From 553338b8c01a98c41522816822fb9fab716a100e Mon Sep 17 00:00:00 2001 From: Eduardo Silva Date: Tue, 10 Mar 2026 10:53:57 -0600 Subject: [PATCH 1/4] github: workflows: security update Signed-off-by: Eduardo Silva --- .../workflows/build-branch-containers.yaml | 7 +++++++ .github/workflows/build-master-packages.yaml | 8 ++++++++ .github/workflows/call-test-images.yaml | 5 ++++- .github/workflows/call-test-packages.yaml | 3 +++ .github/workflows/commit-lint.yaml | 3 +++ .github/workflows/cron-stale.yaml | 4 ++++ .github/workflows/cron-trivy.yaml | 7 +++++++ .../workflows/master-integration-test.yaml | 8 ++++++++ .github/workflows/pr-commit-message.yaml | 6 +++++- .github/workflows/pr-compile-check.yaml | 3 +++ .github/workflows/pr-fuzz.yaml | 3 +++ .github/workflows/pr-integration-test.yaml | 19 +++++++++++++++++-- .github/workflows/pr-labels.yaml | 4 ++++ .github/workflows/pr-lint.yaml | 3 +++ .github/workflows/pr-perf-test.yaml | 10 +++++++++- .github/workflows/pr-windows-build.yaml | 7 +++++++ .github/workflows/skipped-unit-tests.yaml | 5 ++++- .github/workflows/staging-build.yaml | 18 ++++++++++++++++++ .github/workflows/staging-test.yaml | 9 +++++++++ 19 files changed, 126 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-branch-containers.yaml b/.github/workflows/build-branch-containers.yaml index ea5d3c6cd3d..fff6cd394f1 100644 --- a/.github/workflows/build-branch-containers.yaml +++ b/.github/workflows/build-branch-containers.yaml @@ -6,8 +6,15 @@ on: description: Version of Fluent Bit to build, commit, branch, etc. The container image will be ghcr.io/fluent/fluent-bit/test/. required: true default: master + +permissions: + contents: read + jobs: build-branch-containers: + permissions: + contents: read + packages: write uses: ./.github/workflows/call-build-images.yaml with: version: ${{ github.event.inputs.version }} diff --git a/.github/workflows/build-master-packages.yaml b/.github/workflows/build-master-packages.yaml index 5698abfe5b4..24ed829f5c1 100644 --- a/.github/workflows/build-master-packages.yaml +++ b/.github/workflows/build-master-packages.yaml @@ -14,12 +14,18 @@ on: default: "" name: Build packages for master + +permissions: + contents: read + jobs: master-build-generate-matrix: name: Staging build matrix runs-on: ubuntu-latest outputs: build-matrix: ${{ steps.set-matrix.outputs.matrix }} + permissions: + contents: read steps: # Set up the list of target to build so we can pass the JSON to the reusable job - id: set-matrix @@ -42,6 +48,8 @@ jobs: master-build-packages: needs: master-build-generate-matrix + permissions: + contents: read uses: ./.github/workflows/call-build-linux-packages.yaml with: version: master diff --git a/.github/workflows/call-test-images.yaml b/.github/workflows/call-test-images.yaml index a4f8cc20999..868776bbf90 100644 --- a/.github/workflows/call-test-images.yaml +++ b/.github/workflows/call-test-images.yaml @@ -35,6 +35,10 @@ on: cosign_key: description: The optional Cosign key to use for verifying the images. required: false + +permissions: + contents: read + jobs: call-test-images-cosign-verify: name: Cosign verification of container image @@ -202,4 +206,3 @@ jobs: REGISTRY: ${{ inputs.registry }} IMAGE_NAME: ${{ inputs.image }} IMAGE_TAG: ${{ inputs.image-tag }} - diff --git a/.github/workflows/call-test-packages.yaml b/.github/workflows/call-test-packages.yaml index 7a11bae9d1e..db24d660e74 100644 --- a/.github/workflows/call-test-packages.yaml +++ b/.github/workflows/call-test-packages.yaml @@ -20,6 +20,9 @@ on: description: The name of the S3 (US-East) bucket to pull packages from. required: true +permissions: + contents: read + jobs: call-test-packaging: # We use Dokken to run a series of test suites locally on containers representing diff --git a/.github/workflows/commit-lint.yaml b/.github/workflows/commit-lint.yaml index e3100ab99da..82b82acfb13 100644 --- a/.github/workflows/commit-lint.yaml +++ b/.github/workflows/commit-lint.yaml @@ -7,6 +7,9 @@ on: branches: - master +permissions: + contents: read + jobs: commit-lint: runs-on: ubuntu-latest diff --git a/.github/workflows/cron-stale.yaml b/.github/workflows/cron-stale.yaml index 9ee9a64afa7..8a9da0ce1b8 100644 --- a/.github/workflows/cron-stale.yaml +++ b/.github/workflows/cron-stale.yaml @@ -3,6 +3,10 @@ on: schedule: - cron: '30 1 * * *' +permissions: + issues: write + pull-requests: write + jobs: stale: name: Mark stale diff --git a/.github/workflows/cron-trivy.yaml b/.github/workflows/cron-trivy.yaml index 3734a54288c..19112438356 100644 --- a/.github/workflows/cron-trivy.yaml +++ b/.github/workflows/cron-trivy.yaml @@ -12,6 +12,10 @@ on: - cron: 44 13 * * 4 workflow_dispatch: +permissions: + contents: read + security-events: write + jobs: # Run Trivy on the latest container and update the security code scanning results tab. trivy-latest: @@ -20,6 +24,9 @@ jobs: name: ${{ matrix.arch }} container scan runs-on: [ ubuntu-latest ] continue-on-error: true + permissions: + contents: read + security-events: write strategy: fail-fast: false # Matrix of architectures to test along with their local tags for special character substitution diff --git a/.github/workflows/master-integration-test.yaml b/.github/workflows/master-integration-test.yaml index 85c321b8250..13905067dd4 100644 --- a/.github/workflows/master-integration-test.yaml +++ b/.github/workflows/master-integration-test.yaml @@ -4,9 +4,15 @@ on: branches: - master +permissions: + contents: read + jobs: master-integration-test-build: name: Master - integration build + permissions: + contents: read + packages: write uses: ./.github/workflows/call-integration-image-build.yaml with: ref: ${{ github.sha }} @@ -21,6 +27,8 @@ jobs: master-integration-test-run-integration: name: Master - integration test needs: master-integration-test-build + permissions: + contents: read uses: ./.github/workflows/call-run-integration-test.yaml with: image_name: ghcr.io/${{ github.repository }}/master diff --git a/.github/workflows/pr-commit-message.yaml b/.github/workflows/pr-commit-message.yaml index 596d9cdcb14..8de524f8f87 100644 --- a/.github/workflows/pr-commit-message.yaml +++ b/.github/workflows/pr-commit-message.yaml @@ -6,6 +6,10 @@ on: - edited - reopened - synchronize + +permissions: + contents: read + jobs: check-commit-message: name: Check Commit Message @@ -18,4 +22,4 @@ jobs: error: 'Invalid commit subject. Please refer to: https://github.com/fluent/fluent-bit/blob/master/CONTRIBUTING.md#commit-changes' checkAllCommitMessages: 'false' excludeDescription: 'true' - accessToken: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + accessToken: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pr-compile-check.yaml b/.github/workflows/pr-compile-check.yaml index 1cffd508b51..b6f5fe0fce9 100644 --- a/.github/workflows/pr-compile-check.yaml +++ b/.github/workflows/pr-compile-check.yaml @@ -9,6 +9,9 @@ on: - 'cmake/*' workflow_dispatch: +permissions: + contents: read + jobs: # Sanity check for compilation using older compiler on CentOS 7 pr-compile-centos-7: diff --git a/.github/workflows/pr-fuzz.yaml b/.github/workflows/pr-fuzz.yaml index e35a243be6b..60593501b19 100644 --- a/.github/workflows/pr-fuzz.yaml +++ b/.github/workflows/pr-fuzz.yaml @@ -9,6 +9,9 @@ jobs: fuzzing: name: PR - fuzzing test runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Build Fuzzers id: build diff --git a/.github/workflows/pr-integration-test.yaml b/.github/workflows/pr-integration-test.yaml index 2b18b1c67b1..f4e5b9a948e 100644 --- a/.github/workflows/pr-integration-test.yaml +++ b/.github/workflows/pr-integration-test.yaml @@ -10,11 +10,18 @@ on: - reopened - synchronize +permissions: + contents: read + jobs: pr-integration-test-build: name: PR - integration build - # We only need to test this once as the rest are chained from it. - if: contains(github.event.pull_request.labels.*.name, 'ok-to-test') + # Only maintainers can create same-repo branches; do not run privileged + # integration jobs against fork-controlled code. + if: contains(github.event.pull_request.labels.*.name, 'ok-to-test') && github.event.pull_request.head.repo.full_name == github.repository + permissions: + contents: read + packages: write uses: ./.github/workflows/call-integration-image-build.yaml with: ref: ${{ github.event.pull_request.head.sha }} @@ -31,6 +38,8 @@ jobs: runs-on: ubuntu-latest needs: - pr-integration-test-build + permissions: + pull-requests: write steps: - uses: actions-ecosystem/action-add-labels@v1 name: Label the PR @@ -43,6 +52,9 @@ jobs: name: PR - K8S integration test needs: - pr-integration-test-build + if: needs.pr-integration-test-build.result == 'success' + permissions: + contents: read uses: ./.github/workflows/call-run-integration-test.yaml with: image_name: ghcr.io/${{ github.repository }}/pr-${{ github.event.pull_request.number }} @@ -59,6 +71,9 @@ jobs: runs-on: ubuntu-latest needs: - pr-integration-test-run-integration + if: needs.pr-integration-test-run-integration.result == 'success' + permissions: + pull-requests: write steps: - uses: actions-ecosystem/action-add-labels@v1 name: Label the PR diff --git a/.github/workflows/pr-labels.yaml b/.github/workflows/pr-labels.yaml index f8139304799..d0f3b105f85 100644 --- a/.github/workflows/pr-labels.yaml +++ b/.github/workflows/pr-labels.yaml @@ -3,6 +3,10 @@ on: pull_request_target: types: - opened + +permissions: + pull-requests: write + jobs: apply-default-labels: name: PR - apply default labels diff --git a/.github/workflows/pr-lint.yaml b/.github/workflows/pr-lint.yaml index 718763121f4..59a4b6313ee 100644 --- a/.github/workflows/pr-lint.yaml +++ b/.github/workflows/pr-lint.yaml @@ -3,6 +3,9 @@ on: pull_request: workflow_dispatch: +permissions: + contents: read + jobs: hadolint-pr: runs-on: ubuntu-latest diff --git a/.github/workflows/pr-perf-test.yaml b/.github/workflows/pr-perf-test.yaml index e8de4d1a9d3..cd2387304b2 100644 --- a/.github/workflows/pr-perf-test.yaml +++ b/.github/workflows/pr-perf-test.yaml @@ -8,11 +8,16 @@ on: types: - labeled +permissions: + contents: read + jobs: pr-perf-test-run: # We only need to test this once as the rest are chained from it. - if: contains(github.event.pull_request.labels.*.name, 'ok-to-performance-test') + if: contains(github.event.pull_request.labels.*.name, 'ok-to-performance-test') && github.event.pull_request.head.repo.full_name == github.repository + permissions: + contents: read uses: fluent/fluent-bit-ci/.github/workflows/call-run-performance-test.yaml@main with: vm-name: fb-perf-test-pr-${{ github.event.number }} @@ -30,6 +35,7 @@ jobs: needs: - pr-perf-test-run permissions: + contents: read pull-requests: write steps: - uses: actions/download-artifact@v7 @@ -86,7 +92,9 @@ jobs: runs-on: ubuntu-latest needs: - pr-perf-test-run + if: needs.pr-perf-test-run.result == 'success' permissions: + contents: read pull-requests: write steps: - uses: actions-ecosystem/action-add-labels@v1 diff --git a/.github/workflows/pr-windows-build.yaml b/.github/workflows/pr-windows-build.yaml index 9be1e6daa7c..74868cc8976 100644 --- a/.github/workflows/pr-windows-build.yaml +++ b/.github/workflows/pr-windows-build.yaml @@ -29,8 +29,13 @@ on: - reopened - synchronize +permissions: + contents: read + jobs: pr-windows-build: + permissions: + contents: read uses: ./.github/workflows/call-build-windows.yaml with: version: ${{ github.sha }} @@ -42,6 +47,8 @@ jobs: run-windows-unit-tests: needs: - pr-windows-build + permissions: + contents: read uses: ./.github/workflows/call-windows-unit-tests.yaml with: version: ${{ github.sha }} diff --git a/.github/workflows/skipped-unit-tests.yaml b/.github/workflows/skipped-unit-tests.yaml index 2fe682091c8..ea17e9aba60 100644 --- a/.github/workflows/skipped-unit-tests.yaml +++ b/.github/workflows/skipped-unit-tests.yaml @@ -12,9 +12,12 @@ on: - 'appveyor.yml' - 'examples/**' +permissions: + contents: read + jobs: run-all-unit-tests: runs-on: ubuntu-latest name: Unit tests (matrix) steps: - - run: echo "No unit tests required" \ No newline at end of file + - run: echo "No unit tests required" diff --git a/.github/workflows/staging-build.yaml b/.github/workflows/staging-build.yaml index 5351c253398..b82b9a3adc7 100644 --- a/.github/workflows/staging-build.yaml +++ b/.github/workflows/staging-build.yaml @@ -26,6 +26,9 @@ on: # We also do not want multiples to run for the same version. concurrency: staging-build-release +permissions: + contents: read + jobs: # This job strips off the `v` at the start of any tag provided. @@ -35,6 +38,8 @@ jobs: runs-on: ubuntu-latest outputs: version: ${{ steps.formatted_version.outputs.replaced }} + permissions: + contents: read steps: - run: | @@ -71,6 +76,9 @@ jobs: staging-build-images: needs: staging-build-get-meta + permissions: + contents: read + packages: write uses: ./.github/workflows/call-build-images.yaml with: version: ${{ needs.staging-build-get-meta.outputs.version }} @@ -90,6 +98,8 @@ jobs: - staging-build-images runs-on: ubuntu-latest environment: staging + permissions: + contents: read steps: - name: Download the schema generated by call-build-images # We may have no schema so ignore that failure @@ -121,6 +131,8 @@ jobs: runs-on: ubuntu-latest outputs: build-matrix: ${{ steps.set-matrix.outputs.build-matrix }} + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v6 @@ -135,6 +147,8 @@ jobs: needs: - staging-build-get-meta - staging-build-generate-matrix + permissions: + contents: read uses: ./.github/workflows/call-build-linux-packages.yaml with: version: ${{ needs.staging-build-get-meta.outputs.version }} @@ -153,6 +167,8 @@ jobs: staging-build-windows-packages: needs: - staging-build-get-meta + permissions: + contents: read uses: ./.github/workflows/call-build-windows.yaml with: version: ${{ needs.staging-build-get-meta.outputs.version }} @@ -167,6 +183,8 @@ jobs: staging-build-macos-packages: needs: - staging-build-get-meta + permissions: + contents: read uses: ./.github/workflows/call-build-macos.yaml with: version: ${{ needs.staging-build-get-meta.outputs.version }} diff --git a/.github/workflows/staging-test.yaml b/.github/workflows/staging-test.yaml index e7a2d3caa1c..35851a51f87 100644 --- a/.github/workflows/staging-test.yaml +++ b/.github/workflows/staging-test.yaml @@ -11,12 +11,17 @@ on: concurrency: integration-test +permissions: + contents: read + jobs: staging-test-images: name: Container images staging tests # Workflow run always triggers on completion regardless of status # This prevents us from running if build fails. if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' + permissions: + contents: read uses: ./.github/workflows/call-test-images.yaml with: registry: ghcr.io @@ -33,6 +38,8 @@ jobs: name: run integration tests on GCP # Wait for other tests to succeed needs: staging-test-images + permissions: + contents: read uses: ./.github/workflows/call-run-integration-test.yaml with: image_name: ghcr.io/${{ github.repository }}/staging @@ -49,6 +56,8 @@ jobs: # Workflow run always triggers on completion regardless of status # This prevents us from running if build fails. if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' + permissions: + contents: read uses: ./.github/workflows/call-test-packages.yaml with: environment: staging From f913a022e0c053659649ed2018e036057a33db06 Mon Sep 17 00:00:00 2001 From: Eduardo Silva Date: Tue, 10 Mar 2026 11:36:38 -0600 Subject: [PATCH 2/4] github: workflows: harden permissions and untrusted PR execution Signed-off-by: Eduardo Silva --- .github/workflows/call-test-images.yaml | 1 + .github/workflows/pr-integration-test.yaml | 4 ++-- .github/workflows/pr-labels.yaml | 2 +- .github/workflows/pr-perf-test.yaml | 2 +- .github/workflows/staging-test.yaml | 2 ++ 5 files changed, 7 insertions(+), 4 deletions(-) diff --git a/.github/workflows/call-test-images.yaml b/.github/workflows/call-test-images.yaml index 868776bbf90..4cb40a2ad9a 100644 --- a/.github/workflows/call-test-images.yaml +++ b/.github/workflows/call-test-images.yaml @@ -38,6 +38,7 @@ on: permissions: contents: read + packages: read jobs: call-test-images-cosign-verify: diff --git a/.github/workflows/pr-integration-test.yaml b/.github/workflows/pr-integration-test.yaml index f4e5b9a948e..c90757b9de3 100644 --- a/.github/workflows/pr-integration-test.yaml +++ b/.github/workflows/pr-integration-test.yaml @@ -41,7 +41,7 @@ jobs: permissions: pull-requests: write steps: - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 name: Label the PR with: labels: ci/integration-docker-ok @@ -75,7 +75,7 @@ jobs: permissions: pull-requests: write steps: - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 name: Label the PR with: labels: ci/integration-test-ok diff --git a/.github/workflows/pr-labels.yaml b/.github/workflows/pr-labels.yaml index d0f3b105f85..a3303038d1b 100644 --- a/.github/workflows/pr-labels.yaml +++ b/.github/workflows/pr-labels.yaml @@ -12,7 +12,7 @@ jobs: name: PR - apply default labels runs-on: ubuntu-latest steps: - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 name: Label the PR with 'docs-required' by default. with: labels: docs-required diff --git a/.github/workflows/pr-perf-test.yaml b/.github/workflows/pr-perf-test.yaml index cd2387304b2..a83aaa885a3 100644 --- a/.github/workflows/pr-perf-test.yaml +++ b/.github/workflows/pr-perf-test.yaml @@ -97,7 +97,7 @@ jobs: contents: read pull-requests: write steps: - - uses: actions-ecosystem/action-add-labels@v1 + - uses: actions-ecosystem/action-add-labels@bd52874380e3909a1ac983768df6976535ece7f8 name: Label the PR with: labels: ci/performance-test-ok diff --git a/.github/workflows/staging-test.yaml b/.github/workflows/staging-test.yaml index 35851a51f87..07d8ad8df76 100644 --- a/.github/workflows/staging-test.yaml +++ b/.github/workflows/staging-test.yaml @@ -13,6 +13,7 @@ concurrency: integration-test permissions: contents: read + packages: read jobs: staging-test-images: @@ -22,6 +23,7 @@ jobs: if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' permissions: contents: read + packages: read uses: ./.github/workflows/call-test-images.yaml with: registry: ghcr.io From bd66f1a3a6165729b7df75945bd3a3200ad4a859 Mon Sep 17 00:00:00 2001 From: Eduardo Silva Date: Tue, 10 Mar 2026 11:36:54 -0600 Subject: [PATCH 3/4] github: workflows: pin privileged actions and fix ghcr read scope Signed-off-by: Eduardo Silva --- .github/workflows/cron-trivy.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cron-trivy.yaml b/.github/workflows/cron-trivy.yaml index 19112438356..07d13fcdc7b 100644 --- a/.github/workflows/cron-trivy.yaml +++ b/.github/workflows/cron-trivy.yaml @@ -59,7 +59,7 @@ jobs: # Deliberately chosen master here to keep up-to-date. - name: Run Trivy vulnerability scanner for any major issues - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: image-ref: local/fluent-bit:${{ matrix.local_tag }} # Filter out any that have no current fix. @@ -73,7 +73,7 @@ jobs: # Show all detected issues. # Note this will show a lot more, including major un-fixed ones. - name: Run Trivy vulnerability scanner for local output - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: image-ref: local/fluent-bit:${{ matrix.local_tag }} format: table From 54bb68b5d6c046525a67bdbfb19dacb906d6b1c7 Mon Sep 17 00:00:00 2001 From: Eduardo Silva Date: Wed, 11 Mar 2026 16:45:49 -0600 Subject: [PATCH 4/4] github: workflows: fix redundant read permission Signed-off-by: Eduardo Silva --- .github/workflows/cron-trivy.yaml | 3 --- .github/workflows/pr-labels.yaml | 1 + 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/cron-trivy.yaml b/.github/workflows/cron-trivy.yaml index 07d13fcdc7b..6654443cb28 100644 --- a/.github/workflows/cron-trivy.yaml +++ b/.github/workflows/cron-trivy.yaml @@ -24,9 +24,6 @@ jobs: name: ${{ matrix.arch }} container scan runs-on: [ ubuntu-latest ] continue-on-error: true - permissions: - contents: read - security-events: write strategy: fail-fast: false # Matrix of architectures to test along with their local tags for special character substitution diff --git a/.github/workflows/pr-labels.yaml b/.github/workflows/pr-labels.yaml index a3303038d1b..1f98196420d 100644 --- a/.github/workflows/pr-labels.yaml +++ b/.github/workflows/pr-labels.yaml @@ -5,6 +5,7 @@ on: - opened permissions: + contents: read pull-requests: write jobs: