From 0d67b3eecd04565de7bce417ab75bca02397dad7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 27 Mar 2026 10:19:04 +0000
Subject: [PATCH 1/3] Initial plan
From e7258ab03c3bfac02ecfe95f99aa90999d82f501 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 27 Mar 2026 10:22:06 +0000
Subject: [PATCH 2/3] fix: scope workflow permissions per-job in pipeline.yml
Agent-Logs-Url: https://github.com/platform-mesh/platform-mesh-operator/sessions/eefd1f4c-332f-49ec-b0fd-7f131e2d86c4
Co-authored-by: ntnn <10514301+ntnn@users.noreply.github.com>
---
 .github/workflows/pipeline.yml | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index c1ba3905..e1b6db3d 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -1,8 +1,4 @@
 name: pipeline
-permissions:
- contents: write
- pull-requests: write
- packages: write
 on:
 workflow_call:
 inputs:
@@ -84,20 +80,29 @@ on:
 jobs:
 auto-labeler:
 if: ${{ (github.head_ref || github.ref) != format('refs/heads/{0}',inputs.release_branch) }}
+ permissions:
+ pull-requests: write
+ contents: read
 uses: platform-mesh/.github/.github/workflows/job-auto-labeler.yml@main
 secrets: inherit
 createVersion:
 if: ${{ (github.head_ref || github.ref) == format('refs/heads/{0}',inputs.release_branch) }}
+ permissions:
+ contents: write
 uses: platform-mesh/.github/.github/workflows/job-create-version.yml@main
 secrets: inherit
 lint:
+ permissions:
+ contents: read
 uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@main
 with:
 useTask: ${{ inputs.useTask }}
 testSource:
+ permissions:
+ contents: read
 uses: ./.github/workflows/job-golang-test-source.yml
 secrets: inherit
 with:
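Review bot: With the workflow-level `permissions:` block removed in the first hunk of PATCH 2/3, nothing sets a deny-by-default baseline, so any job without its own block receives the repository's default token scopes. Every job visible in these hunks gets a block, but the file continues outside them and a job added later would silently inherit that default; adding `permissions: {}` at the top level keeps the per-job grants as the only source of access. For the jobs that call a reusable workflow through `uses:`, the block is also the ceiling for the called workflow, so `job-auto-labeler.yml`, `job-create-version.yml` and `job-golang-lint.yml` need to be checked against the grants given here; those files are not shown on this page.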
@@ -110,6 +115,9 @@ jobs:
 dockerBuild:
 if: ${{ (github.head_ref || github.ref) != format('refs/heads/{0}',inputs.release_branch) }}
+ permissions:
+ packages: write
+ contents: read
 uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
 with:
 imageTagName: ${{ inputs.imageTagName }}
@@ -120,6 +128,9 @@ jobs:
 dockerBuildAndPush:
 if: ${{ (github.head_ref || github.ref) == format('refs/heads/{0}',inputs.release_branch) }}
 needs: [createVersion,lint,testSource]
+ permissions:
+ packages: write
+ contents: read
 uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
 with:
 imageTagName: ${{ inputs.imageTagName }}
@@ -131,6 +142,8 @@ jobs:
 updateVersion:
 needs: [createVersion, dockerBuildAndPush]
 if: ${{ (github.head_ref || github.ref) == format('refs/heads/{0}',inputs.release_branch) }}
+ permissions:
+ contents: read
 uses: platform-mesh/.github/.github/workflows/job-chart-version-update.yml@main
 secrets: inherit
 with:
From 230a0353937b54cac535932bd28daf074c52e360 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 28 Mar 2026 01:56:08 +0000
Subject: [PATCH 3/3] chore: update workflow refs to pinned hashes from main
Agent-Logs-Url: https://github.com/platform-mesh/platform-mesh-operator/sessions/a3efb00a-88dd-4bea-8a14-ef7ca2cca42d
Co-authored-by: ntnn <10514301+ntnn@users.noreply.github.com>
---
 .github/workflows/pipeline.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index e1b6db3d..ec87511d 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
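Review bot: `packages: write` on `dockerBuild` (PATCH 2/3, hunk at -110) is granted on every ref that is not the release branch, which includes pull-request runs. The job calls the same `job-docker-build-push.yml` as `dockerBuildAndPush`, and that workflow is not shown, so whether it pushes an image for these refs cannot be confirmed from the diff. If it only builds there, `packages: read` next to `contents: read` would be the narrower grant; if it does push, a one-line comment above the block saying why write access is needed outside the release branch would document the exception.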
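Review bot: `updateVersion` (PATCH 2/3, hunk at -131) drops from the old workflow-wide `contents: write` to `contents: read` while still calling `job-chart-version-update.yml`, whose name suggests it commits a version change somewhere. That keeps working only if the write is made with a credential that arrives through `secrets: inherit` rather than with `GITHUB_TOKEN`; the called workflow is not shown, so this should be confirmed with a release-branch run before merging. If an inherited secret is what it uses, passing only that one by name, `secrets: { <SECRET_NAME>: ${{ secrets.<SECRET_NAME> }} }`, would match the least-privilege intent of this commit better than `secrets: inherit`.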
@@ -83,20 +83,20 @@ jobs:
 permissions:
 pull-requests: write
 contents: read
- uses: platform-mesh/.github/.github/workflows/job-auto-labeler.yml@main
+ uses: platform-mesh/.github/.github/workflows/job-auto-labeler.yml@07550bab80de7691f4947214ee342351896e209b # main
 secrets: inherit
 createVersion:
 if: ${{ (github.head_ref || github.ref) == format('refs/heads/{0}',inputs.release_branch) }}
 permissions:
 contents: write
- uses: platform-mesh/.github/.github/workflows/job-create-version.yml@main
+ uses: platform-mesh/.github/.github/workflows/job-create-version.yml@07550bab80de7691f4947214ee342351896e209b # main
 secrets: inherit
 lint:
 permissions:
 contents: read
- uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@main
+ uses: platform-mesh/.github/.github/workflows/job-golang-lint.yml@07550bab80de7691f4947214ee342351896e209b # main
 with:
 useTask: ${{ inputs.useTask }}
@@ -118,7 +118,7 @@ jobs:
 permissions:
 packages: write
 contents: read
- uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
+ uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@07550bab80de7691f4947214ee342351896e209b # main
 with:
 imageTagName: ${{ inputs.imageTagName }}
 release_branch: ${{ inputs.release_branch }}
@@ -131,7 +131,7 @@ jobs:
 permissions:
 packages: write
 contents: read
- uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@main
+ uses: platform-mesh/.github/.github/workflows/job-docker-build-push.yml@07550bab80de7691f4947214ee342351896e209b # main
 with:
 imageTagName: ${{ inputs.imageTagName }}
 version: ${{ needs.createVersion.outputs.version }}
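Review bot: The `uses:` refs in PATCH 3/3 all pin `07550bab80de7691f4947214ee342351896e209b` with the comment `# main`, but nothing on the page shows that this commit is reachable from `main` of `platform-mesh/.github` itself. GitHub also resolves a SHA that exists only in a fork of the referenced repository, so the commit should be confirmed in the upstream repository before merging, the more so because the change was authored by an automated agent. This applies equally to the hunks at -118, -131 and -144. The pin freezes the called workflow files only; any action those files reference by tag or branch stays mutable, and they are outside this diff.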
@@ -144,7 +144,7 @@ jobs:
 if: ${{ (github.head_ref || github.ref) == format('refs/heads/{0}',inputs.release_branch) }}
 permissions:
 contents: read
- uses: platform-mesh/.github/.github/workflows/job-chart-version-update.yml@main
+ uses: platform-mesh/.github/.github/workflows/job-chart-version-update.yml@07550bab80de7691f4947214ee342351896e209b # main
 secrets: inherit
 with:
 appVersion: ${{ needs.createVersion.outputs.version }}