From 99a4b1a7865fdfb965868901701463b1a0ee7174 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Mon, 6 Mar 2023 14:26:11 +0000
Subject: ci: set minimal permissions on GitHub Actions

Change made by setting top-level read-only permisisons, and any other necessary permissions set as job-level.
Closes #1421
Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/build.yml | 2 ++
 .github/workflows/cifuzz.yml | 1 +
 .github/workflows/master.yml | 9 +++++++++
 3 files changed, 12 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 99ec32be..b031e045 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -25,6 +25,8 @@ on:
 - 'whatsnew*'
 - 'LICENSE'
+permissions: read-all
+
 jobs:
 linux-cmake-job:
 runs-on: ${{ matrix.os }}
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index e7ef4776..6c9b1828 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -11,6 +11,7 @@ on:
 push:
 branches:
 - master
+permisisons: read-all
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 8f6c7b72..006daed7 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -6,8 +6,13 @@ on:
 branches:
 - master
+permissions: read-all
+
 jobs:
 coverage-job:
+ permissions:
+ checks: write # for coverallsapp/github-action to create new checks
+ contents: read # for actions/checkout to fetch code
 runs-on: ubuntu-18.04
 steps:
 - uses: actions/checkout@v2.0.0
@@ -49,6 +54,8 @@ jobs:
 name: coverage-build
 path: build
 abi-job:
+ permissions:
+ contents: write # for Git to git push
 runs-on: ubuntu-18.04
 ## TODO: use docker image, but for now this is not possible without hacks
 ## due to even public registry require some authentication:
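Review bot: The top-level `permissions: read-all` added to build.yml is broader than "minimal permissions" implies: it grants read on every token scope (issues, pull-requests, packages, deployments, and so on) to every job in the file, whereas a job that only checks out code needs just `contents: read`. The same value is used at the top level of the cifuzz.yml and master.yml hunks, and in master.yml the jobs that need more already carry their own job-level blocks, so the top level could be tightened in all three files to `permissions:` followed by `contents: read`, with any job that genuinely needs another read scope adding it to its own block. The jobs of build.yml are outside the hunk, so whether one of them depends on another read scope cannot be confirmed from here.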
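Review bot: The key added to cifuzz.yml is misspelled, `permisisons: read-all`, so the restriction this commit exists for is never applied to that workflow; GitHub's workflow parser does not accept unknown top-level keys, so this most likely fails the file outright, and even if it were ignored the token would keep its default permissions. The same misspelling appears in the commit description. The line should read `permissions: read-all` (or `permissions:` with `contents: read`, if the Fuzzing job needs nothing beyond checkout), and a blank line before `jobs:` as in the build.yml and master.yml hunks would keep the three files consistent.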
@@ -112,6 +119,8 @@ jobs:
 path: /tmp/le-abi-root/work/abi-check
 doxygen-job:
+ permissions:
+ contents: write # for Git to git push
 runs-on: ubuntu-18.04
 strategy:
 fail-fast: false
-- cgit v1.2.1