diff --git a/.github/workflows/code-scanning.yaml b/.github/workflows/code-scanning.yaml
index 7ca3e453c..1baa3087a 100644
--- a/.github/workflows/code-scanning.yaml
+++ b/.github/workflows/code-scanning.yaml
@@ -28,6 +28,8 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v7
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v4
diff --git a/.github/workflows/config-checks.yaml b/.github/workflows/config-checks.yaml
index 412d21531..0d2fa7674 100644
--- a/.github/workflows/config-checks.yaml
+++ b/.github/workflows/config-checks.yaml
@@ -18,6 +18,9 @@ on:
 workflow_call:
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 helm-lint:
 runs-on: ubuntu-latest
@@ -25,6 +28,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v7
+ with:
+ persist-credentials: false
 - name: Install Helm
 uses: azure/setup-helm@v5.0.0
 id: install
@@ -36,6 +41,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v7
+ with:
+ persist-credentials: false
 - name: Get Golang version
 id: vars
 run: |
@@ -53,6 +60,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v7
+ with:
+ persist-credentials: false
 - name: Get Golang version
 id: vars
 run: |
@@ -63,4 +72,3 @@ jobs:
 with:
 go-version: ${{ env.GOLANG_VERSION }}
 - run: make validate-helm-values
-
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index bc9a2d569..266fadd96 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -29,6 +29,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v7
+ with:
+ persist-credentials: false
 - name: Get Golang version
 id: vars
 run: |
diff --git a/.github/workflows/e2e-tests.yaml b/.github/workflows/e2e-tests.yaml
index 6c48d37d6..177e5ff6a 100644
--- a/.github/workflows/e2e-tests.yaml
+++ b/.github/workflows/e2e-tests.yaml
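Review bot: The new workflow-level `permissions:` block with `contents: read` in config-checks.yaml (hunk `@@ -18,6 +18,9 @@`) is the right default, but none of the other workflows this commit touches (code-scanning.yaml, coverage.yaml, e2e-tests.yaml, golang-checks.yaml, image-builds.yaml, publish-helm-oci-chart.yaml, release-image-list.yaml, release.yaml) show a workflow-level `permissions:` block in the hunks shown, so whether they still inherit the repository default token scope cannot be confirmed from this diff. `persist-credentials: false` only stops the token from being written into `.git/config` for later steps; it does not narrow what `GITHUB_TOKEN` can do while the job runs, so a least-privilege `permissions:` block is still needed alongside it in each workflow. A one-line comment above the new block would make the intent explicit for the next editor, e.g. `# Least-privilege default for all jobs; widen per job only where a step needs it.`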
@@ -82,6 +82,8 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Check out code
+ with:
+ persist-credentials: false
 - name: Download values override file
 if: ${{ inputs.use_values_override }}
 uses: actions/download-artifact@v8
@@ -148,6 +150,8 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Check out code
+ with:
+ persist-credentials: false
 - name: Download values override file
 if: ${{ inputs.use_values_override }}
 uses: actions/download-artifact@v8
diff --git a/.github/workflows/forward-compatibility.yaml b/.github/workflows/forward-compatibility.yaml
index f26a55376..baaf63a71 100644
--- a/.github/workflows/forward-compatibility.yaml
+++ b/.github/workflows/forward-compatibility.yaml
@@ -33,12 +33,14 @@ jobs:
 contents: read
 steps:
 - uses: actions/checkout@v7
-
+ with:
+ persist-credentials: false
+
 - name: Install regctl
 uses: regclient/actions/regctl-installer@148669fe4b19151fcab6e00c6df2db43b9e2b097
 with:
 release: v0.11.3
-
+
 - name: Get latest component images and generate values override file
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -46,20 +48,20 @@ jobs:
 # Fetch latest images from component repositories
 echo "::notice::Fetching latest container-toolkit image..."
 TOOLKIT=$(.github/scripts/get-latest-images.sh toolkit)
-
+
 echo "::notice::Fetching latest device-plugin image..."
 DEVICE_PLUGIN=$(.github/scripts/get-latest-images.sh device-plugin)
-
+
 echo "::notice::Fetching latest mig-manager image..."
 MIG_MANAGER=$(.github/scripts/get-latest-images.sh mig-manager)
-
+
 # Generate values override file
 .github/scripts/generate-values-overrides.sh \
 values-overrides.yaml \
 "${TOOLKIT}" \
 "${DEVICE_PLUGIN}" \
 "${MIG_MANAGER}"
-
+
 - name: Upload values override file
 uses: actions/upload-artifact@v7
 with:
diff --git a/.github/workflows/golang-checks.yaml b/.github/workflows/golang-checks.yaml
index afa4f9557..52af87aef 100644
--- a/.github/workflows/golang-checks.yaml
+++ b/.github/workflows/golang-checks.yaml
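Review bot: In forward-compatibility.yaml (hunk `@@ -33,12 +33,14 @@`) the `regclient/actions/regctl-installer` step is pinned to a full commit SHA, while the `actions/checkout@v7` step just above it — and every other action visible in this commit (`actions/download-artifact@v8`, `actions/upload-artifact@v7`, `azure/setup-helm@v5.0.0`, `docker/login-action@v4`, `actions/setup-python@v6`) — is pinned to a mutable tag that the action's maintainer or a compromised account can move. Since the commit's purpose is hardening the checkout step, it is worth making the pinning style consistent across these workflows: pin each action to its commit SHA and keep the tag as a trailing comment so the version stays readable, e.g. `uses: actions/checkout@<commit-sha-placeholder> # v7`, and add the same `# vX.Y.Z` comment form to the already SHA-pinned regctl-installer line (the `release: v0.11.3` input below it is the regctl version, not the action's). The same mix appears in the checkout hunks of release.yaml and image-builds.yaml.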
@@ -28,6 +28,8 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Checkout code
+ with:
+ persist-credentials: false
 - name: Get Golang version
 id: vars
 run: |
@@ -63,6 +65,8 @@ jobs:
 steps:
 - name: Checkout code
 uses: actions/checkout@v7
+ with:
+ persist-credentials: false
 - name: Get Golang version
 id: vars
 run: |
@@ -89,4 +93,6 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Checkout code
+ with:
+ persist-credentials: false
 - run: make docker-build
diff --git a/.github/workflows/image-builds.yaml b/.github/workflows/image-builds.yaml
index a0f8a1da1..e9b830c48 100644
--- a/.github/workflows/image-builds.yaml
+++ b/.github/workflows/image-builds.yaml
@@ -86,6 +86,8 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Check out code
+ with:
+ persist-credentials: false
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v4
 with:
@@ -118,6 +120,8 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Check out code
+ with:
+ persist-credentials: false
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v4
 with:
@@ -146,6 +150,8 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Check out code
+ with:
+ persist-credentials: false
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v4
 with:
@@ -163,4 +169,3 @@ jobs:
 ${OPERATOR_IMAGE_AMD} \
 ${OPERATOR_IMAGE_ARM}
 docker manifest push ${OPERATOR_MULTIARCH_IMAGE}
-
diff --git a/.github/workflows/publish-helm-oci-chart.yaml b/.github/workflows/publish-helm-oci-chart.yaml
index 2b637f228..e1af8b293 100644
--- a/.github/workflows/publish-helm-oci-chart.yaml
+++ b/.github/workflows/publish-helm-oci-chart.yaml
@@ -39,6 +39,8 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Check out code
+ with:
+ persist-credentials: false
 - name: Set up Helm
 uses: azure/setup-helm@v5.0.0
diff --git a/.github/workflows/release-image-list.yaml b/.github/workflows/release-image-list.yaml
index 2a4358962..3b707967e 100644
--- a/.github/workflows/release-image-list.yaml
+++ b/.github/workflows/release-image-list.yaml
@@ -34,6 +34,7 @@ jobs:
 name: Check out code
 with:
 ref: ${{ github.event.release.tag_name }}
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v6
 with:
@@ -66,6 +67,8 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Check out code
+ with:
+ persist-credentials: false
 - name: Download image list artifact
 uses: actions/download-artifact@v8
 with:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index bb4f4f092..b985b18d2 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -68,6 +68,8 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Check out code
+ with:
+ persist-credentials: false
 - name: Install regctl
 uses: regclient/actions/regctl-installer@148669fe4b19151fcab6e00c6df2db43b9e2b097
 with:
@@ -91,6 +93,8 @@ jobs:
 steps:
 - uses: actions/checkout@v7
 name: Check out code
+ with:
+ persist-credentials: false
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v4
 with:
@@ -114,4 +118,3 @@ jobs:
 BUNDLE_IMAGE_BASE="ghcr.io/nvidia/gpu-operator/gpu-operator-bundle"
 make push-bundle-image BUNDLE_IMAGE=${BUNDLE_IMAGE_BASE}:${{ github.ref_name }}-latest
 make push-bundle-image BUNDLE_IMAGE=${BUNDLE_IMAGE_BASE}:${COMMIT_SHORT_SHA}
-
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 219bdd586..8590e3d18 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -5,12 +5,15 @@ on:
 schedule:
 - cron: "21 4 * * *"
+permissions: {}
+
 jobs:
 stale:
 permissions:
 actions: write
 issues: write
 runs-on: ubuntu-latest
+ timeout-minutes: 10
 steps:
 - uses: actions/stale@v10
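Review bot: In release.yaml's last hunk (`@@ -114,4 +118,3 @@`), the line `make push-bundle-image BUNDLE_IMAGE=${BUNDLE_IMAGE_BASE}:${{ github.ref_name }}-latest` has the workflow engine expand `${{ github.ref_name }}` directly into the `run:` script text before the shell parses it, which is the template-injection pattern that workflow linters flag: git ref names are allowed to contain shell metacharacters, so the ref is not a plain data value once it is spliced into the script. The workflow's trigger is outside the hunk, so whether this job can run on refs that were not created by a maintainer cannot be confirmed here, but the defensive form costs two lines and keeps the credential-hardening theme of this commit: pass the value through the step environment with `env: REF_NAME: ${{ github.ref_name }}` and use `"${REF_NAME}"` in the script, as the `COMMIT_SHORT_SHA` variable on the following line already does. The other `${{ }}` expansions in the hunks shown (`go-version`, `if:`, `ref:`, `GITHUB_TOKEN`) are action inputs or `env:` values rather than script text and do not have this issue.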