diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 80c998bb4b..f155469d6a 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -44,7 +44,6 @@ jobs:
 runs-on: ubuntu-22.04
 permissions:
 contents: read # for docker/build-push-action to read repo content
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
 id-token: write # for OIDC login to GCR
 packages: write # for docker/build-push-action to push to GHCR
 pull-requests: write # for scout report
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cc2fc330f6..fdd6cdba4f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -306,7 +306,6 @@ jobs:
 permissions:
 contents: read
 actions: read
- security-events: write
 id-token: write
 packages: write
 pull-requests: write # for scout report
@@ -331,7 +330,6 @@ jobs:
 full-build: ${{ inputs.force && inputs.force || false }}
 permissions:
 contents: read
- security-events: write
 id-token: write
 pull-requests: write # for scout report
 secrets: inherit
@@ -356,8 +354,7 @@ jobs:
 full-build: ${{ inputs.force && inputs.force || false }}
 permissions:
 contents: read
- security-events: write
- id-token: write
+ id-token: write # gcr login
 pull-requests: write # for scout report
 secrets: inherit

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 829e8a3dfd..612316ee66 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -77,5 +77,17 @@ repos:
 hooks:
 - id: markdownlint-cli2

+ - repo: https://github.com/rhysd/actionlint
+ rev: v1.7.1
+ hooks:
+ - id: actionlint
+ name: Lint GitHub Actions workflow files
+ description: Runs actionlint to lint GitHub Actions workflow files
+ language: golang
+ types: ["yaml"]
+ files: ^\.github/workflows/
+ entry: actionlint
+ args: ["-shellcheck",""]
+
 ci:
 skip: [golang-diff, golangci-lint, check-jsonschema, markdownlint-cli2]
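Review bot: The reason for `id-token: write` is documented only on this job (`# gcr login`); the jobs in the ci.yml hunks at -306 and -331 keep the same grant with no comment, and build-oss.yml words it differently. Because this permission lets a job request an OIDC token, every grant should state its reason in the same words, for example `id-token: write # for OIDC login to GCR`. Separately, the jobs with `secrets: inherit` look like reusable-workflow calls whose targets are not all visible in this diff; if any called workflow other than build-oss.yml still declares `security-events: write`, the caller no longer grants it, so confirm those callees were trimmed as well. The job definitions start and end outside these hunks.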
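Review bot: `args: ["-shellcheck",""]` passes an empty path to actionlint's `-shellcheck` flag, which turns off its shellcheck integration, so `run:` scripts in the workflows are no longer checked for quoting and word-splitting mistakes, and nothing in the hunk says why. If that is deliberate, record it in a comment above the line, such as `# shellcheck integration disabled: <reason>; re-enable once run: scripts pass`. `rev: v1.7.1` is a tag that upstream can move; `pre-commit autoupdate --freeze` rewrites it to a full commit hash and keeps the tag as a trailing comment. The `name`, `description`, `language`, `types`, `files` and `entry` keys appear to repeat what the upstream hook manifest already supplies for `id: actionlint` and could probably be dropped so they cannot drift; confirm against that manifest. The enclosing `repos:` list starts outside the hunk.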