @@ jobs:
- name: Checkout repository
uses: actions/checkout@v4
with:
- token: ${{ secrets.GH_TOKEN }}
+ token: ${{ secrets.GHCR_TOKEN }}

- name: Configure Git
run: |
@@ -76,7 +76,7 @@ jobs:
if: steps.check_changes.outputs.changes == 'true'
uses: peter-evans/create-pull-request@v5
with:
- token: ${{ secrets.GH_TOKEN }}
+ token: ${{ secrets.GHCR_TOKEN }}
branch: chore/update-version-${{ env.NEW_VERSION }}
base: main
delete-branch: true
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 00000000..39b9d4b0
--- /dev/null
+++ b/CODEOWNERS
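Review bot: The workflow-level `permissions: read-all` added here is silently overridden by any job that declares its own `permissions:` block, and the jobs are outside the hunk, so the effective token scope cannot be confirmed from this view; check that no job re-declares permissions, or that any job-level block is narrower. This workflow runs on both `pull_request` and `push`, and the `push` run is the one where a permissive token matters, so `contents: read` (plus `pull-requests: read` only if the linter annotates PRs, which is not visible here) is the tighter choice. A comment such as `# token is read-only for every job; do not add write scopes here` keeps that decision visible to the next editor.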
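Review bot: This hunk removes and re-adds `jobs:` to slot `permissions: read-all` in front of it, which makes the diff read as if the jobs key changed when only a new top-level key was inserted; placing the new key after the existing blank line, as daemon_unittest.yaml and integration_test.yaml do in this same commit, avoids the `-jobs:` / `+jobs:` churn. Style aside, `read-all` is broader than a test workflow needs; `contents: read` covers checkout and test execution. The job steps are outside the hunk.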
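Review bot: The token handed to `actions/checkout@v4` here is now `secrets.GHCR_TOKEN`, the same secret the build_push_* workflows use to log into ghcr.io; a token used for checkout and for creating PRs must carry repository write scope, so the rename labels a PAT that can push code as if it were a registry-only credential. Sharing one credential between the image-push workflows and the release-PR workflow is the opposite of least privilege: keep a separate, narrowly scoped secret for this workflow, or use `secrets.GITHUB_TOKEN` with `contents: write` and `pull-requests: write` (accepting that PRs it creates do not trigger other workflows). Note also that `actions/checkout` persists the supplied token in the checkout's git config by default, so every later step in this job can read it; add `persist-credentials: false` unless a later step pushes with git directly. The rest of the job is outside the hunk.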
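Review bot: `uses: peter-evans/create-pull-request@v5`, kept on the context line above the renamed token, is a mutable tag, and this is precisely the step that receives the PAT and pushes a branch with it, so it is the one most worth pinning to a full commit SHA, `uses: peter-evans/create-pull-request@<full-commit-sha> # v5`. If a version bump ever touches files under .github/workflows, the PAT additionally needs the `workflow` scope, and the CODEOWNERS rule added in this commit then makes the listed maintainers the required reviewers of that PR, which is the right outcome. The PAT's actual scopes are not visible in the diff and should be checked on the secret itself.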
@@ -0,0 +1,8 @@
+##############################################################
+#
+# List of approvers/reviewers for Multi-NIC CNI project
+#
+##############################################################
+
+# All files in workflows folder must be approved by listed active maintainers.
+.github/workflows/* @sunya-ch @tatsuhirochiba @chcost
\ No newline at end of file
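Review bot: The rule `.github/workflows/* @sunya-ch @tatsuhirochiba @chcost` protects the workflow files but not the CODEOWNERS file itself, so a pull request that edits CODEOWNERS to drop the rule needs no maintainer approval; add a second line `/CODEOWNERS @sunya-ch @tatsuhirochiba @chcost` so the policy file is covered too. If the repository has composite actions under `.github/actions/` (not visible here), they run with the same token as the workflows and deserve the same rule. CODEOWNERS only enforces anything once branch protection on `main` requires review from code owners, which this commit cannot switch on, so that setting should be confirmed alongside the merge. The file also ends without a trailing newline, which some tooling flags.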