balena-os · rcooke-warwick · Nov 29, 2024
diff --git a/.github/workflows/astro-tx2.yml b/.github/workflows/astro-tx2.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/blackboard-tx2.yml b/.github/workflows/blackboard-tx2.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/cnx100-xavier-nx.yml b/.github/workflows/cnx100-xavier-nx.yml
@@ -36,6 +36,13 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read        
+
 jobs:
   yocto:
     name: Yocto

diff --git a/.github/workflows/floyd-nano.yml b/.github/workflows/floyd-nano.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/jetson-nano-2gb-devkit.yml b/.github/workflows/jetson-nano-2gb-devkit.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/jetson-nano-emmc.yml b/.github/workflows/jetson-nano-emmc.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/jetson-nano.yml b/.github/workflows/jetson-nano.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/jetson-tx1.yml b/.github/workflows/jetson-tx1.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/jetson-tx2-nx-devkit.yml b/.github/workflows/jetson-tx2-nx-devkit.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/jetson-tx2.yml b/.github/workflows/jetson-tx2.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/jetson-xavier-nx-devkit-seeed-2mic-hat.yml b/.github/workflows/jetson-xavier-nx-devkit-seeed-2mic-hat.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/jn30b-nano.yml b/.github/workflows/jn30b-nano.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/n310-tx2.yml b/.github/workflows/n310-tx2.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/n510-tx2.yml b/.github/workflows/n510-tx2.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/orbitty-tx2.yml b/.github/workflows/orbitty-tx2.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/photon-nano.yml b/.github/workflows/photon-nano.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/photon-tx2-nx.yml b/.github/workflows/photon-tx2-nx.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/photon-xavier-nx.yml b/.github/workflows/photon-xavier-nx.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto:

diff --git a/.github/workflows/spacely-tx2.yml b/.github/workflows/spacely-tx2.yml
@@ -36,6 +36,12 @@ on:
         type: string
         default: ''
 
+permissions:
+  id-token: write # This is required for requesting the JWT #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#requesting-the-access-token
+  actions: read # We are fetching workflow run results of a merge commit when workflow is triggered by new tag, to see if tests pass
+  pull-requests: write # Read is required to fetch the PR that merged, in order to get the test results. Write is required to create PR comments for workflow approvals.
+  packages: read
+  contents: read
 
 jobs:
   yocto: