
Polish gh-11367

Steve Riesenberg 3 years ago
parent
commit
3f4efedd23

+ 6 - 0
.github/workflows/backport-bot.yml

@@ -6,9 +6,15 @@ on:
   push:
     branches:
       - '*.x'
+permissions:
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v3
       - uses: actions/setup-java@v3
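Review bot: The job-level `permissions` block under `build` repeats `contents: read` from the new top-level block, and a reader may take that for redundancy and drop it; in GitHub Actions a job-level `permissions` map replaces the workflow-level one rather than merging with it, so every scope omitted there becomes `none` and the repeat is what keeps checkout working. A short comment on the job block would pin that down, e.g. `permissions:  # replaces the top-level block, so contents: read must be repeated`. The same repetition appears in the update_scheduled_release_version job of .github/workflows/update-scheduled-release-version.yml in this commit. The steps that need `issues: write` and `pull-requests: write` lie outside the hunk, so naming them in the same comment would help the next reader judge whether the scopes can be narrowed.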

+ 1 - 1
.github/workflows/clean_build_artifacts.yml

@@ -8,9 +8,9 @@ permissions:
 
 jobs:
   main:
+    runs-on: ubuntu-latest
     permissions:
       contents: none
-    runs-on: ubuntu-latest
     steps:
       - name: Delete artifacts in cron job
         env:

+ 10 - 2
.github/workflows/continuous-integration-workflow.yml

@@ -20,6 +20,9 @@ env:
   ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
   RUN_JOBS: ${{ github.repository == 'spring-projects/spring-security' }}
 
+permissions:
+  contents: read
+
 jobs:
   prerequisites:
     name: Pre-requisites for building
@@ -233,11 +236,11 @@ jobs:
           DOCS_SSH_KEY: ${{ secrets.DOCS_SSH_KEY }}
           DOCS_HOST: ${{ secrets.DOCS_HOST }}
   perform_release:
-    permissions:
-      contents: write  # for Git to git push
     name: Perform release
     needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     timeout-minutes: 90
     if: ${{ !endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
     env:
@@ -326,6 +329,9 @@ jobs:
     name: Perform post-release
     needs: [prerequisites, deploy_artifacts, deploy_docs, deploy_schema]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     timeout-minutes: 90
     if: ${{ endsWith(needs.prerequisites.outputs.project_version, '-SNAPSHOT') }}
     env:
@@ -341,6 +347,8 @@ jobs:
     needs: [build_jdk_17, snapshot_tests, check_samples, check_tangles, deploy_artifacts, deploy_docs, deploy_schema, perform_release, perform_post_release]
     if: failure()
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
     steps:
       - name: Send Slack message
         # Workaround while waiting for Gamesight/slack-workflow-status#38 to be fixed
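Review bot: In the perform_release hunk the moved `contents: write` loses its justification comment — the removed line read `contents: write  # for Git to git push` and the re-added line carries no comment. Write scopes are exactly the lines a future reviewer will question, so the comment should move with the key: `contents: write  # for Git to git push`. The post-release and notify jobs gain `issues: write` and `actions: read` without a comment either; a one-line note per scope naming the step that needs it would keep the file self-explaining. The enclosing job stanzas continue outside the hunks.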

+ 6 - 2
.github/workflows/milestone-spring-releasetrain.yml

@@ -5,12 +5,14 @@ on:
 env:
   DUE_ON: ${{ github.event.milestone.due_on }}
   TITLE: ${{ github.event.milestone.title }}
+permissions:
+  contents: read
 jobs:
   spring-releasetrain-checks:    
-    permissions:
-      contents: none
     name: Check DueOn is on a Release Date
     runs-on: ubuntu-latest
+    permissions:
+      contents: none
     steps:
     - name: Print Milestone Being Checked
       run: echo "Validating DueOn '$DUE_ON' for milestone '$TITLE'"
@@ -25,6 +27,8 @@ jobs:
     needs: [spring-releasetrain-checks]
     if: failure()
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
     steps:
       - name: Send Slack message
         uses: Gamesight/slack-workflow-status@v1.0.1
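Review bot: The new top-level `permissions:` block is wedged between the `env:` and `jobs:` stanzas with no blank line on either side, whereas the same block added to continuous-integration-workflow.yml and release-scheduler.yml in this commit is separated by blank lines; the backport-bot.yml hunk has the same layout. A blank line before `permissions:` and before `jobs:` would keep the six files consistent. The moved job-level block also sits under `spring-releasetrain-checks:    `, which carries trailing whitespace on the key line; since this stanza is being edited anyway, trimming it would satisfy yamllint's trailing-spaces rule. The job's steps use flush sequence indentation (`    - name:`) while the notify job uses indented sequences, which is pre-existing but worth aligning while here.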

+ 3 - 0
.github/workflows/release-scheduler.yml

@@ -5,6 +5,9 @@ on:
     - cron: '15 15 * * MON' # Every Monday at 3:15pm UTC
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   dispatch_scheduled_releases:
     name: Dispatch scheduled releases
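Review bot: Whether workflow-level `contents: read` is sufficient here depends on how dispatch_scheduled_releases triggers the releases, which is outside the hunk; if the job calls workflow_dispatch through GITHUB_TOKEN it would also need `actions: write` at job level, whereas a dispatch via a stored PAT is unaffected by this block. A comment on the new block stating which token the dispatch uses, e.g. `permissions:  # dispatch uses <token in use>, GITHUB_TOKEN only needs read`, would make the choice verifiable without reading the step.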

+ 6 - 0
.github/workflows/update-scheduled-release-version.yml

@@ -9,11 +9,17 @@ env:
   GRADLE_ENTERPRISE_CACHE_PASSWORD: ${{ secrets.GRADLE_ENTERPRISE_CACHE_PASSWORD }}
   GRADLE_ENTERPRISE_SECRET_ACCESS_KEY: ${{ secrets.GRADLE_ENTERPRISE_SECRET_ACCESS_KEY }}
 
+permissions:
+  contents: read
+
 jobs:
   update_scheduled_release_version:
     name: Initiate Release If Scheduled
     if: ${{ github.repository == 'spring-projects/spring-security' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
     steps:
       - id: checkout-source
         name: Checkout Source Code