all: children: zuul_unreachable: hosts: {} hosts: rockylinux-9: ansible_connection: ssh ansible_host: 162.253.55.207 ansible_port: 22 ansible_python_interpreter: /usr/bin/python3 ansible_user: zuul docker_version: 24.0.9 molecule_scenario: docker nodepool: az: nova cloud: public external_id: 2709546f-8156-40eb-82be-a51ca6be11bd host_id: 46a3119b92b21b95fc3b5fbffd17c6ebf9fffaf9848b0a50b2d8d56a interface_ip: 162.253.55.207 label: rockylinux-9 node_properties: {} private_ipv4: 162.253.55.207 private_ipv6: null provider: yul1 public_ipv4: 162.253.55.207 public_ipv6: 2604:e100:1:0:f816:3eff:fe42:f42 region: ca-ymq-1 slot: null zuul_node: az: nova cloud: public external_id: 2709546f-8156-40eb-82be-a51ca6be11bd host_id: 46a3119b92b21b95fc3b5fbffd17c6ebf9fffaf9848b0a50b2d8d56a interface_ip: 162.253.55.207 label: rockylinux-9 node_properties: {} private_ipv4: 162.253.55.207 private_ipv6: null provider: yul1 public_ipv4: 162.253.55.207 public_ipv6: 2604:e100:1:0:f816:3eff:fe42:f42 region: ca-ymq-1 slot: null uuid: null vars: docker_version: 24.0.9 molecule_scenario: docker zuul: _inheritance_path: - '' - '' - '' - '' - '' - '' ansible_version: '9' attempts: 1 branch: main build: 8f9051d10c0044ec9028fd490549c3b1 build_refs: - branch: main change: '98' change_message: 'ci: enforce least-privilege permissions for GitHub Actions workflows ## Enforce least-privilege permissions This PR adds explicit `permissions` blocks to GitHub Actions workflow files that currently have no permissions defined, following the principle of least privilege. ### Changes - `bump.yaml`: contents: write, pull-requests: write - `pr.yaml`: permissions: {} (defense-in-depth) ### Why Without explicit permissions, workflows inherit the default token permissions configured at the repository or organization level. By explicitly declaring the minimum required permissions, we reduce the blast radius if a workflow is compromised. ### References - [GitHub Actions security hardening](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) - [Automatic token authentication permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) ' change_url: https://github.com/vexxhost/ansible-collection-containers/pull/98 commit_id: 6783ce3faa4ab77fb0ff351f06745bb3c820a2b7 patchset: 6783ce3faa4ab77fb0ff351f06745bb3c820a2b7 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/ansible-collection-containers name: vexxhost/ansible-collection-containers short_name: ansible-collection-containers src_dir: src/github.com/vexxhost/ansible-collection-containers src_dir: src/github.com/vexxhost/ansible-collection-containers topic: null buildset: 704d7b834b5a498b88867971a6db5582 buildset_refs: - branch: main change: '98' change_message: 'ci: enforce least-privilege permissions for GitHub Actions workflows ## Enforce least-privilege permissions This PR adds explicit `permissions` blocks to GitHub Actions workflow files that currently have no permissions defined, following the principle of least privilege. ### Changes - `bump.yaml`: contents: write, pull-requests: write - `pr.yaml`: permissions: {} (defense-in-depth) ### Why Without explicit permissions, workflows inherit the default token permissions configured at the repository or organization level. By explicitly declaring the minimum required permissions, we reduce the blast radius if a workflow is compromised. ### References - [GitHub Actions security hardening](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) - [Automatic token authentication permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) ' change_url: https://github.com/vexxhost/ansible-collection-containers/pull/98 commit_id: 6783ce3faa4ab77fb0ff351f06745bb3c820a2b7 patchset: 6783ce3faa4ab77fb0ff351f06745bb3c820a2b7 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/ansible-collection-containers name: vexxhost/ansible-collection-containers short_name: ansible-collection-containers src_dir: src/github.com/vexxhost/ansible-collection-containers src_dir: src/github.com/vexxhost/ansible-collection-containers topic: null change: '98' change_message: 'ci: enforce least-privilege permissions for GitHub Actions workflows ## Enforce least-privilege permissions This PR adds explicit `permissions` blocks to GitHub Actions workflow files that currently have no permissions defined, following the principle of least privilege. ### Changes - `bump.yaml`: contents: write, pull-requests: write - `pr.yaml`: permissions: {} (defense-in-depth) ### Why Without explicit permissions, workflows inherit the default token permissions configured at the repository or organization level. By explicitly declaring the minimum required permissions, we reduce the blast radius if a workflow is compromised. ### References - [GitHub Actions security hardening](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) - [Automatic token authentication permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) ' change_url: https://github.com/vexxhost/ansible-collection-containers/pull/98 child_jobs: [] commit_id: 6783ce3faa4ab77fb0ff351f06745bb3c820a2b7 event_id: b83b96a0-1bcb-11f1-9a32-4521dd0a5981 executor: hostname: 0a8996d2b663 inventory_file: /var/lib/zuul/builds/8f9051d10c0044ec9028fd490549c3b1/ansible/inventory.yaml log_root: /var/lib/zuul/builds/8f9051d10c0044ec9028fd490549c3b1/work/logs result_data_file: /var/lib/zuul/builds/8f9051d10c0044ec9028fd490549c3b1/work/results.json src_root: /var/lib/zuul/builds/8f9051d10c0044ec9028fd490549c3b1/work/src work_root: /var/lib/zuul/builds/8f9051d10c0044ec9028fd490549c3b1/work include_vars: [] items: - branch: main change: '98' change_message: 'ci: enforce least-privilege permissions for GitHub Actions workflows ## Enforce least-privilege permissions This PR adds explicit `permissions` blocks to GitHub Actions workflow files that currently have no permissions defined, following the principle of least privilege. ### Changes - `bump.yaml`: contents: write, pull-requests: write - `pr.yaml`: permissions: {} (defense-in-depth) ### Why Without explicit permissions, workflows inherit the default token permissions configured at the repository or organization level. By explicitly declaring the minimum required permissions, we reduce the blast radius if a workflow is compromised. ### References - [GitHub Actions security hardening](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) - [Automatic token authentication permissions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) ' change_url: https://github.com/vexxhost/ansible-collection-containers/pull/98 commit_id: 6783ce3faa4ab77fb0ff351f06745bb3c820a2b7 patchset: 6783ce3faa4ab77fb0ff351f06745bb3c820a2b7 project: canonical_hostname: github.com canonical_name: github.com/vexxhost/ansible-collection-containers name: vexxhost/ansible-collection-containers short_name: ansible-collection-containers src_dir: src/github.com/vexxhost/ansible-collection-containers topic: null job: ansible-collection-containers-molecule-docker-rockylinux-9 jobtags: [] max_attempts: 3 message: Y2k6IGVuZm9yY2UgbGVhc3QtcHJpdmlsZWdlIHBlcm1pc3Npb25zIGZvciBHaXRIdWIgQWN0aW9ucyB3b3JrZmxvd3MKCiMjIEVuZm9yY2UgbGVhc3QtcHJpdmlsZWdlIHBlcm1pc3Npb25zCgpUaGlzIFBSIGFkZHMgZXhwbGljaXQgYHBlcm1pc3Npb25zYCBibG9ja3MgdG8gR2l0SHViIEFjdGlvbnMgd29ya2Zsb3cgZmlsZXMgdGhhdCBjdXJyZW50bHkgaGF2ZSBubyBwZXJtaXNzaW9ucyBkZWZpbmVkLCBmb2xsb3dpbmcgdGhlIHByaW5jaXBsZSBvZiBsZWFzdCBwcml2aWxlZ2UuCgojIyMgQ2hhbmdlcwotIGBidW1wLnlhbWxgOiBjb250ZW50czogd3JpdGUsIHB1bGwtcmVxdWVzdHM6IHdyaXRlCi0gYHByLnlhbWxgOiBwZXJtaXNzaW9uczoge30gKGRlZmVuc2UtaW4tZGVwdGgpCgojIyMgV2h5CldpdGhvdXQgZXhwbGljaXQgcGVybWlzc2lvbnMsIHdvcmtmbG93cyBpbmhlcml0IHRoZSBkZWZhdWx0IHRva2VuIHBlcm1pc3Npb25zIGNvbmZpZ3VyZWQgYXQgdGhlIHJlcG9zaXRvcnkgb3Igb3JnYW5pemF0aW9uIGxldmVsLiBCeSBleHBsaWNpdGx5IGRlY2xhcmluZyB0aGUgbWluaW11bSByZXF1aXJlZCBwZXJtaXNzaW9ucywgd2UgcmVkdWNlIHRoZSBibGFzdCByYWRpdXMgaWYgYSB3b3JrZmxvdyBpcyBjb21wcm9taXNlZC4KCiMjIyBSZWZlcmVuY2VzCi0gW0dpdEh1YiBBY3Rpb25zIHNlY3VyaXR5IGhhcmRlbmluZ10oaHR0cHM6Ly9kb2NzLmdpdGh1Yi5jb20vZW4vYWN0aW9ucy9zZWN1cml0eS1mb3ItZ2l0aHViLWFjdGlvbnMvc2VjdXJpdHktZ3VpZGVzL3NlY3VyaXR5LWhhcmRlbmluZy1mb3ItZ2l0aHViLWFjdGlvbnMpCi0gW0F1dG9tYXRpYyB0b2tlbiBhdXRoZW50aWNhdGlvbiBwZXJtaXNzaW9uc10oaHR0cHM6Ly9kb2NzLmdpdGh1Yi5jb20vZW4vYWN0aW9ucy9zZWN1cml0eS1mb3ItZ2l0aHViLWFjdGlvbnMvc2VjdXJpdHktZ3VpZGVzL2F1dG9tYXRpYy10b2tlbi1hdXRoZW50aWNhdGlvbiNwZXJtaXNzaW9ucy1mb3ItdGhlLWdpdGh1Yl90b2tlbikK patchset: 6783ce3faa4ab77fb0ff351f06745bb3c820a2b7 pipeline: check playbook_context: playbook_projects: trusted/project_0/github.com/vexxhost/zuul-config: canonical_name: github.com/vexxhost/zuul-config checkout: main commit: 9052b5a7781b3346e4cffd452a54448cbff54d8b trusted/project_1/opendev.org/zuul/zuul-jobs: canonical_name: opendev.org/zuul/zuul-jobs checkout: master commit: c75fe6ef19c05b98349573c971950c51bbf24758 trusted/project_2/github.com/vexxhost/zuul-jobs: canonical_name: github.com/vexxhost/zuul-jobs checkout: main commit: a6e68243e02ef030ce5e75f8b67630880c475f33 untrusted/project_0/github.com/vexxhost/zuul-jobs: canonical_name: github.com/vexxhost/zuul-jobs checkout: main commit: a6e68243e02ef030ce5e75f8b67630880c475f33 untrusted/project_1/github.com/vexxhost/zuul-config: canonical_name: github.com/vexxhost/zuul-config checkout: main commit: 9052b5a7781b3346e4cffd452a54448cbff54d8b untrusted/project_2/opendev.org/zuul/zuul-jobs: canonical_name: opendev.org/zuul/zuul-jobs checkout: master commit: c75fe6ef19c05b98349573c971950c51bbf24758 playbooks: - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/run.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/playbook_0/role_1/zuul-jobs link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs role_path: ansible/playbook_0/role_1/zuul-jobs/roles - checkout: main checkout_description: playbook branch link_name: ansible/playbook_0/role_2/zuul-jobs link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs role_path: ansible/playbook_0/role_2/zuul-jobs/roles post_playbooks: - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/post_playbook_0/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_0/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_0/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_0/role_2/zuul-jobs/roles - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/post-logs.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/post_playbook_1/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/post_playbook_1/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/post_playbook_1/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/post_playbook_1/role_2/zuul-jobs/roles pre_playbooks: - path: trusted/project_0/github.com/vexxhost/zuul-config/playbooks/base/pre.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/pre_playbook_0/role_1/zuul-jobs link_target: trusted/project_1/opendev.org/zuul/zuul-jobs role_path: ansible/pre_playbook_0/role_1/zuul-jobs/roles - checkout: main checkout_description: zuul branch link_name: ansible/pre_playbook_0/role_2/zuul-jobs link_target: trusted/project_2/github.com/vexxhost/zuul-jobs role_path: ansible/pre_playbook_0/role_2/zuul-jobs/roles - path: untrusted/project_0/github.com/vexxhost/zuul-jobs/playbooks/molecule/pre.yaml roles: - checkout: master checkout_description: project default branch link_name: ansible/pre_playbook_1/role_1/zuul-jobs link_target: untrusted/project_2/opendev.org/zuul/zuul-jobs role_path: ansible/pre_playbook_1/role_1/zuul-jobs/roles - checkout: main checkout_description: playbook branch link_name: ansible/pre_playbook_1/role_2/zuul-jobs link_target: untrusted/project_0/github.com/vexxhost/zuul-jobs role_path: ansible/pre_playbook_1/role_2/zuul-jobs/roles post_review: false post_timeout: null pre_timeout: null project: canonical_hostname: github.com canonical_name: github.com/vexxhost/ansible-collection-containers name: vexxhost/ansible-collection-containers short_name: ansible-collection-containers src_dir: src/github.com/vexxhost/ansible-collection-containers projects: github.com/vexxhost/ansible-collection-containers: canonical_hostname: github.com canonical_name: github.com/vexxhost/ansible-collection-containers checkout: main checkout_description: zuul branch commit: 38fe9a1dab65fcfa4fc8d5d6c853c7de5d837a70 name: vexxhost/ansible-collection-containers required: false short_name: ansible-collection-containers src_dir: src/github.com/vexxhost/ansible-collection-containers ref: refs/pull/98/head resources: {} tenant: oss timeout: 1800 topic: null voting: true