diff --git a/.github/workflows/build-and-publish.yml b/.github/workflows/build-and-publish.yml index fb8aba04b..6be732e8e 100644 --- a/.github/workflows/build-and-publish.yml +++ b/.github/workflows/build-and-publish.yml @@ -11,8 +11,9 @@ jobs: cd-job: name: Continuous Delivery runs-on: ubuntu-24.04 + permissions: + contents: write steps: - - name: SCM Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 11673c959..835095da3 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -10,10 +10,14 @@ jobs: check-tag-version-job: name: Check Release Tag uses: ./.github/workflows/check-release-tag.yml + permissions: + contents: read cd-job: name: Continuous Delivery uses: ./.github/workflows/build-and-publish.yml + permissions: + contents: write secrets: PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} @@ -21,4 +25,8 @@ jobs: needs: [ cd-job ] name: Publish Documentation uses: ./.github/workflows/gh-pages.yml + permissions: + contents: read + pages: write + id-token: write diff --git a/.github/workflows/check-release-tag.yml b/.github/workflows/check-release-tag.yml index c0ff9a90b..8c4f4359d 100644 --- a/.github/workflows/check-release-tag.yml +++ b/.github/workflows/check-release-tag.yml @@ -1,14 +1,15 @@ name: Check Release Tag -on: workflow_call +on: + workflow_call: jobs: check-tag-version-job: - name: Check Tag Version runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 6d2475a6c..e7bda0a6f 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -8,7 +8,8 @@ jobs: Version-Check: name: Version runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 
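Review bot: The new `permissions` block is scoped to the single `cd-job` job, so any job added to this workflow later without its own block silently falls back to the repository's default token permissions instead of to least privilege. A workflow-level `permissions:` next to `on:` (outside this hunk), i.e. `permissions:` / `  contents: read`, with the job-level `contents: write` kept only on the job that actually needs it, makes the restrictive scope the default and reduces job-level blocks to documented exceptions; the same shape applies to every workflow in this commit (cd.yml, check-release-tag.yml, checks.yml, ci.yml, the matrix-*.yml files, merge-gate.yml, pr-merge.yml, report.yml, slow-checks.yml and their copies under exasol/toolbox/templates/github/workflows). Because listing any scope sets all unlisted scopes to `none`, the write grant on cd-job deserves a one-line justification so it is not widened blindly later, e.g. `contents: write  # <reason the release job writes to the repo>; all other scopes are none`. The steps that would confirm that reason are outside the hunk.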
@@ -25,7 +26,8 @@ jobs: name: Docs needs: [ Version-Check ] runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 @@ -40,8 +42,9 @@ jobs: Changelog: name: Changelog Update Check runs-on: ubuntu-24.04 + permissions: + contents: read if: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master' }} - steps: - name: SCM Checkout uses: actions/checkout@v4 @@ -55,11 +58,15 @@ jobs: build-matrix: name: Generate Build Matrix uses: ./.github/workflows/matrix-python.yml + permissions: + contents: read Lint: name: Linting (Python-${{ matrix.python-version }}) needs: [ Version-Check, build-matrix ] runs-on: ubuntu-24.04 + permissions: + contents: read strategy: fail-fast: false matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }} @@ -89,6 +96,8 @@ jobs: name: Type Checking (Python-${{ matrix.python-version }}) needs: [ Version-Check, build-matrix ] runs-on: ubuntu-24.04 + permissions: + contents: read strategy: fail-fast: false matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }} @@ -109,10 +118,11 @@ jobs: name: Security Checks (Python-${{ matrix.python-version }}) needs: [ Version-Check, build-matrix ] runs-on: ubuntu-24.04 + permissions: + contents: read strategy: fail-fast: false matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }} - steps: - name: SCM Checkout uses: actions/checkout@v4 @@ -135,7 +145,8 @@ jobs: Format: name: Format Check runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 @@ -150,6 +161,8 @@ jobs: name: Unit-Tests (Python-${{ matrix.python-version }}) needs: [ Documentation, Lint, Type-Check, Security, Format, build-matrix ] runs-on: ubuntu-24.04 + permissions: + contents: read env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} strategy: diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f069e5fa4..a0dc570c7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
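Review bot: The `Unit-Tests` job in the last hunk keeps `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` in `env` while the new block grants only `contents: read`; an explicit `permissions` block sets every unlisted scope to `none`, so any step that uses that token for more than reading the repository will now fail with a 403 at run time, and nothing in this change surfaces that. The steps consuming the token are outside the hunk, so I cannot see which scopes they need; please verify them, and the same check applies to the `Report` job in report.yml, which exports the token the same way. If the `Security Checks` job uploads findings to code scanning it additionally needs `security-events: write`, which `contents: read` does not include — confirm against its steps (also outside the hunk). A short comment on each block would keep the intent visible, e.g. `permissions:  # token is read-only here; add scopes explicitly if a step needs more`.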
@@ -16,7 +16,11 @@ jobs: CI: uses: ./.github/workflows/merge-gate.yml secrets: inherit + permissions: + contents: read Metrics: needs: [ CI ] uses: ./.github/workflows/report.yml + permissions: + contents: read \ No newline at end of file diff --git a/.github/workflows/matrix-all.yml b/.github/workflows/matrix-all.yml index 7dabb1ddb..dc565241d 100644 --- a/.github/workflows/matrix-all.yml +++ b/.github/workflows/matrix-all.yml @@ -9,9 +9,9 @@ on: jobs: all_versions: - runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/matrix-exasol.yml b/.github/workflows/matrix-exasol.yml index ea9ca9282..db45a4262 100644 --- a/.github/workflows/matrix-exasol.yml +++ b/.github/workflows/matrix-exasol.yml @@ -9,9 +9,9 @@ on: jobs: exasol_versions: - runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/matrix-python.yml b/.github/workflows/matrix-python.yml index d29a85a47..5d105e1ce 100644 --- a/.github/workflows/matrix-python.yml +++ b/.github/workflows/matrix-python.yml @@ -9,9 +9,9 @@ on: jobs: python_versions: - + permissions: + contents: read runs-on: ubuntu-24.04 - steps: - name: SCM Checkout uses: actions/checkout@v4 diff --git a/.github/workflows/merge-gate.yml b/.github/workflows/merge-gate.yml index de9e80492..df2ff3996 100644 --- a/.github/workflows/merge-gate.yml +++ b/.github/workflows/merge-gate.yml @@ -8,15 +8,21 @@ jobs: fast-checks: name: Fast uses: ./.github/workflows/checks.yml + permissions: + contents: read slow-checks: name: Slow uses: ./.github/workflows/slow-checks.yml + permissions: + contents: read # This job ensures inputs have been executed successfully. approve-merge: name: Allow Merge runs-on: ubuntu-24.04 + permissions: + contents: read # If you need additional jobs to be part of the merge gate, add them below needs: [ fast-checks, slow-checks ] 
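Review bot: `.github/workflows/ci.yml` is left without a trailing newline (`\ No newline at end of file` directly after the added `contents: read`), while the template copy of the same file in this commit ends with one; add the final newline so the two files stay byte-identical. The `CI` job's `secrets: inherit` (the context line above the new block) still forwards every repository secret to merge-gate.yml and whatever it calls, so the token scope is narrowed here but the secret surface is not. Listing only the secrets the called workflows actually use, as cd.yml already does with `PYPI_TOKEN`, would complete the least-privilege change this commit starts.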
diff --git a/.github/workflows/pr-merge.yml b/.github/workflows/pr-merge.yml index 7a4fc86b1..e5503575b 100644 --- a/.github/workflows/pr-merge.yml +++ b/.github/workflows/pr-merge.yml @@ -11,11 +11,19 @@ jobs: ci-job: name: Checks uses: ./.github/workflows/checks.yml + permissions: + contents: read publish-docs: name: Publish Documentation uses: ./.github/workflows/gh-pages.yml + permissions: + contents: read + pages: write + id-token: write metrics: needs: [ ci-job ] uses: ./.github/workflows/report.yml + permissions: + contents: read diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml index 56c5c3499..8a5fb7df4 100644 --- a/.github/workflows/report.yml +++ b/.github/workflows/report.yml @@ -7,6 +7,8 @@ jobs: Report: runs-on: ubuntu-24.04 + permissions: + contents: read env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/slow-checks.yml b/.github/workflows/slow-checks.yml index a19747208..999d459aa 100644 --- a/.github/workflows/slow-checks.yml +++ b/.github/workflows/slow-checks.yml @@ -8,11 +8,15 @@ jobs: build-matrix: name: Generate Build Matrix uses: ./.github/workflows/matrix-all.yml + permissions: + contents: read Tests: name: Integration-Tests (Python-${{ matrix.python-version }}, Exasol-${{ matrix.exasol-version}}) needs: [ build-matrix ] runs-on: ubuntu-24.04 + permissions: + contents: read # Even though the environment "manual-approval" will be created automatically, # it still needs to be configured to require interactive review. # See project settings on GitHub (Settings / Environments / manual-approval). diff --git a/doc/changes/unreleased.md b/doc/changes/unreleased.md index 5a03f01d8..c63b59f0b 100644 --- a/doc/changes/unreleased.md +++ b/doc/changes/unreleased.md 
@@ -1,9 +1,28 @@ # Unreleased +## Summary + +With #420, any GitHub repos using the PTB for **documentation** will also need to +reconfigure the GitHub Pages settings for each repo: +1. Go to the affected repo's GitHub page +2. Select 'Settings' +3. Scroll down & select 'Pages' +4. Within the 'Build and deployment' section, change 'Source' to 'GitHub Actions'. + +This should also create a 'github-pages' environment, if it does not yet exist. +For most repos using the PTB, the updating of the github pages only happens when a +PR is merged to main, so please check post-merge that it worked as expected. + +With #422, we have hardened the security in our GitHub workflows by explicitly +setting permissions to the default GitHub token. In a few repos who greatly differ +from the default PTB setup, this might lead to small issues which require the allowed +permissions to be increased for specific jobs. + ## βš’οΈ Refactorings * [#412](https://github.com/exasol/python-toolbox/issues/392): Refactored pre commit hook package version.py into nox task ## Security -* [#420](https://github.com/exasol/python-toolbox/issues/420): Replaced 3rd party action with GitHub actions for gh-pages \ No newline at end of file +* [#420](https://github.com/exasol/python-toolbox/issues/420): Replaced 3rd party action with GitHub actions for gh-pages +* [#422](https://github.com/exasol/python-toolbox/issues/422): Set permissions within the GitHub workflows to restrict usage of the default GitHub token \ No newline at end of file diff --git a/doc/user_guide/getting_started.rst b/doc/user_guide/getting_started.rst index e2a36aa80..0dbf48231 100644 --- a/doc/user_guide/getting_started.rst +++ b/doc/user_guide/getting_started.rst 
@@ -179,7 +179,17 @@ forward, and you just can use the example *noxfile.py* below. .. _toolbox tasks: -7. Go πŸ₯œ +7. Setup for deploying documentation (optional) ++++++++++++++++++++++++++++++++++++++++++++++++ +Within the `gh-pages.yml`, we use the GitHub `upload-pages-artifact` and `deploy-pages` +actions. In order to properly deploy your pages, you'll need to reconfigure the GitHub +Pages settings for the repo: +1. Go to the affected repo's GitHub page +2. Select 'Settings' +3. Scroll down & select 'Pages' +4. Within the 'Build and deployment' section, change 'Source' to 'GitHub Actions'. + +8. Go πŸ₯œ +++++++++++++ You are ready to use the toolbox. With *nox -l* you can list all available tasks. diff --git a/exasol/toolbox/templates/github/workflows/build-and-publish.yml b/exasol/toolbox/templates/github/workflows/build-and-publish.yml index b0ef1acc0..5abcfe1be 100644 --- a/exasol/toolbox/templates/github/workflows/build-and-publish.yml +++ b/exasol/toolbox/templates/github/workflows/build-and-publish.yml @@ -11,8 +11,9 @@ jobs: cd-job: name: Continuous Delivery runs-on: ubuntu-24.04 + permissions: + contents: write steps: - - name: SCM Checkout uses: actions/checkout@v4 diff --git a/exasol/toolbox/templates/github/workflows/cd.yml b/exasol/toolbox/templates/github/workflows/cd.yml index 11673c959..835095da3 100644 --- a/exasol/toolbox/templates/github/workflows/cd.yml +++ b/exasol/toolbox/templates/github/workflows/cd.yml @@ -10,10 +10,14 @@ jobs: check-tag-version-job: name: Check Release Tag uses: ./.github/workflows/check-release-tag.yml + permissions: + contents: read cd-job: name: Continuous Delivery uses: ./.github/workflows/build-and-publish.yml + permissions: + contents: write secrets: PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} @@ -21,4 +25,8 @@ jobs: needs: [ cd-job ] name: Publish Documentation uses: ./.github/workflows/gh-pages.yml + permissions: + contents: read + pages: write + id-token: write 
diff --git a/exasol/toolbox/templates/github/workflows/check-release-tag.yml b/exasol/toolbox/templates/github/workflows/check-release-tag.yml index d62fe416d..5297a8f72 100644 --- a/exasol/toolbox/templates/github/workflows/check-release-tag.yml +++ b/exasol/toolbox/templates/github/workflows/check-release-tag.yml @@ -1,14 +1,15 @@ name: Check Release Tag -on: workflow_call +on: + workflow_call: jobs: check-tag-version-job: - name: Check Tag Version runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 diff --git a/exasol/toolbox/templates/github/workflows/checks.yml b/exasol/toolbox/templates/github/workflows/checks.yml index cf650ff62..456e7f395 100644 --- a/exasol/toolbox/templates/github/workflows/checks.yml +++ b/exasol/toolbox/templates/github/workflows/checks.yml @@ -4,11 +4,11 @@ on: workflow_call: jobs: - Version-Check: name: Version runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 @@ -31,7 +31,8 @@ jobs: name: Docs needs: [ Version-Check ] runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 @@ -46,12 +47,15 @@ jobs: build-matrix: name: Generate Build Matrix uses: ./.github/workflows/matrix-python.yml + permissions: + contents: read Changelog: name: Changelog Update Check runs-on: ubuntu-24.04 + permissions: + contents: read if: ${{ github.ref != 'refs/heads/main' && github.ref != 'refs/heads/master' }} - steps: - name: SCM Checkout uses: actions/checkout@v4 @@ -66,10 +70,11 @@ jobs: name: Linting (Python-${{ matrix.python-version }}) needs: [ Version-Check, build-matrix ] runs-on: ubuntu-24.04 + permissions: + contents: read strategy: fail-fast: false matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }} - steps: - name: SCM Checkout uses: actions/checkout@v4 
@@ -95,6 +100,8 @@ jobs: name: Type Checking (Python-${{ matrix.python-version }}) needs: [ Version-Check, build-matrix ] runs-on: ubuntu-24.04 + permissions: + contents: read strategy: fail-fast: false matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }} @@ -115,6 +122,8 @@ jobs: name: Security Checks (Python-${{ matrix.python-version }}) needs: [ Version-Check, build-matrix ] runs-on: ubuntu-24.04 + permissions: + contents: read strategy: fail-fast: false matrix: ${{ fromJson(needs.build-matrix.outputs.matrix) }} @@ -141,7 +150,8 @@ jobs: Format: name: Format Check runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 @@ -156,6 +166,8 @@ jobs: name: Unit-Tests (Python-${{ matrix.python-version }}) needs: [ Documentation, Lint, Type-Check, Security, Format, build-matrix ] runs-on: ubuntu-24.04 + permissions: + contents: read env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} strategy: diff --git a/exasol/toolbox/templates/github/workflows/ci.yml b/exasol/toolbox/templates/github/workflows/ci.yml index f069e5fa4..e1b61aee9 100644 --- a/exasol/toolbox/templates/github/workflows/ci.yml +++ b/exasol/toolbox/templates/github/workflows/ci.yml @@ -8,7 +8,7 @@ on: - "main" - "master" schedule: - # β€œAt 00:00 on every 7th day-of-month from 1 through 31.” (https://crontab.guru) + # "At 00:00 on every 7th day-of-month from 1 through 31." (https://crontab.guru) - cron: "0 0 1/7 * *" jobs: @@ -16,7 +16,11 @@ jobs: CI: uses: ./.github/workflows/merge-gate.yml secrets: inherit + permissions: + contents: read Metrics: needs: [ CI ] uses: ./.github/workflows/report.yml + permissions: + contents: read diff --git a/exasol/toolbox/templates/github/workflows/matrix-all.yml b/exasol/toolbox/templates/github/workflows/matrix-all.yml index 8287d9e03..b85a27aca 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-all.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-all.yml 
@@ -9,9 +9,9 @@ on: jobs: all_versions: - runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 diff --git a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml index 0af005569..741e156b5 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-exasol.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-exasol.yml @@ -9,9 +9,9 @@ on: jobs: exasol_versions: - runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 diff --git a/exasol/toolbox/templates/github/workflows/matrix-python.yml b/exasol/toolbox/templates/github/workflows/matrix-python.yml index db4fae2a3..76f0ce0cf 100644 --- a/exasol/toolbox/templates/github/workflows/matrix-python.yml +++ b/exasol/toolbox/templates/github/workflows/matrix-python.yml @@ -9,9 +9,9 @@ on: jobs: python_versions: - runs-on: ubuntu-24.04 - + permissions: + contents: read steps: - name: SCM Checkout uses: actions/checkout@v4 diff --git a/exasol/toolbox/templates/github/workflows/merge-gate.yml b/exasol/toolbox/templates/github/workflows/merge-gate.yml index de9e80492..df2ff3996 100644 --- a/exasol/toolbox/templates/github/workflows/merge-gate.yml +++ b/exasol/toolbox/templates/github/workflows/merge-gate.yml @@ -8,15 +8,21 @@ jobs: fast-checks: name: Fast uses: ./.github/workflows/checks.yml + permissions: + contents: read slow-checks: name: Slow uses: ./.github/workflows/slow-checks.yml + permissions: + contents: read # This job ensures inputs have been executed successfully. approve-merge: name: Allow Merge runs-on: ubuntu-24.04 + permissions: + contents: read # If you need additional jobs to be part of the merge gate, add them below needs: [ fast-checks, slow-checks ] diff --git a/exasol/toolbox/templates/github/workflows/pr-merge.yml b/exasol/toolbox/templates/github/workflows/pr-merge.yml index e4be0103a..3136b6b31 100644 
--- a/exasol/toolbox/templates/github/workflows/pr-merge.yml +++ b/exasol/toolbox/templates/github/workflows/pr-merge.yml @@ -14,12 +14,19 @@ jobs: ci-job: name: Checks uses: ./.github/workflows/checks.yml - secrets: inherit + permissions: + contents: read publish-docs: name: Publish Documentation uses: ./.github/workflows/gh-pages.yml + permissions: + contents: read + pages: write + id-token: write metrics: needs: [ ci-job ] uses: ./.github/workflows/report.yml + permissions: + contents: read diff --git a/exasol/toolbox/templates/github/workflows/report.yml b/exasol/toolbox/templates/github/workflows/report.yml index bf23c7d57..64db815c0 100644 --- a/exasol/toolbox/templates/github/workflows/report.yml +++ b/exasol/toolbox/templates/github/workflows/report.yml @@ -7,6 +7,8 @@ jobs: report: runs-on: ubuntu-24.04 + permissions: + contents: read env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/exasol/toolbox/templates/github/workflows/slow-checks.yml b/exasol/toolbox/templates/github/workflows/slow-checks.yml index 3b6019011..02b047e73 100644 --- a/exasol/toolbox/templates/github/workflows/slow-checks.yml +++ b/exasol/toolbox/templates/github/workflows/slow-checks.yml @@ -8,11 +8,15 @@ jobs: build-matrix: name: Generate Build Matrix uses: ./.github/workflows/matrix-all.yml + permissions: + contents: read Tests: name: Integration-Tests (Python-${{ matrix.python-version }}, Exasol-${{ matrix.exasol-version}}) needs: [ build-matrix ] runs-on: ubuntu-24.04 + permissions: + contents: read # Even though the environment "manual-approval" will be created automatically, # it still needs to be configured to require interactive review. # See project settings on GitHub (Settings / Environments / manual-approval).
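Review bot: Removing `secrets: inherit` from the `ci-job` call in the template's pr-merge.yml is a behaviour change beyond adding `permissions`: downstream repositories generated from this template will no longer pass any repository secret to checks.yml. `GITHUB_TOKEN` itself is still available to the called workflow, so the `Unit-Tests` job's `env` keeps working, but a project whose checks.yml reads any other secret (a coverage or registry token, for example) will break only at run time. Either keep the line, or record the removal in the #422 changelog entry so the migration note for diverging repositories covers it. The repository's own `.github/workflows/pr-merge.yml` hunk in this commit never had the line, so after this change the two copies agree.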