Add GitHub Monitor action to all jobs

semgr8ns · Aug 5, 2024 · da370b8 · da370b8
1 parent 0d60025
commit da370b8
Show file tree

Hide file tree

Showing 17 changed files with 105 additions and 0 deletions.
diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
@@ -28,6 +28,9 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      with:
+        config: ${{ vars.PERMISSIONS_CONFIG }}
     - name: Install Cosign
       uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 (probably)
     - name: Set up Docker buildx

diff --git a/.github/actions/context/action.yaml b/.github/actions/context/action.yaml
@@ -46,6 +46,9 @@ outputs:
 runs:
   using: "composite"
   steps:
+    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      with:
+        config: ${{ vars.PERMISSIONS_CONFIG }}
     - name: Get chart version
       id: get_chart_version
       uses: mikefarah/yq@47f4f8c7939f887e851b35f14def6741b8f5396e # v4.31.2

diff --git a/.github/actions/grype/action.yaml b/.github/actions/grype/action.yaml
@@ -20,6 +20,9 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      with:
+        config: ${{ vars.PERMISSIONS_CONFIG }}
     - name: Login with registry
       if: inputs.registry != ''
       uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0

diff --git a/.github/actions/k3s-cluster/action.yaml b/.github/actions/k3s-cluster/action.yaml
@@ -27,6 +27,9 @@ outputs:
 runs:
   using: "composite"
   steps:
+    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      with:
+        config: ${{ vars.PERMISSIONS_CONFIG }}
     - name: Setup k3s ${{ inputs.k3s-channel }}
       run: |
         curl -sfL https://get.k3s.io | INSTALL_K3S_CHANNEL="${{ inputs.k3s-channel }}" sh -s -

diff --git a/.github/actions/k8s-version-config/action.yaml b/.github/actions/k8s-version-config/action.yaml
@@ -7,6 +7,9 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      with:
+        config: ${{ vars.PERMISSIONS_CONFIG }}
     - name: Install yq and bash
       run: |
         sudo snap install yq

diff --git a/.github/actions/trivy-config/action.yaml b/.github/actions/trivy-config/action.yaml
@@ -7,6 +7,9 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      with:
+        config: ${{ vars.PERMISSIONS_CONFIG }}
     - name: Create reports folder
       run: |
         mkdir reports

diff --git a/.github/actions/trivy-image/action.yaml b/.github/actions/trivy-image/action.yaml
@@ -20,6 +20,9 @@ inputs:
 runs:
   using: "composite"
   steps:
+    - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+      with:
+        config: ${{ vars.PERMISSIONS_CONFIG }}
     - name: Login with registry
       if: inputs.registry != ''
       uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0

diff --git a/.github/workflows/.reusable-build.yml b/.github/workflows/.reusable-build.yml
@@ -62,6 +62,9 @@ jobs:
       build_image: ${{ steps.get_context.outputs.build_image }}
       build_labels: ${{ steps.get_context.outputs.build_labels }}
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Get context
@@ -78,6 +81,9 @@ jobs:
       id-token: write
       packages: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Build semgr8s

diff --git a/.github/workflows/.reusable-ci.yml b/.github/workflows/.reusable-ci.yml
@@ -63,6 +63,9 @@ jobs:
       skip_integration_tests: ${{ steps.conditionals.outputs.skip_integration_tests }}
       output_type: ${{ steps.conditionals.outputs.output_type }}
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: CI conditionals
         id: conditionals
         run: |

diff --git a/.github/workflows/.reusable-cleanup-registry.yml b/.github/workflows/.reusable-cleanup-registry.yml
@@ -9,6 +9,9 @@ jobs:
   cleanup-registry:
     runs-on: ubuntu-latest
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Cleanup test images
         uses: snok/container-retention-policy@4f22ef80902ad409ed55a99dc5133cc1250a0d03 # v3.0.0
         with:

diff --git a/.github/workflows/.reusable-compliance.yml b/.github/workflows/.reusable-compliance.yml
@@ -21,6 +21,9 @@ jobs:
       pull-requests: write
       security-events: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
@@ -48,6 +51,9 @@ jobs:
       contents: write
       pull-requests: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Review
@@ -62,6 +68,9 @@ jobs:
       inputs.skip != 'all'
     permissions: {}
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:

diff --git a/.github/workflows/.reusable-docs.yml b/.github/workflows/.reusable-docs.yml
@@ -19,6 +19,9 @@ jobs:
     permissions:
       contents: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:

diff --git a/.github/workflows/.reusable-integration-test.yml b/.github/workflows/.reusable-integration-test.yml
@@ -45,6 +45,9 @@ jobs:
             "audit",
           ]
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Login with registry
@@ -101,6 +104,9 @@ jobs:
             "semgrep_login",
           ]
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Login with registry
@@ -156,6 +162,9 @@ jobs:
             "v1.30",
           ]
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Login with registry
@@ -211,6 +220,9 @@ jobs:
             "v1.26",
           ]
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Login with registry

diff --git a/.github/workflows/.reusable-sast.yml b/.github/workflows/.reusable-sast.yml
@@ -24,6 +24,9 @@ jobs:
     permissions:
       security-events: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Install python
@@ -59,6 +62,9 @@ jobs:
       inputs.skip != 'non-required' &&
       inputs.skip != 'all'
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Install python
@@ -88,6 +94,9 @@ jobs:
     permissions:
       security-events: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Render Helm charts
@@ -128,6 +137,9 @@ jobs:
       security-events: write
       pull-requests: read
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
     - name: Checkout repository
       uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
     - name: Initialize CodeQL
@@ -146,6 +158,9 @@ jobs:
     permissions:
       security-events: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Scan
@@ -178,6 +193,9 @@ jobs:
     permissions:
       security-events: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Scan
@@ -208,6 +226,9 @@ jobs:
       (github.actor != 'dependabot[bot]') &&
       inputs.skip != 'all'
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Install python
@@ -240,6 +261,9 @@ jobs:
     env:
       SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Scan
@@ -264,6 +288,9 @@ jobs:
     permissions:
       security-events: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Run Trivy

diff --git a/.github/workflows/.reusable-sca.yml b/.github/workflows/.reusable-sca.yml
@@ -40,6 +40,9 @@ jobs:
     container:
       image: docker:stable
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Run
@@ -63,6 +66,9 @@ jobs:
     container:
       image: docker:stable
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Run
@@ -85,6 +91,9 @@ jobs:
       packages: read
       contents: write
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Login with registry
         if: inputs.registry != ''
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0

diff --git a/.github/workflows/.reusable-unit-test.yml b/.github/workflows/.reusable-unit-test.yml
@@ -18,6 +18,9 @@ jobs:
     runs-on: ubuntu-latest
     if: inputs.skip != 'all'
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Set up Docker buildx
@@ -58,6 +61,9 @@ jobs:
     if: |
       inputs.skip != 'all'
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Install python
@@ -87,6 +93,9 @@ jobs:
     if: |
       inputs.skip != 'all'
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Install python

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -18,5 +18,8 @@ jobs:
     container:
       image: semgrep/semgrep
     steps:
+      - uses: GitHubSecurityLab/actions-permissions/monitor@v1
+        with:
+          config: ${{ vars.PERMISSIONS_CONFIG }}
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - run: semgrep ci