author | Diogo Teles Sant'Anna <diogoteles@google.com> | 2023-06-16 14:57:14 (GMT) |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-06-16 14:57:14 (GMT) |
commit | 5e8a230619fc06b213fc2ad66b4a70f52429b68d (patch) | |
tree | 716811f49f8ffb8200a942ad27a32c48edc3c2fb | |
parent | 8135cc280c63f72dc1818b642a2b21a7a1b9b6dd (diff) | |
Define minimal permissions for new GitHub workflows (#3147)
-rw-r--r-- | .github/workflows/daily-build.yml | 5 | ||||
-rw-r--r-- | .github/workflows/h5py.yml | 3 | ||||
-rw-r--r-- | .github/workflows/netcdf.yml | 3 | ||||
-rw-r--r-- | .github/workflows/release.yml | 4 |
4 files changed, 15 insertions, 0 deletions
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 265a6c3..ec35e10 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -6,6 +6,9 @@ on:
 schedule:
 - cron: "6 0 * * *"
+permissions:
+ contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel.
 jobs:
@@ -21,6 +24,8 @@ jobs:
 call-workflow-release:
 needs: [call-workflow-tarball, call-workflow-ctest]
+ permissions:
+ contents: write # In order to allow tag creation
 uses: ./.github/workflows/release.yml
 with:
 file_base: ${{ needs.call-workflow-tarball.outputs.file_base }}
diff --git a/.github/workflows/h5py.yml b/.github/workflows/h5py.yml
index fb82dc1..63531ed 100644
--- a/.github/workflows/h5py.yml
+++ b/.github/workflows/h5py.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "6 0 * * *"
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/netcdf.yml b/.github/workflows/netcdf.yml
index 137e5e5..37041d6 100644
--- a/.github/workflows/netcdf.yml
+++ b/.github/workflows/netcdf.yml
@@ -14,6 +14,9 @@ on:
 - 'COPYING**'
 - '**.md'
+permissions:
+ contents: read
+
 # Using concurrency to cancel any in-progress job or run
 concurrency:
 group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ae58434..e79dfd2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,6 +17,10 @@ on:
 required: true
 type: string
+# Minimal permissions to be inherited by any job that doesn't declare its own permissions
+permissions:
+ contents: read
+
 # Previous workflows must pass to get here so tag the commit that created the files
 jobs:
 create-tag:
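Review bot: The workflow-level `permissions: contents: read` added here (and likewise in the h5py.yml, netcdf.yml and release.yml hunks) sets every scope that is not listed to `none`, not only `contents`, so any step in these workflows that relied on the default token for something other than checkout — updating checks or statuses, commenting on pull requests, publishing packages — loses that access with this change. The job bodies are outside the hunks, so I cannot confirm none of them does; if one does, grant the specific scope on that job rather than widening the workflow default. A one-line comment above the block, such as `# All scopes not listed here default to none; grant extra scopes per job`, would make that intent explicit for future editors.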
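Review bot: The `contents: write` granted to `call-workflow-release` is only an upper bound for the called workflow: a reusable workflow can lower the token it receives but never raise it, and release.yml's own new workflow-level `permissions: contents: read` (its hunk is later in this diff) applies to any of its jobs that do not declare their own permissions, as that hunk's comment says. Unless the `create-tag` job in release.yml — its body is outside the hunk — explicitly sets `permissions: contents: write`, the tag creation this inline comment refers to would, as far as I can tell, run with a read-only token and fail. Please verify that job declares the scope, and consider making the coupling visible from the caller with `contents: write # release.yml's create-tag job needs this and must request it itself`.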