author | sashashura <aleksandrosansan@gmail.com> | 2022-10-04 08:58:26 +0300 |
---|---|---|
committer | sashashura <aleksandrosansan@gmail.com> | 2022-10-04 08:58:26 +0300 |
commit | af330add38957e94275124d6f8b40da70bdea02f (patch) | |
tree | 2a7dc54e5bf6793b9204d89ef6b9a946297066fb /.github | |
parent | 198beb0d45ef9ae2be1f4a6d35446a2822c13d76 (diff) | |
download | rust-libc-af330add38957e94275124d6f8b40da70bdea02f.tar.gz |
Harden workflows security
Signed-off-by: Alex <aleksandrosansan@gmail.com>
Diffstat (limited to '.github')
-rw-r--r-- | .github/workflows/bors.yml | 43 | ||||
-rw-r--r-- | .github/workflows/main.yml | 3 |
2 files changed, 46 insertions, 0 deletions
diff --git a/.github/workflows/bors.yml b/.github/workflows/bors.yml
index ab08c167f1..b614983339 100644
--- a/.github/workflows/bors.yml
+++ b/.github/workflows/bors.yml
@@ -6,8 +6,13 @@ on:
 - auto-libc
 - try
+permissions: {}
 jobs:
 docker_linux_tier1:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
 name: Docker Linux Tier1
 runs-on: ubuntu-22.04
 strategy:
@@ -28,6 +33,10 @@ jobs:
 run: LIBC_CI=1 sh ./ci/run-docker.sh ${{ matrix.target }}
 macos:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
 name: macOS
 runs-on: macos-12
 strategy:
@@ -47,6 +56,10 @@ jobs:
 run: LIBC_CI=1 sh ./ci/run.sh ${{ matrix.target }}
 windows:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
 name: Windows
 runs-on: windows-2022
 env:
@@ -83,6 +96,10 @@ jobs:
 shell: bash
 style_check:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
 name: Style check
 runs-on: ubuntu-22.04
 steps:
@@ -96,6 +113,10 @@ jobs:
 run: sh ci/style.sh
 docker_linux_tier2:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
 name: Docker Linux Tier2
 needs: [docker_linux_tier1, style_check]
 runs-on: ubuntu-22.04
@@ -154,6 +175,10 @@ jobs:
 # These targets are tier 3 or otherwise need to have CI build std via -Zbuild-std.
 # Because of this, only the nightly compiler can be used on these targets.
 docker_linux_build_std:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
 if: ${{ false }} # This is currently broken
 name: Docker Linux Build-Std Targets
 needs: [docker_linux_tier1, style_check]
@@ -177,6 +202,10 @@ jobs:
 # devkitpro's pacman needs to be connected from Docker.
 docker_switch:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
 name: Docker Switch
 needs: [docker_linux_tier1, style_check]
 runs-on: ubuntu-22.04
@@ -191,6 +220,10 @@ jobs:
 run: LIBC_CI=1 sh ./ci/run-docker.sh switch
 build_channels_linux:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
 name: Build Channels Linux
 needs: docker_linux_tier2
 runs-on: ubuntu-22.04
@@ -221,6 +254,9 @@ jobs:
 run: LIBC_CI=1 TOOLCHAIN=${{ matrix.toolchain }} sh ./ci/build.sh
 build_channels_macos:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+
 name: Build Channels macOS
 needs: macos
 runs-on: macos-12
@@ -251,6 +287,9 @@ jobs:
 run: LIBC_CI=1 TOOLCHAIN=${{ matrix.toolchain }} sh ./ci/build.sh
 build_channels_windows:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+
 name: Build Channels Windows
 runs-on: windows-2022
 env:
@@ -301,6 +340,10 @@ jobs:
 run: sh ci/semver.sh macos
 docs:
+ permissions:
+ actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
+ contents: read # to fetch code (actions/checkout)
+
 name: Generate documentation
 runs-on: ubuntu-22.04
 needs: docker_linux_tier2
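Review bot: With `permissions: {}` now set at workflow level in the first hunk, any job that does not get its own block runs with a GITHUB_TOKEN that has no scopes, and the job whose step `run: sh ci/semver.sh macos` appears as context in the last hunk receives no `permissions:` block anywhere in this diff (its header lies outside the hunks, so this is inferred from the diffstat of 43 added lines, all accounted for by the eleven hunks shown). If that job checks out the repository like its siblings, it needs at least `permissions:` followed by `contents: read # to fetch code (actions/checkout)`, and `actions: write` as well if it invokes cancel-outdated-builds. The same check applies to any other job between the build_channels_windows and docs hunks that this commit leaves untouched; the breakage would only surface on the next run on the auto-libc or try branches, so it is worth verifying against the full file before merging.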
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9cb5ffdc11..635d6121e6 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -7,6 +7,9 @@ on:
 branches:
 - master
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 docker_linux_tier1:
 name: Docker Linux Tier1
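Review bot: The workflow-level `permissions:` block grants only `contents: read` and no job in main.yml gets the per-job `actions: write` that the same commit adds throughout bors.yml; if any main.yml job (all of them are outside this hunk, only the `docker_linux_tier1:` header is visible as context) runs the rust-lang/simpleinfra cancel-outdated-builds action, that step will fail once the token loses its default write scopes. Either add the matching block, `permissions:` / `actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)` / `contents: read # to fetch code (actions/checkout)`, to those jobs, or add a comment above the new `permissions:` key stating that main.yml jobs intentionally do not cancel outdated runs, so the asymmetry with bors.yml reads as deliberate rather than as an omission. This is inferred from the two files' parallel job names, not verified against main.yml's steps.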