fix: various workflow updates (GoogleCloudPlatform#3315)

* fix: updating checkout version and various workflow permissions * fix: other workflow updates
renovate-bot · Jun 30, 2023 · cfc5c03 · cfc5c03
1 parent da4e83f
commit cfc5c03
Show file tree

Hide file tree

Showing 11 changed files with 16 additions and 28 deletions.
diff --git a/.github/workflows/ai-platform-snippets.yaml b/.github/workflows/ai-platform-snippets.yaml
@@ -37,8 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     defaults:
       run:

diff --git a/.github/workflows/automl.yaml b/.github/workflows/automl.yaml
@@ -37,8 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     defaults:
       run:

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -25,7 +25,7 @@ jobs:
       id-token: 'write'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3.5.3
       - uses: actions/setup-node@v3
         with:
           node-version: 14
@@ -37,7 +37,7 @@ jobs:
       id-token: 'write'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3.5.3
       - uses: JustinBeckwith/linkinator-action@v1
         with:
           paths: "**/*.md"
@@ -48,5 +48,5 @@ jobs:
       id-token: 'write'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3.5.3
       - run: ./.github/workflows/utils/region-tags-tests.sh
diff --git a/.github/workflows/dialogflow-cx.yaml b/.github/workflows/dialogflow-cx.yaml
@@ -40,8 +40,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     defaults:
       run:

diff --git a/.github/workflows/functions-slack.yaml b/.github/workflows/functions-slack.yaml
@@ -34,10 +34,8 @@ on:
 jobs:
   test:
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
-
     if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
     runs-on: ubuntu-latest
     timeout-minutes: 120

diff --git a/.github/workflows/iam-deny.yaml b/.github/workflows/iam-deny.yaml
@@ -34,10 +34,8 @@ on:
 jobs:
   test:
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
-      id-token: 'write'
-
+      contents: 'read'
+      id-token: 'write' 
     if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
     runs-on: ubuntu-latest
     timeout-minutes: 120

diff --git a/.github/workflows/security-center-snippets.yaml b/.github/workflows/security-center-snippets.yaml
@@ -34,8 +34,7 @@ on:
 jobs:
   test:
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
     runs-on: ubuntu-latest

diff --git a/.github/workflows/storagetransfer.yaml b/.github/workflows/storagetransfer.yaml
@@ -34,8 +34,7 @@ on:
 jobs:
   test:
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
     runs-on: ubuntu-latest

diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -28,8 +28,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     defaults:
       run:

diff --git a/.github/workflows/utils/ci-secrets.yaml.njk b/.github/workflows/utils/ci-secrets.yaml.njk
@@ -37,17 +37,16 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 120
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     defaults:
       run:
         working-directory: '{{ path }}'
     steps:
-    - uses: actions/checkout@v3.3.0
+    - uses: actions/checkout@v3.5.3
       with:
         ref: ${% raw %}{{github.event.pull_request.head.sha}}{% endraw %}
-    - uses: 'google-github-actions/auth@v1.0.0'
+    - uses: 'google-github-actions/auth@v1.1.1'
       with:
         workload_identity_provider: 'projects/1046198160504/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider'
         service_account: 'kokoro-system-test@long-door-651.iam.gserviceaccount.com'

diff --git a/.github/workflows/vision.yaml b/.github/workflows/vision.yaml
@@ -34,8 +34,7 @@ on:
 jobs:
   test:
     permissions:
-      contents: 'write'
-      pull-requests: 'write'
+      contents: 'read'
       id-token: 'write'
     if: github.event.action != 'labeled' || github.event.label.name == 'actions:force-run'
     runs-on: ubuntu-latest