From 6318d3bb76dd3e63f1cb60a5aefbc0d18c499a49 Mon Sep 17 00:00:00 2001 From: Patrick St-Louis Date: Tue, 24 Feb 2026 12:28:43 -0500 Subject: [PATCH 1/2] ci: scope permissions to jobs and fix workflow syntax Signed-off-by: Patrick St-Louis --- .github/actions/run-integration-tests/action.yml | 5 +++-- .github/workflows/bdd-integration-tests.yml | 6 ++++-- .github/workflows/bdd-interop-tests.yml | 9 ++++----- .github/workflows/codeql.yml | 6 ++---- .github/workflows/format.yml | 11 +++++------ .github/workflows/nightly.yml | 13 ++++++++----- .github/workflows/pip-audit.yml | 5 ++--- .github/workflows/pr-tests.yml | 13 ++++++++----- .github/workflows/publish-docs.yml | 3 --- .github/workflows/publish.yml | 3 --- .github/workflows/pythonpublish.yml | 4 +--- .github/workflows/scenario-integration-tests.yml | 9 ++++----- .github/workflows/scorecard.yml | 4 +++- .github/workflows/snyk-lts.yml | 3 --- .github/workflows/snyk.yml | 3 --- .github/workflows/sonar-merge-main.yml | 7 +++---- .github/workflows/sonar-pr.yml | 9 ++++----- .github/workflows/tag-recreate-lts.yml | 8 ++++---- 18 files changed, 55 insertions(+), 66 deletions(-) diff --git a/.github/actions/run-integration-tests/action.yml b/.github/actions/run-integration-tests/action.yml index f28e4c2b1a..8405e887a5 100644 --- a/.github/actions/run-integration-tests/action.yml +++ b/.github/actions/run-integration-tests/action.yml 
@@ -19,10 +19,11 @@ runs: steps: - name: run-integration-tests-acapy # to run with external ledger and tails server run as follows (and remove the ledger and tails actions from the workflow): - # run: LEDGER_URL=https://test.bcovrin.vonx.io PUBLIC_TAILS_URL=https://tails.vonx.io ./run_bdd ${{ inputs.TEST_SCOPE }} - run: ./run_bdd ${{ inputs.TEST_SCOPE }} + # run: LEDGER_URL=... PUBLIC_TAILS_URL=... ./run_bdd $TEST_SCOPE + run: ./run_bdd $TEST_SCOPE shell: bash env: + TEST_SCOPE: ${{ inputs.TEST_SCOPE }} LEDGER_URL: ${{ inputs.IN_LEDGER_URL }} PUBLIC_TAILS_URL: ${{ inputs.IN_PUBLIC_TAILS_URL }} LOG_LEVEL: warning diff --git a/.github/workflows/bdd-integration-tests.yml b/.github/workflows/bdd-integration-tests.yml index caad0ad995..02fe8e54ff 100644 --- a/.github/workflows/bdd-integration-tests.yml +++ b/.github/workflows/bdd-integration-tests.yml @@ -10,8 +10,6 @@ on: types: [opened, synchronize, reopened, ready_for_review] permissions: - contents: read - pull-requests: read checks: write concurrency: @@ -25,6 +23,10 @@ defaults: jobs: test: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + checks: write # Run on openwallet-foundation and non-draft PRs or on non-PR events if: (github.repository == 'openwallet-foundation/acapy') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request')) outputs: diff --git a/.github/workflows/bdd-interop-tests.yml b/.github/workflows/bdd-interop-tests.yml index ceb64bc966..03245e0e62 100644 --- a/.github/workflows/bdd-interop-tests.yml +++ b/.github/workflows/bdd-interop-tests.yml @@ -9,11 +9,6 @@ on: - main types: [opened, synchronize, reopened, ready_for_review] -permissions: - contents: read - pull-requests: read - checks: write - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true 
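Review bot: The workflow-level `permissions:` block in .github/workflows/bdd-integration-tests.yml is only partly removed — `checks: write` stays at the top level while `contents: read` and `pull-requests: read` are deleted, which is inconsistent with the job-level block this commit adds to `test` and with bdd-interop-tests.yml, where the whole block goes. A top-level block that names only `checks: write` makes every other scope `none` for any job in the file that does not declare its own `permissions`, so such a job, if one exists beyond the hunk, would lose `contents: read` for checkout. Suggest deleting the two remaining lines as well: `permissions:` and `  checks: write`.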
@@ -25,6 +20,10 @@ defaults: jobs: test: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + checks: write # Run on openwallet-foundation and non-draft PRs or on non-PR events if: (github.repository == 'openwallet-foundation/acapy') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request')) outputs: diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8c5ff4a6f6..9e43638106 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,14 +1,11 @@ name: "Code scanning - action" -"on": +on: push: pull_request: schedule: - cron: "0 19 * * 0" -permissions: - contents: read - jobs: CodeQL-Build: # CodeQL runs on ubuntu-latest and windows-latest @@ -16,6 +13,7 @@ jobs: if: (github.event_name == 'pull_request' && github.repository == 'openwallet-foundation/acapy') || (github.event_name != 'pull_request') permissions: + contents: read security-events: write steps: diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml index c6f69a6f62..258a348d80 100644 --- a/.github/workflows/format.yml +++ b/.github/workflows/format.yml @@ -1,17 +1,16 @@ name: Ruff Code Formatter and Linting Check -"on": +on: pull_request: branches: - main -permissions: - contents: read - pull-requests: read - checks: write - jobs: lint: + permissions: + contents: read + pull-requests: read + checks: write name: lint runs-on: ubuntu-latest steps: diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 4e2c769297..71e4639049 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml 
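Review bot: The change from `"on":` to `on:` in .github/workflows/codeql.yml (and in format.yml in the same commit) is not a syntax fix: both forms are valid for GitHub Actions, and the quoted key is the usual way to keep YAML 1.1 parsers and yamllint's `truthy` rule from reading the bare `on` as a boolean. If the unquoted form is preferred for consistency with the other workflows, consider writing it as `on:  # yamllint disable-line rule:truthy` so a linter run does not flag it again; otherwise the quoted form can simply stay.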
@@ -5,15 +5,14 @@ on: - cron: "0 0 * * *" workflow_dispatch: -permissions: - contents: read - pull-requests: read - checks: write - jobs: tests: if: github.repository_owner == 'openwallet-foundation' || github.event_name == 'workflow_dispatch' runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + checks: write strategy: fail-fast: false matrix: @@ -34,6 +33,9 @@ jobs: setup_and_check_pub: name: Setup Publish runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read outputs: commits_today: ${{ steps.commits.outputs.commits_today }} date: ${{ steps.date.outputs.date }} @@ -61,6 +63,7 @@ jobs: tag: ["nightly-${{needs.setup_and_check_pub.outputs.date}}", nightly] permissions: contents: read + pull-requests: read packages: write with: tag: ${{ matrix.tag }} diff --git a/.github/workflows/pip-audit.yml b/.github/workflows/pip-audit.yml index 5efd309f57..8d417c3205 100644 --- a/.github/workflows/pip-audit.yml +++ b/.github/workflows/pip-audit.yml @@ -3,12 +3,11 @@ name: pip-audit on: workflow_dispatch: -permissions: - contents: read - jobs: selftest: runs-on: ubuntu-latest + permissions: + contents: read if: (github.event_name == 'pull_request' && github.repository == 'openwallet-foundation/acapy') || (github.event_name != 'pull_request') steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 diff --git a/.github/workflows/pr-tests.yml b/.github/workflows/pr-tests.yml index 12542f60a8..2bb5457d98 100644 --- a/.github/workflows/pr-tests.yml +++ b/.github/workflows/pr-tests.yml @@ -3,11 +3,6 @@ name: PR Tests on: pull_request: -permissions: - contents: read - pull-requests: read - checks: write - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true 
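Review bot: The `pull-requests: read` scope added in .github/workflows/nightly.yml to `setup_and_check_pub` (second hunk) and to the permissions passed on what appears to be a reusable-workflow call in the third hunk has no visible consumer: no visible line of either job touches the pull-request API, and `setup_and_check_pub` appears to only count commits and compute a date. Under least privilege each job should list only scopes a step actually uses, so unless a step outside the hunk reads pull requests, drop the line, or keep it with a comment naming the call that needs it, e.g. `pull-requests: read  # needed by <step name>`. The job that carries the third hunk starts outside the hunk.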
@@ -15,6 +10,10 @@ concurrency: jobs: tests: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + checks: write steps: - name: checkout uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 @@ -28,6 +27,10 @@ jobs: postgres-tests: name: PostgreSQL Integration Tests runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + checks: write services: postgres: image: postgres:15-alpine diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml index 4f8bb9c9a5..8f68814b25 100644 --- a/.github/workflows/publish-docs.yml +++ b/.github/workflows/publish-docs.yml @@ -7,9 +7,6 @@ on: - main - docs-v* -permissions: - contents: read - jobs: deploy: runs-on: ubuntu-latest diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a799caa19c..65fe5c4da9 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -23,9 +23,6 @@ on: required: false type: string -permissions: - contents: read - jobs: build-image: strategy: diff --git a/.github/workflows/pythonpublish.yml b/.github/workflows/pythonpublish.yml index 5892d59672..927a633a81 100644 --- a/.github/workflows/pythonpublish.yml +++ b/.github/workflows/pythonpublish.yml @@ -4,9 +4,6 @@ on: release: types: [created] -permissions: - contents: read - jobs: deploy: runs-on: ubuntu-latest @@ -14,6 +11,7 @@ jobs: name: pypi url: https://pypi.org/p/acapy-agent permissions: + contents: read id-token: write # IMPORTANT: this permission is mandatory for trusted publishing steps: - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 diff --git a/.github/workflows/scenario-integration-tests.yml b/.github/workflows/scenario-integration-tests.yml index 8db3332b77..a4935e25d3 100644 --- a/.github/workflows/scenario-integration-tests.yml +++ b/.github/workflows/scenario-integration-tests.yml 
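Review bot: Removing the workflow-level `permissions:` block from .github/workflows/publish-docs.yml leaves no `permissions` in view for the `deploy` job, and unlike the other workflows in this commit no job-level block is added, so unless `deploy` already declares one outside the hunk its GITHUB_TOKEN falls back to the repository's default permissions, which may be broader than the `contents: read` removed here. The same applies to `build-image` in publish.yml in this commit, although when that file is invoked as a reusable workflow the caller's job permissions bound it as well. Suggest adding under `deploy:` the lines `permissions:` and `  contents: read`, plus whichever write scope the deploy step needs; its steps are outside the hunk.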
@@ -9,11 +9,6 @@ on: - main types: [opened, synchronize, reopened, ready_for_review] -permissions: - contents: read - pull-requests: read - checks: write - concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -25,6 +20,10 @@ defaults: jobs: test: runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + checks: write # Run on openwallet-foundation and non-draft PRs or on non-PR events if: (github.repository == 'openwallet-foundation/acapy') && ((github.event_name == 'pull_request' && github.event.pull_request.draft == false) || (github.event_name != 'pull_request')) steps: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index e809562d87..d5c14efcc8 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -18,7 +18,9 @@ on: branches: [ "main" ] # Declare default permissions as read only. -permissions: read-all +permissions: + contents: read + actions: read jobs: analysis: diff --git a/.github/workflows/snyk-lts.yml b/.github/workflows/snyk-lts.yml index ee6c1e0a2e..bd2429db5e 100644 --- a/.github/workflows/snyk-lts.yml +++ b/.github/workflows/snyk-lts.yml @@ -11,9 +11,6 @@ on: - acapy_agent/** - docker/** -permissions: - contents: read - jobs: snyk: permissions: diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 9d67cd07f0..e40a9c25ff 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -7,9 +7,6 @@ on: - acapy_agent/** - docker/** -permissions: - contents: read - jobs: snyk: permissions: diff --git a/.github/workflows/sonar-merge-main.yml b/.github/workflows/sonar-merge-main.yml index 76dafa3235..c55fd371e9 100644 --- a/.github/workflows/sonar-merge-main.yml +++ b/.github/workflows/sonar-merge-main.yml 
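Review bot: The comment `# Declare default permissions as read only.` in .github/workflows/scorecard.yml now sits above a block that grants only `contents: read` and `actions: read` rather than `read-all`, so it no longer describes what follows. Suggest rewording it to `# Default token scopes for every job; the analysis job adds its own write scopes.` and confirming against the scorecard action's documented permissions that nothing else it reads was dropped, since any scope listed neither here nor at job level is now `none`. The `analysis` job's own `permissions` block, if it has one, is outside the hunk.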
@@ -4,12 +4,11 @@ on: branches: - main -permissions: - contents: read - checks: write - jobs: sonarcloud: + permissions: + contents: read + checks: write name: SonarCloud runs-on: ubuntu-latest if: github.repository == 'openwallet-foundation/acapy' && github.actor != 'dependabot[bot]' diff --git a/.github/workflows/sonar-pr.yml b/.github/workflows/sonar-pr.yml index 5883624e1d..a85d139dcc 100644 --- a/.github/workflows/sonar-pr.yml +++ b/.github/workflows/sonar-pr.yml @@ -6,13 +6,12 @@ on: types: - completed -permissions: - contents: read - pull-requests: read - checks: write - jobs: SonarCloud: + permissions: + contents: read + pull-requests: read + checks: write runs-on: ubuntu-latest if: github.event.workflow_run.conclusion == 'success' && github.repository == 'openwallet-foundation/acapy' steps: diff --git a/.github/workflows/tag-recreate-lts.yml b/.github/workflows/tag-recreate-lts.yml index 81c4b68839..a857db1797 100644 --- a/.github/workflows/tag-recreate-lts.yml +++ b/.github/workflows/tag-recreate-lts.yml @@ -14,10 +14,6 @@ on: required: true type: string -permissions: - contents: write - packages: write - jobs: recreate-lts-release: # LTS versions are now configured in .github/lts-versions.txt @@ -27,6 +23,8 @@ jobs: (github.event_name == 'workflow_dispatch') name: Recreate LTS Release runs-on: ubuntu-latest + permissions: + contents: write outputs: lts_tag: ${{ steps.set_outputs.outputs.lts_tag }} release_tag: ${{ steps.set_outputs.outputs.release_tag }} @@ -230,6 +228,8 @@ jobs: needs.recreate-lts-release.outputs.lts_tag != '' && needs.recreate-lts-release.outputs.release_tag != '' runs-on: ubuntu-latest + permissions: + packages: write strategy: matrix: python-version: ["3.12"] From 552bde872974d77fcd65e90320bed0c2467cd91c Mon Sep 17 00:00:00 2001 
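Review bot: In .github/workflows/tag-recreate-lts.yml the third hunk gives the job at old line 230 a `permissions` block with only `packages: write`; once a job declares `permissions`, every scope it does not list becomes `none`, so if that job checks out the repository (it runs a Python version matrix, which suggests a build step) it will likely also need `contents: read`: `permissions:` / `  contents: read` / `  packages: write`. That job's definition starts outside the hunk, so please confirm from its steps. Note also that with the top-level `contents: write` and `packages: write` removed, any other job in this file without its own block falls back to the repository's default token permissions.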
From: Patrick St-Louis <43082425+PatStLouis@users.noreply.github.com> Date: Fri, 27 Feb 2026 09:30:22 -0500 Subject: [PATCH 2/2] Update .github/actions/run-integration-tests/action.yml Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Patrick St-Louis <43082425+PatStLouis@users.noreply.github.com> --- .github/actions/run-integration-tests/action.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/actions/run-integration-tests/action.yml b/.github/actions/run-integration-tests/action.yml index 8405e887a5..5973f6994b 100644 --- a/.github/actions/run-integration-tests/action.yml +++ b/.github/actions/run-integration-tests/action.yml @@ -20,7 +20,15 @@ runs: - name: run-integration-tests-acapy # to run with external ledger and tails server run as follows (and remove the ledger and tails actions from the workflow): # run: LEDGER_URL=... PUBLIC_TAILS_URL=... ./run_bdd $TEST_SCOPE - run: ./run_bdd $TEST_SCOPE + run: | + set -euo pipefail + if [ -n "${TEST_SCOPE-}" ]; then + # Split TEST_SCOPE on whitespace into an argv-safe array + read -r -a scope_args <<< "$TEST_SCOPE" + ./run_bdd "${scope_args[@]}" + else + ./run_bdd + fi shell: bash env: TEST_SCOPE: ${{ inputs.TEST_SCOPE }}
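Review bot: The comment two lines above the new `run: |` block, `# run: LEDGER_URL=... PUBLIC_TAILS_URL=... ./run_bdd $TEST_SCOPE`, still shows the old unquoted single-line invocation whose word-splitting this rewrite replaces, so it now documents something other than what the step runs. Suggest changing it to `# to run against an external ledger/tails server, set LEDGER_URL and PUBLIC_TAILS_URL in env and drop the ledger/tails actions from the workflow`. On the script itself, `set -euo pipefail` is fine, but with `shell: bash` GitHub's default invocation already passes `-eo pipefail`, so only `-u` is new here, which is what the `${TEST_SCOPE-}` default guards against. The `read -r -a` into an array with the quoted `"${scope_args[@]}"` expansion keeps the input free of glob expansion and re-splitting, which is the right shape for an action input.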