summaryrefslogtreecommitdiffstats
path: root/.github/workflows
diff options
context:
space:
mode:
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/daily-build.yml5
-rw-r--r--.github/workflows/h5py.yml3
-rw-r--r--.github/workflows/netcdf.yml3
-rw-r--r--.github/workflows/release.yml4
4 files changed, 15 insertions, 0 deletions
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 265a6c3..ec35e10 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -6,6 +6,9 @@ on:
schedule:
- cron: "6 0 * * *"
+permissions:
+ contents: read
+
# A workflow run is made up of one or more jobs that can run sequentially or
# in parallel.
jobs:
@@ -21,6 +24,8 @@ jobs:
call-workflow-release:
needs: [call-workflow-tarball, call-workflow-ctest]
+ permissions:
+ contents: write # In order to allow tag creation
uses: ./.github/workflows/release.yml
with:
file_base: ${{ needs.call-workflow-tarball.outputs.file_base }}
diff --git a/.github/workflows/h5py.yml b/.github/workflows/h5py.yml
index fb82dc1..63531ed 100644
--- a/.github/workflows/h5py.yml
+++ b/.github/workflows/h5py.yml
@@ -4,6 +4,9 @@ on:
schedule:
- cron: "6 0 * * *"
+permissions:
+ contents: read
+
jobs:
build:
runs-on: ubuntu-latest
diff --git a/.github/workflows/netcdf.yml b/.github/workflows/netcdf.yml
index 137e5e5..37041d6 100644
--- a/.github/workflows/netcdf.yml
+++ b/.github/workflows/netcdf.yml
@@ -14,6 +14,9 @@ on:
- 'COPYING**'
- '**.md'
+permissions:
+ contents: read
+
# Using concurrency to cancel any in-progress job or run
concurrency:
group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ae58434..e79dfd2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,6 +17,10 @@ on:
required: true
type: string
+# Minimal permissions to be inherited by any job that doesn't declare its own permissions
+permissions:
+ contents: read
+
# Previous workflows must pass to get here so tag the commit that created the files
jobs:
create-tag: