Skip to content

🌱 harden git workflows#2512

Merged
rahulait merged 1 commit into
NVIDIA:mainfrom
PrashantR30:main
Jun 26, 2026
Merged

🌱 harden git workflows#2512
rahulait merged 1 commit into
NVIDIA:mainfrom
PrashantR30:main

Conversation

@PrashantR30

@PrashantR30 PrashantR30 commented Jun 2, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Description

This PR hardens GitHub Actions workflows by disabling persisted Git credentials on checkout steps and explicitly scoping workflow permissions to the minimum required access.

The changes reduce the risk of unintended GITHUB_TOKEN exposure to later workflow steps while preserving existing CI behavior. Workflows that only read repository contents now use read-only permissions, while image publishing workflows keep the required package write permissions.

Checklist

  • No secrets, sensitive information, or unrelated changes
  • removed actions: write as the workflow only uses actions/stale to label, comment on, and close issues and does not appear to require permissions to manage workflow runs or other GitHub Actions resources.
  • Lint checks passing (make lint)
  • Generated assets in-sync (make validate-generated-assets)
  • Go mod artifacts in-sync (make validate-modules)
  • Test cases are added for new code paths

Testing

Validated the workflow YAML changes manually.
No application code was changed. This PR only updates GitHub Actions workflow configuration for credential and permission hardening, but still we let the test run to validate if the workflow operation works.

@copy-pr-bot

copy-pr-bot Bot commented Jun 2, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@PrashantR30 PrashantR30 force-pushed the main branch 3 times, most recently from 0936b38 to c53cfa8 Compare June 3, 2026 10:36
@rahulait

rahulait commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

Thanks @PrashantR30 for this change. Is there a specific reason why a subset of workflows were updated? For example, coverage.yaml, release-images-list.yaml, etc were not touched.

rajatchopra
rajatchopra requested changes Jun 10, 2026
View reviewed changes
Comment thread .github/workflows/image-builds.yaml Outdated
@PrashantR30 PrashantR30 force-pushed the main branch 4 times, most recently from 0ada2f6 to fdce937 Compare June 15, 2026 14:41
rahulait
rahulait reviewed Jun 15, 2026
View reviewed changes
Comment thread .github/workflows/release.yaml
@PrashantR30 PrashantR30 force-pushed the main branch 5 times, most recently from af39373 to 27c9873 Compare June 23, 2026 18:16
@PrashantR30 PrashantR30 requested a review from rajatchopra June 23, 2026 18:17
@tariq1890

tariq1890 commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

/ok to test 27c9873

@tariq1890

tariq1890 commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

@PrashantR30 Please note the following the github actions CI error below

The workflow is not valid. .github/workflows/ci.yaml (Line: 37, Col: 3): Error calling workflow 'NVIDIA/gpu-operator/.github/workflows/code-scanning.yaml@27c9873'. The nested job 'analyze' is requesting 'contents: read', but is only allowed 'contents: none'.

tariq1890
tariq1890 reviewed Jun 23, 2026
View reviewed changes
Comment thread .github/workflows/code-scanning.yaml Outdated
@tariq1890

tariq1890 commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

/ok to test 14a4bdb

@tariq1890

tariq1890 commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

@PrashantR30 Can you sign your commits?

@PrashantR30

PrashantR30 commented Jun 24, 2026

Copy link
Copy Markdown
Contributor Author

@PrashantR30 Can you sign your commits?

Commit was signed.

@PrashantR30

PrashantR30 commented Jun 26, 2026

Copy link
Copy Markdown
Contributor Author

Hello @rahulait, @tariq1890 and @rajatchopra , please review.

rahulait
rahulait reviewed Jun 26, 2026
View reviewed changes
Comment thread .github/workflows/stale.yaml
rahulait
rahulait reviewed Jun 26, 2026
View reviewed changes
Comment thread .github/workflows/forward-compatibility.yaml
@PrashantR30 PrashantR30 force-pushed the main branch 2 times, most recently from 2aa6159 to d136a2f Compare June 26, 2026 13:48
@PrashantR30
harden git workflows
b50451e 
Signed-off-by: PrashantR30 <pramhit@mirantis.com>
@rahulait

rahulait commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

/ok to test b50451e

@rahulait

rahulait commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

@rajatchopra can you provide your review as well?

@rahulait rahulait requested a review from tariq1890 June 26, 2026 19:53
rajatchopra
rajatchopra approved these changes Jun 26, 2026
View reviewed changes

@rajatchopra rajatchopra left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@rahulait rahulait merged commit a37981b into NVIDIA:main Jun 26, 2026
36 of 37 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rajatchopra rajatchopra rajatchopra approved these changes
@tariq1890 tariq1890 tariq1890 approved these changes
@rahulait rahulait rahulait approved these changes
@cdesiniotis cdesiniotis Awaiting requested review from cdesiniotis cdesiniotis is a code owner
@karthikvetrivel karthikvetrivel Awaiting requested review from karthikvetrivel karthikvetrivel is a code owner
@rajathagasthya rajathagasthya Awaiting requested review from rajathagasthya rajathagasthya is a code owner
@shivamerla shivamerla Awaiting requested review from shivamerla shivamerla is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@PrashantR30 @rahulait @tariq1890 @rajatchopra