all: children: controllers: hosts: controller: null zuul_unreachable: hosts: {} hosts: controller: ansible_connection: ssh ansible_host: 199.204.45.6 ansible_port: 22 ansible_python_interpreter: auto ansible_user: zuul cilium_helm_values: operator: replicas: 1 cilium_ipv4_cidr: 172.24.0.0/16 kube_vip_address: 172.17.0.100 kube_vip_interface: '{{ ansible_facts[''default_ipv4''].interface }}' kubernetes_hostname: '{{ ansible_facts[''default_ipv4''].address }}' kubernetes_version: 1.28.13 molecule_scenario: secretgen-controller nodepool: az: nova cloud: public external_id: 1f0fb961-4289-44c0-9f5f-47a4bfa689c3 host_id: dc47ae3b6bd7105f226a81ddfc9102f715bac5cc73984e91b5981caa interface_ip: 199.204.45.6 label: ubuntu-noble node_properties: {} private_ipv4: 199.204.45.6 private_ipv6: null provider: yul1 public_ipv4: 199.204.45.6 public_ipv6: 2604:e100:1:0:f816:3eff:fed3:a249 region: ca-ymq-1 slot: null zuul_node: az: nova cloud: public external_id: 1f0fb961-4289-44c0-9f5f-47a4bfa689c3 host_id: dc47ae3b6bd7105f226a81ddfc9102f715bac5cc73984e91b5981caa interface_ip: 199.204.45.6 label: ubuntu-noble node_properties: {} private_ipv4: 199.204.45.6 private_ipv6: null provider: yul1 public_ipv4: 199.204.45.6 public_ipv6: 2604:e100:1:0:f816:3eff:fed3:a249 region: ca-ymq-1 slot: null uuid: null vars: cilium_helm_values: operator: replicas: 1 kubernetes_version: 1.28.13 molecule_scenario: secretgen-controller zuul: _inheritance_path: - '' - '' - '' - '' - '' ansible_version: '9' attempts: 1 branch: main build: 03e2bd9f678c4cf4bc895e1090092f58 build_refs: - branch: main change: '110' change_message: 'ci: enforce least-privilege permissions for GitHub Actions workflows ## Enforce least-privilege permissions This PR adds explicit `permissions` blocks to GitHub Actions workflow files that currently have no permissions defined, following the principle of least privilege. ### Changes - `linters.yml`: contents: read - `conventional-commit.yaml`: permissions: {} (defense-in-depth) ### Why Without explicit permissions, workflows inherit the default token permissions configured at the repository or organization level. By explicitly declaring the minimum required permissions, we reduce the blast radius if a workflow is compromised. ### References - [GitHub Actions security hardening](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) - [Automatic token authentication permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) ' change_url: https://github.com/vexxhost/atmosphere.common/pull/110 commit_id: a5822fe747cd2b9524c70fc13d1126f3c97c83e4 patchset: a5822fe747cd2b9524c70fc13d1126f3c97c83e4 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere.common name: vexxhost/atmosphere.common short_name: atmosphere.common src_dir: src/github.com/vexxhost/atmosphere.common src_dir: src/github.com/vexxhost/atmosphere.common topic: null buildset: 1a5c5eb6b6a3425ebb02195d012dda5c buildset_refs: - branch: main change: '110' change_message: 'ci: enforce least-privilege permissions for GitHub Actions workflows ## Enforce least-privilege permissions This PR adds explicit `permissions` blocks to GitHub Actions workflow files that currently have no permissions defined, following the principle of least privilege. ### Changes - `linters.yml`: contents: read - `conventional-commit.yaml`: permissions: {} (defense-in-depth) ### Why Without explicit permissions, workflows inherit the default token permissions configured at the repository or organization level. By explicitly declaring the minimum required permissions, we reduce the blast radius if a workflow is compromised. ### References - [GitHub Actions security hardening](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) - [Automatic token authentication permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) ' change_url: https://github.com/vexxhost/atmosphere.common/pull/110 commit_id: a5822fe747cd2b9524c70fc13d1126f3c97c83e4 patchset: a5822fe747cd2b9524c70fc13d1126f3c97c83e4 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere.common name: vexxhost/atmosphere.common short_name: atmosphere.common src_dir: src/github.com/vexxhost/atmosphere.common src_dir: src/github.com/vexxhost/atmosphere.common topic: null change: '110' change_message: 'ci: enforce least-privilege permissions for GitHub Actions workflows ## Enforce least-privilege permissions This PR adds explicit `permissions` blocks to GitHub Actions workflow files that currently have no permissions defined, following the principle of least privilege. ### Changes - `linters.yml`: contents: read - `conventional-commit.yaml`: permissions: {} (defense-in-depth) ### Why Without explicit permissions, workflows inherit the default token permissions configured at the repository or organization level. By explicitly declaring the minimum required permissions, we reduce the blast radius if a workflow is compromised. ### References - [GitHub Actions security hardening](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) - [Automatic token authentication permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) ' change_url: https://github.com/vexxhost/atmosphere.common/pull/110 child_jobs: [] commit_id: a5822fe747cd2b9524c70fc13d1126f3c97c83e4 event_id: f4bf6110-1bcb-11f1-87b1-fef41d6f460c executor: hostname: 0a8996d2b663 inventory_file: /var/lib/zuul/builds/03e2bd9f678c4cf4bc895e1090092f58/ansible/inventory.yaml log_root: /var/lib/zuul/builds/03e2bd9f678c4cf4bc895e1090092f58/work/logs result_data_file: /var/lib/zuul/builds/03e2bd9f678c4cf4bc895e1090092f58/work/results.json src_root: /var/lib/zuul/builds/03e2bd9f678c4cf4bc895e1090092f58/work/src work_root: /var/lib/zuul/builds/03e2bd9f678c4cf4bc895e1090092f58/work include_vars: [] items: - branch: main change: '110' change_message: 'ci: enforce least-privilege permissions for GitHub Actions workflows ## Enforce least-privilege permissions This PR adds explicit `permissions` blocks to GitHub Actions workflow files that currently have no permissions defined, following the principle of least privilege. ### Changes - `linters.yml`: contents: read - `conventional-commit.yaml`: permissions: {} (defense-in-depth) ### Why Without explicit permissions, workflows inherit the default token permissions configured at the repository or organization level. By explicitly declaring the minimum required permissions, we reduce the blast radius if a workflow is compromised. ### References - [GitHub Actions security hardening](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) - [Automatic token authentication permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) ' change_url: https://github.com/vexxhost/atmosphere.common/pull/110 commit_id: a5822fe747cd2b9524c70fc13d1126f3c97c83e4 patchset: a5822fe747cd2b9524c70fc13d1126f3c97c83e4 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere.common name: vexxhost/atmosphere.common short_name: atmosphere.common src_dir: src/github.com/vexxhost/atmosphere.common topic: null job: atmosphere-common-molecule-secretgen-controller jobtags: [] max_attempts: 3 message: Y2k6IGVuZm9yY2UgbGVhc3QtcHJpdmlsZWdlIHBlcm1pc3Npb25zIGZvciBHaXRIdWIgQWN0aW9ucyB3b3JrZmxvd3MKCiMjIEVuZm9yY2UgbGVhc3QtcHJpdmlsZWdlIHBlcm1pc3Npb25zCgpUaGlzIFBSIGFkZHMgZXhwbGljaXQgYHBlcm1pc3Npb25zYCBibG9ja3MgdG8gR2l0SHViIEFjdGlvbnMgd29ya2Zsb3cgZmlsZXMgdGhhdCBjdXJyZW50bHkgaGF2ZSBubyBwZXJtaXNzaW9ucyBkZWZpbmVkLCBmb2xsb3dpbmcgdGhlIHByaW5jaXBsZSBvZiBsZWFzdCBwcml2aWxlZ2UuCgojIyMgQ2hhbmdlcwotIGBsaW50ZXJzLnltbGA6IGNvbnRlbnRzOiByZWFkCi0gYGNvbnZlbnRpb25hbC1jb21taXQueWFtbGA6IHBlcm1pc3Npb25zOiB7fSAoZGVmZW5zZS1pbi1kZXB0aCkKCiMjIyBXaHkKV2l0aG91dCBleHBsaWNpdCBwZXJtaXNzaW9ucywgd29ya2Zsb3dzIGluaGVyaXQgdGhlIGRlZmF1bHQgdG9rZW4gcGVybWlzc2lvbnMgY29uZmlndXJlZCBhdCB0aGUgcmVwb3NpdG9yeSBvciBvcmdhbml6YXRpb24gbGV2ZWwuIEJ5IGV4cGxpY2l0bHkgZGVjbGFyaW5nIHRoZSBtaW5pbXVtIHJlcXVpcmVkIHBlcm1pc3Npb25zLCB3ZSByZWR1Y2UgdGhlIGJsYXN0IHJhZGl1cyBpZiBhIHdvcmtmbG93IGlzIGNvbXByb21pc2VkLgoKIyMjIFJlZmVyZW5jZXMKLSBbR2l0SHViIEFjdGlvbnMgc2VjdXJpdHkgaGFyZGVuaW5nXShodHRwczovL2RvY3MuZ2l0aHViLmNvbS9lbi9hY3Rpb25zL3NlY3VyaXR5LWZvci1naXRodWItYWN0aW9ucy9zZWN1cml0eS1ndWlkZXMvc2VjdXJpdHktaGFyZGVuaW5nLWZvci1naXRodWItYWN0aW9ucykKLSBbQXV0b21hdGljIHRva2VuIGF1dGhlbnRpY2F0aW9uIHBlcm1pc3Npb25zXShodHRwczovL2RvY3MuZ2l0aHViLmNvbS9lbi9hY3Rpb25zL3NlY3VyaXR5LWZvci1naXRodWItYWN0aW9ucy9zZWN1cml0eS1ndWlkZXMvYXV0b21hdGljLXRva2VuLWF1dGhlbnRpY2F0aW9uI3Blcm1pc3Npb25zLWZvci10aGUtZ2l0aHViX3Rva2VuKQo= patchset: a5822fe747cd2b9524c70fc13d1126f3c97c83e4 pipeline: check playbook_context: playbook_projects: trusted/project_0/github.com/vexxhost/zuul-config: canonical_name: github.com/vexxhost/zuul-config checkout: main commit: 9052b5a7781b3346e4cffd452a54448cbff54d8b trusted/project_1/opendev.org/zuul/zuul-jobs: canonical_name: opendev.org/zuul/zuul-jobs checkout: master commit: c75fe6ef19c05b98349573c971950c51bbf24758 trusted/project_2/github.com/vexxhost/zuul-jobs: canonical_name: github.com/vexxhost/zuul-jobs checkout: main commit: a6e68243e02ef030ce5e75f8b67630880c475f33 untrusted/project_0/github.com/vexxhost/zuul-jobs: canonical_name: github.com/vexxhost/zuul-jobs checkout: main commit: a6e68243e02ef030ce5e75f8b67630880c475f33 untrusted/project_1/github.com/vexxhost/zuul-config: canonical_name: github.com/vexxhost/zuul-config checkout: main commit: 9052b5a7781b3346e4cffd452a54448cbff54d8b untrusted/project_2/opendev.org/zuul/zuul-jobs: canonical_name: opendev.org/zuul/zuul-jobs checkout: master commit: c75fe6ef19c05b98349573c971950c51bbf24758 playbooks: - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/run.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/playbook_0/role_1/zuul-jobs link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs role_path: ansible/playbook_0/role_1/zuul-jobs/roles - checkout: main checkout_description: playbook branch link_name: ansible/playbook_0/role_2/zuul-jobs link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs role_path: ansible/playbook_0/role_2/zuul-jobs/roles post_playbooks: - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/post_playbook_0/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_0/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_0/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_0/role_2/zuul-jobs/roles - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post-logs.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/post_playbook_1/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_1/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_1/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_1/role_2/zuul-jobs/roles pre_playbooks: - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/pre.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/pre_playbook_0/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/pre_playbook_0/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/pre_playbook_0/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/pre_playbook_0/role_2/zuul-jobs/roles - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/pre.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/pre_playbook_1/role_1/zuul-jobs link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs role_path: ansible/pre_playbook_1/role_1/zuul-jobs/roles - checkout: main checkout_description: playbook branch link_name: ansible/pre_playbook_1/role_2/zuul-jobs link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs role_path: ansible/pre_playbook_1/role_2/zuul-jobs/roles post_review: false post_timeout: null pre_timeout: null project: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere.common name: vexxhost/atmosphere.common short_name: atmosphere.common src_dir: src/github.com/vexxhost/atmosphere.common projects: github.com/vexxhost/atmosphere.common: canonical_hostname: github.com canonical_name: github.com/vexxhost/atmosphere.common checkout: main checkout_description: zuul branch commit: b79eb843737fdb651370f607c19663d5657439ec name: vexxhost/atmosphere.common required: false short_name: atmosphere.common src_dir: src/github.com/vexxhost/atmosphere.common ref: refs/pull/110/head resources: {} tenant: oss timeout: 1800 topic: null voting: true