diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 752dd99..9b6c10f 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -26,7 +26,7 @@ It is not: - [ ] Should use sentence case for the names of workflows and steps (for example, "Run tests"). - [ ] Should be named _only_ by the name of the language or platform (for example, "Go", not "Go CI" or "Go Build"). - [ ] Should include comments in the workflow for any parts that are not obvious or could use clarification. -- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. +- [ ] Should specify least priviledge [permissions](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token) for `GITHUB_TOKEN` so that the workflow runs successfully. **For _CI_ workflows, the workflow:** @@ -38,7 +38,7 @@ It is not: **For _Code Scanning_ workflows, the workflow:** -- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/ci). +- [ ] Should be preserved under [the `code-scanning` directory](https://github.com/actions/starter-workflows/tree/main/code-scanning). - [ ] Should include a matching `code-scanning/properties/*.properties.json` file (for example, [`code-scanning/properties/codeql.properties.json`](https://github.com/actions/starter-workflows/blob/main/code-scanning/properties/codeql.properties.json)), with properties set as follows: - [ ] `name`: Name of the Code Scanning integration. - [ ] `organization`: Name of the organization producing the Code Scanning integration. diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 0e72a00..8966511 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -1,6 +1,6 @@ # Dependency Review Action # -# This Action will scan dependency manifest files that change as part of a Pull Reqest, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. # # Source repository: https://github.com/actions/dependency-review-action # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement diff --git a/deployments/azure-container-webapp.yml b/deployments/azure-container-webapp.yml index c882bde..8b69065 100644 --- a/deployments/azure-container-webapp.yml +++ b/deployments/azure-container-webapp.yml @@ -35,6 +35,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: file: ./Dockerfile deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/azure-kubernetes-service-helm.yml b/deployments/azure-kubernetes-service-helm.yml index 510abcd..a6a2f4e 100644 --- a/deployments/azure-kubernetes-service-helm.yml +++ b/deployments/azure-kubernetes-service-helm.yml @@ -120,6 +120,9 @@ jobs: runs-on: ubuntu-latest needs: [buildImage, createSecret] steps: + # Checks out the repository this file is in + - uses: actions/checkout@v3 + # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 diff --git a/deployments/azure-kubernetes-service-kompose.yml b/deployments/azure-kubernetes-service-kompose.yml index 0cf23ba..60fe536 100644 --- a/deployments/azure-kubernetes-service-kompose.yml +++ b/deployments/azure-kubernetes-service-kompose.yml @@ -31,6 +31,12 @@ name: Build and deploy an app to AKS with Kompose +on: + push: + branches: + - $default-branch + workflow_dispatch: + env: AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" CONTAINER_NAME: "your-container-name" @@ -148,4 +154,4 @@ jobs: images: | ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file + ${{ env.IMAGE_PULL_SECRET_NAME }} diff --git a/deployments/azure-kubernetes-service-kustomize.yml b/deployments/azure-kubernetes-service-kustomize.yml index 14469db..d46cadb 100644 --- a/deployments/azure-kubernetes-service-kustomize.yml +++ b/deployments/azure-kubernetes-service-kustomize.yml @@ -74,9 +74,6 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - # Logs in with your Azure credentials - name: Azure login uses: azure/login@v1.4.3 diff --git a/deployments/azure-staticwebapp.yml b/deployments/azure-staticwebapp.yml index becfede..a40ecc2 100644 --- a/deployments/azure-staticwebapp.yml +++ b/deployments/azure-staticwebapp.yml @@ -28,8 +28,14 @@ env: APP_ARTIFACT_LOCATION: "build" # location of client code build output AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app +permissions: + contents: read + jobs: build_and_deploy_job: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') runs-on: ubuntu-latest name: Build and Deploy Job @@ -52,6 +58,8 @@ jobs: ###### End of Repository/Build Configurations ###### close_pull_request_job: + permissions: + contents: none if: github.event_name == 'pull_request' && github.event.action == 'closed' runs-on: ubuntu-latest name: Close Pull Request Job diff --git a/deployments/azure-webapps-dotnet-core.yml b/deployments/azure-webapps-dotnet-core.yml index 3357dc8..0b59686 100644 --- a/deployments/azure-webapps-dotnet-core.yml +++ b/deployments/azure-webapps-dotnet-core.yml @@ -30,6 +30,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -63,6 +66,8 @@ jobs: path: ${{env.DOTNET_ROOT}}/myapp deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index d29b0c9..6e3df8d 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -30,6 +30,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -54,6 +57,8 @@ jobs: path: '${{ github.workspace }}/target/*.jar' deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/azure-webapps-node.yml b/deployments/azure-webapps-node.yml index c967bdb..1480c92 100644 --- a/deployments/azure-webapps-node.yml +++ b/deployments/azure-webapps-node.yml @@ -28,6 +28,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root NODE_VERSION: '14.x' # set this to the node version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -53,6 +56,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/azure-webapps-php.yml b/deployments/azure-webapps-php.yml index 04f55f4..98e8dc7 100644 --- a/deployments/azure-webapps-php.yml +++ b/deployments/azure-webapps-php.yml @@ -30,6 +30,9 @@ env: AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root PHP_VERSION: '8.x' # set this to the PHP version to use +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -74,6 +77,8 @@ jobs: path: . deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: diff --git a/deployments/azure-webapps-python.yml b/deployments/azure-webapps-python.yml index af6a9dd..50f4823 100644 --- a/deployments/azure-webapps-python.yml +++ b/deployments/azure-webapps-python.yml @@ -29,6 +29,9 @@ on: - $default-branch workflow_dispatch: +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -61,6 +64,8 @@ jobs: !venv/ deploy: + permissions: + contents: none runs-on: ubuntu-latest needs: build environment: