Browse code
gha: set permissions to read-only by default
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Sebastiaan van Stijn authored on 2024/07/29 20:22:15Showing 11 changed files
- .github/workflows/.dco.yml
- .github/workflows/.test-prepare.yml
- .github/workflows/.test.yml
- .github/workflows/.windows.yml
- .github/workflows/bin-image.yml
- .github/workflows/buildkit.yml
- .github/workflows/ci.yml
- .github/workflows/test.yml
- .github/workflows/validate-pr.yml
- .github/workflows/windows-2019.yml
- .github/workflows/windows-2022.yml
| ... | ... |
@@ -3,6 +3,15 @@ name: .dco |
| 3 | 3 |
|
| 4 | 4 |
# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025 |
| 5 | 5 |
|
| 6 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 7 |
+# |
|
| 8 |
+# If any permission is set, any permission not included in the list is |
|
| 9 |
+# implicitly set to "none". |
|
| 10 |
+# |
|
| 11 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 12 |
+permissions: |
|
| 13 |
+ contents: read |
|
| 14 |
+ |
|
| 6 | 15 |
on: |
| 7 | 16 |
workflow_call: |
| 8 | 17 |
|
| ... | ... |
@@ -3,6 +3,15 @@ name: .test-prepare |
| 3 | 3 |
|
| 4 | 4 |
# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025 |
| 5 | 5 |
|
| 6 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 7 |
+# |
|
| 8 |
+# If any permission is set, any permission not included in the list is |
|
| 9 |
+# implicitly set to "none". |
|
| 10 |
+# |
|
| 11 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 12 |
+permissions: |
|
| 13 |
+ contents: read |
|
| 14 |
+ |
|
| 6 | 15 |
on: |
| 7 | 16 |
workflow_call: |
| 8 | 17 |
outputs: |
| ... | ... |
@@ -3,6 +3,15 @@ name: .test |
| 3 | 3 |
|
| 4 | 4 |
# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025 |
| 5 | 5 |
|
| 6 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 7 |
+# |
|
| 8 |
+# If any permission is set, any permission not included in the list is |
|
| 9 |
+# implicitly set to "none". |
|
| 10 |
+# |
|
| 11 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 12 |
+permissions: |
|
| 13 |
+ contents: read |
|
| 14 |
+ |
|
| 6 | 15 |
on: |
| 7 | 16 |
workflow_call: |
| 8 | 17 |
inputs: |
| ... | ... |
@@ -3,6 +3,15 @@ name: .windows |
| 3 | 3 |
|
| 4 | 4 |
# TODO: hide reusable workflow from the UI. Tracked in https://github.com/community/community/discussions/12025 |
| 5 | 5 |
|
| 6 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 7 |
+# |
|
| 8 |
+# If any permission is set, any permission not included in the list is |
|
| 9 |
+# implicitly set to "none". |
|
| 10 |
+# |
|
| 11 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 12 |
+permissions: |
|
| 13 |
+ contents: read |
|
| 14 |
+ |
|
| 6 | 15 |
on: |
| 7 | 16 |
workflow_call: |
| 8 | 17 |
inputs: |
| ... | ... |
@@ -1,5 +1,14 @@ |
| 1 | 1 |
name: bin-image |
| 2 | 2 |
|
| 3 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 4 |
+# |
|
| 5 |
+# If any permission is set, any permission not included in the list is |
|
| 6 |
+# implicitly set to "none". |
|
| 7 |
+# |
|
| 8 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 9 |
+permissions: |
|
| 10 |
+ contents: read |
|
| 11 |
+ |
|
| 3 | 12 |
concurrency: |
| 4 | 13 |
group: ${{ github.workflow }}-${{ github.ref }}
|
| 5 | 14 |
cancel-in-progress: true |
| ... | ... |
@@ -1,5 +1,14 @@ |
| 1 | 1 |
name: buildkit |
| 2 | 2 |
|
| 3 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 4 |
+# |
|
| 5 |
+# If any permission is set, any permission not included in the list is |
|
| 6 |
+# implicitly set to "none". |
|
| 7 |
+# |
|
| 8 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 9 |
+permissions: |
|
| 10 |
+ contents: read |
|
| 11 |
+ |
|
| 3 | 12 |
concurrency: |
| 4 | 13 |
group: ${{ github.workflow }}-${{ github.ref }}
|
| 5 | 14 |
cancel-in-progress: true |
| ... | ... |
@@ -1,5 +1,14 @@ |
| 1 | 1 |
name: ci |
| 2 | 2 |
|
| 3 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 4 |
+# |
|
| 5 |
+# If any permission is set, any permission not included in the list is |
|
| 6 |
+# implicitly set to "none". |
|
| 7 |
+# |
|
| 8 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 9 |
+permissions: |
|
| 10 |
+ contents: read |
|
| 11 |
+ |
|
| 3 | 12 |
concurrency: |
| 4 | 13 |
group: ${{ github.workflow }}-${{ github.ref }}
|
| 5 | 14 |
cancel-in-progress: true |
| ... | ... |
@@ -1,5 +1,14 @@ |
| 1 | 1 |
name: test |
| 2 | 2 |
|
| 3 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 4 |
+# |
|
| 5 |
+# If any permission is set, any permission not included in the list is |
|
| 6 |
+# implicitly set to "none". |
|
| 7 |
+# |
|
| 8 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 9 |
+permissions: |
|
| 10 |
+ contents: read |
|
| 11 |
+ |
|
| 3 | 12 |
concurrency: |
| 4 | 13 |
group: ${{ github.workflow }}-${{ github.ref }}
|
| 5 | 14 |
cancel-in-progress: true |
| ... | ... |
@@ -1,5 +1,14 @@ |
| 1 | 1 |
name: validate-pr |
| 2 | 2 |
|
| 3 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 4 |
+# |
|
| 5 |
+# If any permission is set, any permission not included in the list is |
|
| 6 |
+# implicitly set to "none". |
|
| 7 |
+# |
|
| 8 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 9 |
+permissions: |
|
| 10 |
+ contents: read |
|
| 11 |
+ |
|
| 3 | 12 |
on: |
| 4 | 13 |
pull_request: |
| 5 | 14 |
types: [opened, edited, labeled, unlabeled] |
| ... | ... |
@@ -1,5 +1,14 @@ |
| 1 | 1 |
name: windows-2019 |
| 2 | 2 |
|
| 3 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 4 |
+# |
|
| 5 |
+# If any permission is set, any permission not included in the list is |
|
| 6 |
+# implicitly set to "none". |
|
| 7 |
+# |
|
| 8 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 9 |
+permissions: |
|
| 10 |
+ contents: read |
|
| 11 |
+ |
|
| 3 | 12 |
concurrency: |
| 4 | 13 |
group: ${{ github.workflow }}-${{ github.ref }}
|
| 5 | 14 |
cancel-in-progress: true |
| ... | ... |
@@ -1,5 +1,14 @@ |
| 1 | 1 |
name: windows-2022 |
| 2 | 2 |
|
| 3 |
+# Default to 'contents: read', which grants actions to read commits. |
|
| 4 |
+# |
|
| 5 |
+# If any permission is set, any permission not included in the list is |
|
| 6 |
+# implicitly set to "none". |
|
| 7 |
+# |
|
| 8 |
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions |
|
| 9 |
+permissions: |
|
| 10 |
+ contents: read |
|
| 11 |
+ |
|
| 3 | 12 |
concurrency: |
| 4 | 13 |
group: ${{ github.workflow }}-${{ github.ref }}
|
| 5 | 14 |
cancel-in-progress: true |