author | Diogo Teles Sant'Anna <diogoteles@google.com> | 2023-05-18 21:08:10 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-18 21:08:10 (GMT) |
commit | 14edcfaffd6c2bbe487236742ae19093be9fe9dd (patch) | |
tree | ca5f2ba69a559467f5806d912c50448b76882402 | |
parent | 482920808f1ec5f33770af1360bdf56ebec5eb8c (diff) | |
ci: set minimal permissions on GitHub Workflows (#2980)
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
-rw-r--r-- | .github/workflows/clang-format-check.yml | 2 | ||||
-rw-r--r-- | .github/workflows/clang-format-fix.yml | 4 | ||||
-rw-r--r-- | .github/workflows/cmake-ctest.yml | 3 | ||||
-rw-r--r-- | .github/workflows/codespell.yml | 2 | ||||
-rw-r--r-- | .github/workflows/daily-build.yml | 3 | ||||
-rw-r--r-- | .github/workflows/hdfeos5.yml | 3 | ||||
-rw-r--r-- | .github/workflows/main.yml | 3 | ||||
-rw-r--r-- | .github/workflows/tarball.yml | 3 |
8 files changed, 23 insertions, 0 deletions
diff --git a/.github/workflows/clang-format-check.yml b/.github/workflows/clang-format-check.yml
index 70809a1..56d2b48 100644
--- a/.github/workflows/clang-format-check.yml
+++ b/.github/workflows/clang-format-check.yml
@@ -1,6 +1,8 @@
 name: clang-format Check
 on:
 pull_request:
+permissions:
+ contents: read
 jobs:
 formatting-check:
 name: Formatting Check
diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml
index 00d2352..5981118 100644
--- a/.github/workflows/clang-format-fix.yml
+++ b/.github/workflows/clang-format-fix.yml
@@ -11,11 +11,15 @@ name: clang-format Commit Changes
 on:
 workflow_dispatch:
 push:
+permissions:
+ contents: read
 jobs:
 formatting-check:
 name: Commit Format Changes
 runs-on: ubuntu-latest
 if: "!contains(github.event.head_commit.message, 'skip-ci')"
+ permissions:
+ contents: write # In order to allow EndBug/add-and-commit to commit changes
 steps:
 - uses: actions/checkout@v3
 - name: Fix C and Java formatting issues detected by clang-format
diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml
index c21872d..02d8205 100644
--- a/.github/workflows/cmake-ctest.yml
+++ b/.github/workflows/cmake-ctest.yml
@@ -9,6 +9,9 @@ on:
 required: true
 type: string
+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel
 jobs:
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index ddf1038..37294bf 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -3,6 +3,8 @@
 # https://github.com/codespell-project/actions-codespell
 name: codespell
 on: [push, pull_request]
+permissions:
+ contents: read
 jobs:
 codespell:
 name: Check for spelling errors
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 0e040ca..04e52ac 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
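Review bot: The new top-level `permissions:` block in clang-format-check.yml carries no comment, and a block that names only `contents` leaves every scope it does not list at `none` for the GITHUB_TOKEN. A one-line comment above it, such as `# Read-only token by default; grant extra scopes per job, not here`, would tell the next maintainer where to add a scope when a new step is denied access. The same uncommented block is added in clang-format-fix.yml, cmake-ctest.yml, codespell.yml, daily-build.yml, hdfeos5.yml, main.yml and tarball.yml.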
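Review bot: The `formatting-check` job in clang-format-fix.yml is now the one place in these workflows that holds a write token, yet the step visible in this hunk still references `actions/checkout@v3` by a mutable tag. Every action that runs in this job inherits `contents: write`, so each `uses:` entry here is better pinned to a full commit SHA, for example `- uses: actions/checkout@<full-commit-sha>  # v3`. The step list continues past the end of the hunk, so the EndBug/add-and-commit reference named in the added comment is not visible and presumably needs the same pin. The workflow also triggers on every `push`, which is worth confirming as intended now that the job can write to the repository.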
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: "6 0 * * *"
+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel.
 jobs:
diff --git a/.github/workflows/hdfeos5.yml b/.github/workflows/hdfeos5.yml
index 03c9746..089e8df 100644
--- a/.github/workflows/hdfeos5.yml
+++ b/.github/workflows/hdfeos5.yml
@@ -19,6 +19,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 build:
 name: Build hdfeos5
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0711d00..8892588 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -20,6 +20,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel. We just have one job, but the matrix items defined below will
 # run in parallel.
diff --git a/.github/workflows/tarball.yml b/.github/workflows/tarball.yml
index 12f3438..e68cb64 100644
--- a/.github/workflows/tarball.yml
+++ b/.github/workflows/tarball.yml
@@ -11,6 +11,9 @@ on:
 description: "The common base name of the source tarballs"
 value: ${{ jobs.create_tarball.outputs.file_base }}
+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel
 jobs: |