| author | Evgeny Vereshchagin <evvers@ya.ru> | 2021-11-14 09:41:42 +0000 |
|---|---|---|
| committer | Evgeny Vereshchagin <evvers@ya.ru> | 2021-11-14 10:51:07 +0000 |
| commit | 510afa460acad51a05e627f61d62a33f066b78da (patch) | |
| tree | 56e3b20896538e2b2ad40b1e5c0711fc6e34fd69 /.github | |
| parent | b3a1fb795a75a82f3be1325031872dfe61cc2593 (diff) | |
| download | systemd-510afa460acad51a05e627f61d62a33f066b78da.tar.gz | |
ci: tighten codeql and labeler even more
by moving the read permissions to the top level and
granting additional permissions to the specific jobs.
It should help to prevent new jobs that could be added
there eventually from having write access to resources they
most likely would never need.
Diffstat (limited to '.github')

| -rw-r--r-- | .github/workflows/codeql-analysis.yml | 4 |
|---|---|---|
| -rw-r--r-- | .github/workflows/labeler.yml | 3 |

2 files changed, 5 insertions, 2 deletions
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index c003cc5179..460002eaeb 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -11,6 +11,9 @@ on: schedule: - cron: '0 1 * * *' +permissions: + contents: read + jobs: analyze: name: Analyze @@ -20,7 +23,6 @@ jobs: cancel-in-progress: true permissions: actions: read - contents: read security-events: write strategy: diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 800f8877a3..34d9d63d42 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -9,11 +9,12 @@ on: permissions: contents: read - pull-requests: write jobs: triage: runs-on: ubuntu-latest + permissions: + pull-requests: write steps: - uses: actions/labeler@69da01b8e0929f147b8943611bee75ee4175a49e with: |
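Review bot: in the first codeql-analysis.yml hunk, the new top-level `permissions: contents: read` is only a default for jobs that declare no `permissions` block of their own; since the `analyze` job declares one, this line changes nothing for the current job and only constrains jobs added later, exactly as the commit message intends. A one-line comment above it saying so would save the next contributor from assuming the top-level block merges into the job-level one.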
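Review bot: the second codeql-analysis.yml hunk drops `contents: read` from the `analyze` job's own `permissions` block, but a job-level `permissions` block replaces the workflow-level one rather than adding to it, and any scope not listed in it is set to none; so after this hunk the job's `GITHUB_TOKEN` keeps `actions: read` and `security-events: write` and loses `contents: read` entirely, it does not inherit it from the top level. GitHub's CodeQL starter workflow lists `contents: read` alongside those two at the job level; suggest keeping the line (`contents: read` between `actions: read` and `security-events: write`) or confirming on a real run that checkout and the CodeQL steps still succeed without it.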
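Review bot: in the labeler.yml hunk, the `triage` job gains a `permissions` block containing only `pull-requests: write`, which means its token no longer carries the `contents: read` that the workflow-level block used to grant it, because job-level `permissions` override the workflow-level block instead of merging with it. `actions/labeler` reads its label configuration from the repository, so suggest adding `contents: read` next to `pull-requests: write` in the job block so the job keeps the read access it had before this change; pinning the action to a full commit SHA is good and should stay.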