diff --git a/.github/workflows/bananapi-m1-plus.yml b/.github/workflows/bananapi-m1-plus.yml
index ef609060da..b6e8e26a5b 100644
--- a/.github/workflows/bananapi-m1-plus.yml
+++ b/.github/workflows/bananapi-m1-plus.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/beaglebone-ai64.yml b/.github/workflows/beaglebone-ai64.yml
index 70d2d90483..76565831e1 100644
--- a/.github/workflows/beaglebone-ai64.yml
+++ b/.github/workflows/beaglebone-ai64.yml
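Review bot: The `uses:` line in this hunk replaces a full-commit-SHA pin (`@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10`) with `@master`, so any push to that branch of balena-yocto-scripts immediately changes what runs in this repository's trust context, including the `id-token: write` and `pull-requests: write` grants added just above, with no review on this side. The same swap is made in every other hunk of this diff (beaglebone-ai64 through raspberrypi4-64), so this note covers all of them. A deploy workflow should stay on an immutable ref, `uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@<full-commit-sha> # vX.Y.Z`, keeping the version comment so a dependency bot can propose bumps as reviewable commits. The FIXME context in the generic-amd64 and raspberrypi3/raspberrypi4 hunks already warns of drift between this reusable workflow and the scripts submodule; a branch ref makes that drift unversioned rather than fixing it. The enclosing `on:` mapping begins before this hunk, so the full trigger set (the context comments indicate pull_request_target is among them) is not visible here.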
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/beaglebone-pocket.yml b/.github/workflows/beaglebone-pocket.yml
index 9da17b60b9..50fcd3327d 100644
--- a/.github/workflows/beaglebone-pocket.yml
+++ b/.github/workflows/beaglebone-pocket.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/beaglebone.yml b/.github/workflows/beaglebone.yml
index 78e747426a..cf63899b78 100644
--- a/.github/workflows/beaglebone.yml
+++ b/.github/workflows/beaglebone.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/generic-aarch64.yml b/.github/workflows/generic-aarch64.yml
index a9fe5728d4..e669a6cd5d 100644
--- a/.github/workflows/generic-aarch64.yml
+++ b/.github/workflows/generic-aarch64.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/generic-amd64.yml b/.github/workflows/generic-amd64.yml
index cbca4b5cf9..a0d364041f 100644
--- a/.github/workflows/generic-amd64.yml
+++ b/.github/workflows/generic-amd64.yml
@@ -14,12 +14,19 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
 # FIXME: This workflow has dependencies on scripts in the balena-yocto-scripts repository
 # which is pinned separately as a submodule in the device repo. Expect some drift but try to retain compatibility.
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/genericx86-64-ext.yml b/.github/workflows/genericx86-64-ext.yml
index 9444662281..e675352691 100644
--- a/.github/workflows/genericx86-64-ext.yml
+++ b/.github/workflows/genericx86-64-ext.yml
@@ -14,12 +14,19 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
 # FIXME: This workflow has dependencies on scripts in the balena-yocto-scripts repository
 # which is pinned separately as a submodule in the device repo. Expect some drift but try to retain compatibility.
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/genericx86-64.yml b/.github/workflows/genericx86-64.yml
index 32ef72d465..e55a51c955 100644
--- a/.github/workflows/genericx86-64.yml
+++ b/.github/workflows/genericx86-64.yml
@@ -14,12 +14,19 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
 # FIXME: This workflow has dependencies on scripts in the balena-yocto-scripts repository
 # which is pinned separately as a submodule in the device repo. Expect some drift but try to retain compatibility.
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/imx6ul-var-dart.yml b/.github/workflows/imx6ul-var-dart.yml
index 684b0c89ba..9fc4d32f2e 100644
--- a/.github/workflows/imx6ul-var-dart.yml
+++ b/.github/workflows/imx6ul-var-dart.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/imx7-var-som.yml b/.github/workflows/imx7-var-som.yml
index 7b35eda16a..81f64d0054 100644
--- a/.github/workflows/imx7-var-som.yml
+++ b/.github/workflows/imx7-var-som.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/iot-gate-imx8.yml b/.github/workflows/iot-gate-imx8.yml
index 669829594b..8729c20aa9 100644
--- a/.github/workflows/iot-gate-imx8.yml
+++ b/.github/workflows/iot-gate-imx8.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/iot-gate-imx8plus.yml b/.github/workflows/iot-gate-imx8plus.yml
index 506d4f2c41..3b3ebc93fb 100644
--- a/.github/workflows/iot-gate-imx8plus.yml
+++ b/.github/workflows/iot-gate-imx8plus.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/jetson-agx-orin-devkit.yml b/.github/workflows/jetson-agx-orin-devkit.yml
index e474974e56..ba764f7c5b 100644
--- a/.github/workflows/jetson-agx-orin-devkit.yml
+++ b/.github/workflows/jetson-agx-orin-devkit.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/jetson-nano.yml b/.github/workflows/jetson-nano.yml
index 926d9d4380..bbd2c266ab 100644
--- a/.github/workflows/jetson-nano.yml
+++ b/.github/workflows/jetson-nano.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/jetson-tx2.yml b/.github/workflows/jetson-tx2.yml
index e9b40fd674..d8dc94ba72 100644
--- a/.github/workflows/jetson-tx2.yml
+++ b/.github/workflows/jetson-tx2.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/jetson-xavier.yml b/.github/workflows/jetson-xavier.yml
index 8066a1a0dd..60f0108636 100644
--- a/.github/workflows/jetson-xavier.yml
+++ b/.github/workflows/jetson-xavier.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/nanopi-neo-air.yml b/.github/workflows/nanopi-neo-air.yml
index 8ae90c2ee4..485741692f 100644
--- a/.github/workflows/nanopi-neo-air.yml
+++ b/.github/workflows/nanopi-neo-air.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/nanopi-r2c.yml b/.github/workflows/nanopi-r2c.yml
index f6894c82d3..868c21740d 100644
--- a/.github/workflows/nanopi-r2c.yml
+++ b/.github/workflows/nanopi-r2c.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/orangepi-plus2.yml b/.github/workflows/orangepi-plus2.yml
index 58b43498fa..5f82d89d4b 100644
--- a/.github/workflows/orangepi-plus2.yml
+++ b/.github/workflows/orangepi-plus2.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/owa5x.yml b/.github/workflows/owa5x.yml
index 96288065d9..dc8a7c7650 100644
--- a/.github/workflows/owa5x.yml
+++ b/.github/workflows/owa5x.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/raspberrypi.yml b/.github/workflows/raspberrypi.yml
index 1d155e6937..4febead7f6 100644
--- a/.github/workflows/raspberrypi.yml
+++ b/.github/workflows/raspberrypi.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/raspberrypi2.yml b/.github/workflows/raspberrypi2.yml
index 4fdb65d913..1c187fa608 100644
--- a/.github/workflows/raspberrypi2.yml
+++ b/.github/workflows/raspberrypi2.yml
@@ -14,10 +14,17 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/raspberrypi3-64.yml b/.github/workflows/raspberrypi3-64.yml
index 0deb292e42..b2b8edc12f 100644
--- a/.github/workflows/raspberrypi3-64.yml
+++ b/.github/workflows/raspberrypi3-64.yml
@@ -14,12 +14,19 @@ on:
 # ESR branches glob pattern
 - "[0-9]+.[0-9]+.x"
+permissions:
+ id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+ actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+ pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+ packages: read
+ contents: read
+
 jobs:
 yocto:
 name: Yocto
 # FIXME: This workflow has dependencies on scripts in the balena-yocto-scripts repository
 # which is pinned separately as a submodule in the device repo. Expect some drift but try to retain compatibility.
- uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10
+ uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master
 # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events.
 # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork.
 # This condition will prevent the workflow from running twice for the same pull request while
diff --git a/.github/workflows/raspberrypi3.yml b/.github/workflows/raspberrypi3.yml
index 618c14d93a..22537f5c8b 100644
--- a/.github/workflows/raspberrypi3.yml
+++ b/.github/workflows/raspberrypi3.yml
@@ -14,12 +14,19 @@ on: # ESR branches glob pattern - "[0-9]+.[0-9]+.x" +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto # FIXME: This workflow has dependencies on scripts in the balena-yocto-scripts repository # which is pinned separately as a submodule in the device repo. Expect some drift but try to retain compatibility. - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/raspberrypi4-64.yml b/.github/workflows/raspberrypi4-64.yml index 9a430c7ab1..8265402149 100644 --- a/.github/workflows/raspberrypi4-64.yml +++ b/.github/workflows/raspberrypi4-64.yml 
@@ -14,12 +14,19 @@ on: # ESR branches glob pattern - "[0-9]+.[0-9]+.x" +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto # FIXME: This workflow has dependencies on scripts in the balena-yocto-scripts repository # which is pinned separately as a submodule in the device repo. Expect some drift but try to retain compatibility. - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/revpi-connect-4.yml b/.github/workflows/revpi-connect-4.yml index 08ec080434..dd897bbaff 100644 --- a/.github/workflows/revpi-connect-4.yml +++ b/.github/workflows/revpi-connect-4.yml 
@@ -14,10 +14,17 @@ on: # ESR branches glob pattern - "[0-9]+.[0-9]+.x" +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/revpi-connect-s.yml b/.github/workflows/revpi-connect-s.yml index c26750613d..c0dcd2ab88 100644 --- a/.github/workflows/revpi-connect-s.yml +++ b/.github/workflows/revpi-connect-s.yml 
@@ -14,10 +14,17 @@ on: # ESR branches glob pattern - "[0-9]+.[0-9]+.x" +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/revpi-connect.yml b/.github/workflows/revpi-connect.yml index 4f3e055e9b..b25d6a84b2 100644 --- a/.github/workflows/revpi-connect.yml +++ b/.github/workflows/revpi-connect.yml 
@@ -14,10 +14,17 @@ on: # ESR branches glob pattern - "[0-9]+.[0-9]+.x" +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/revpi-core-3.yml b/.github/workflows/revpi-core-3.yml index ad52ff79dc..adb7bcd615 100644 --- a/.github/workflows/revpi-core-3.yml +++ b/.github/workflows/revpi-core-3.yml 
@@ -14,10 +14,17 @@ on: # ESR branches glob pattern - "[0-9]+.[0-9]+.x" +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/rockpi-4b-rk3399.yml b/.github/workflows/rockpi-4b-rk3399.yml index 223fe02887..8b0672d14d 100644 --- a/.github/workflows/rockpi-4b-rk3399.yml +++ b/.github/workflows/rockpi-4b-rk3399.yml 
@@ -14,10 +14,17 @@ on: # ESR branches glob pattern - "[0-9]+.[0-9]+.x" +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/surface-go.yml b/.github/workflows/surface-go.yml index 52e296fb6c..5155cc72d5 100644 --- a/.github/workflows/surface-go.yml +++ b/.github/workflows/surface-go.yml 
@@ -14,10 +14,17 @@ on: # ESR branches glob pattern - "[0-9]+.[0-9]+.x" +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/surface-pro-6.yml b/.github/workflows/surface-pro-6.yml index 8133e1d8de..cb3df7d33e 100644 --- a/.github/workflows/surface-pro-6.yml +++ b/.github/workflows/surface-pro-6.yml 
@@ -14,10 +14,17 @@ on: # ESR branches glob pattern - "[0-9]+.[0-9]+.x" +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while diff --git a/.github/workflows/var-som-mx6..yml b/.github/workflows/var-som-mx6..yml index 4a46badf04..66f60ca9c2 100644 --- a/.github/workflows/var-som-mx6..yml +++ b/.github/workflows/var-som-mx6..yml 
@@ -14,10 +14,17 @@ on: # ESR branches glob pattern - "[0-9]+.[0-9]+.x" +permissions: + id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token + actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass + pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals. + packages: read + contents: read + jobs: yocto: name: Yocto - uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@2543e49b79e8161d5d2d9f4625ac70101594cd76 # v1.27.10 + uses: balena-os/balena-yocto-scripts/.github/workflows/yocto-build-deploy.yml@master # Prevent duplicate workflow executions for pull_request (PR) and pull_request_target (PRT) events. # Both PR and PRT will be triggered for the same pull request, whether it is internal or from a fork. # This condition will prevent the workflow from running twice for the same pull request while