
Ci/zizmor #693

Open

StaticRocket wants to merge 10 commits into TexasInstruments:master from StaticRocket:ci/zizmor

Conversation

@StaticRocket (Member)

  • ci: remove branch check for ready workflows

    The commit-check and component-owners workflows are currently ready to run on
    all branches. Remove the restraints for these two workflows.

    Other workflows will need to be adjusted before they can be released.

    Signed-off-by: Randolph Sapp <rs@ti.com>

  • ci: assign workflow concurrency groups for prs

    Assign concurrency groups for PR-based workflows to prevent issues with users
    submitting multiple pushes in a short time.

    Signed-off-by: Randolph Sapp <rs@ti.com>

  • ci(docker): add concurrency group for docker

    Interactions with tags and publishing container images should be purely
    sequential. Limit job concurrency to prevent any issues with multiple rapid
    updates to docker components.

    Signed-off-by: Randolph Sapp <rs@ti.com>

  • ci(deploy): add a pages concurrency group

    There can only be one deployment at any one time and it has to be a full
    snapshot. No piecemeal updates. Might as well use a concurrency limit to kill
    any other jobs that get in our way. Not that there ever should be any,
    considering the way this job is launched currently.

    Signed-off-by: Randolph Sapp <rs@ti.com>

  • ci(build): add a name for the collect job

    Add a description/name for the collect job in the build workflow.

    Signed-off-by: Randolph Sapp <rs@ti.com>

  • ci: trim and document unusual permissions

    Remove any permissions not explicitly needed at the moment. Add inline
    comments to explain the use of any remaining unusual workflow permissions.

    Signed-off-by: Randolph Sapp <rs@ti.com>

  • ci: use env vars instead of template values

    Use env vars to pass values into scripts to prevent possible template
    injection issues.

    Signed-off-by: Randolph Sapp <rs@ti.com>

  • ci: clamp permissions for each workflow

    Clamp the workflow permissions to the minimum values required. Individual jobs
    can request other permissions if they need them.

    Signed-off-by: Randolph Sapp <rs@ti.com>

  • ci(build): use ref name env variable

    Use the ref name environment variable instead of the ref name directly to
    prevent any unusual command injection.

    Signed-off-by: Randolph Sapp <rs@ti.com>

  • ci: disable persist-credentials on checkout

    No reason to keep any credentials around from this step.

    Signed-off-by: Randolph Sapp <rs@ti.com>
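
As an added example (not a workflow from this PR or from the TexasInstruments repository), the workflow below applies the hardening steps from the commit list above to a single PR-triggered workflow, with the weak template-expansion pattern left beside its corrected form as a comment. The workflow name, the `scripts/build.sh` path and the `gh pr comment` step are assumptions made for illustration.

```yaml
# Added example, not the PR's own workflow. Names, paths and the build
# script are hypothetical.
name: example-pr-checks

on:
  pull_request:

# Clamp the default GITHUB_TOKEN to read-only for every job; a job that
# needs more requests it explicitly at the job level
# (commit "ci: clamp permissions for each workflow").
permissions:
  contents: read

# One run per pull request: a second push to the same PR cancels the run
# already in flight instead of racing it
# (commit "ci: assign workflow concurrency groups for prs").
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  check:
    name: Lint and build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config where every later step,
          # including third-party actions, can read it
          # (commit "ci: disable persist-credentials on checkout").
          persist-credentials: false

      # WEAK: a ${{ }} expression is substituted into the script text before
      # the shell parses it, so a PR title such as
      #     "; id; echo "
      # turns the line into   echo "Checking PR: "; id; echo ""
      # and runs attacker-chosen commands with the job's token.
      # - run: echo "Checking PR: ${{ github.event.pull_request.title }}"

      # HARDENED: the value enters the script as an environment variable and
      # is only ever data to the shell
      # (commit "ci: use env vars instead of template values").
      - name: Report PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking PR: $PR_TITLE"

      # Same idea for the branch name: use the runner-provided GITHUB_REF_NAME
      # rather than expanding ${{ github.ref_name }} into the script
      # (commit "ci(build): use ref name env variable").
      - name: Build
        run: ./scripts/build.sh "$GITHUB_REF_NAME"   # build.sh is hypothetical

  comment:
    name: Post results
    needs: check
    runs-on: ubuntu-latest
    # Only this job gets write access, only to the scope it uses, and the
    # reason is recorded inline
    # (commit "ci: trim and document unusual permissions").
    # Note: for pull requests opened from forks the token stays read-only
    # whatever is requested here.
    permissions:
      pull-requests: write   # needed to create the PR comment below
    steps:
      - name: Comment on PR
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "checks passed"
```

The same `concurrency` key serves the image-publish case described in the docker commit: with `cancel-in-progress: false`, runs in the same group are queued rather than cancelled, so tag and publish steps execute one at a time. One caveat: GitHub keeps at most one pending run per group, so a third push arriving while one run is active and one is pending replaces the pending run rather than queuing a second. To confirm a workflow no longer trips the checks these commits address, run `zizmor .github/workflows` (the linter the branch name refers to); its `template-injection`, `excessive-permissions` and `artipacked` audits cover the expression expansion, permissions and persist-credentials points respectively.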
