diff options
Diffstat (limited to '.github/workflows')
-rw-r--r-- | .github/workflows/daily-build.yml | 5 | ||||
-rw-r--r-- | .github/workflows/h5py.yml | 3 | ||||
-rw-r--r-- | .github/workflows/netcdf.yml | 3 | ||||
-rw-r--r-- | .github/workflows/release.yml | 4 |
4 files changed, 15 insertions, 0 deletions
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml index 265a6c3..ec35e10 100644 --- a/.github/workflows/daily-build.yml +++ b/.github/workflows/daily-build.yml @@ -6,6 +6,9 @@ on: schedule: - cron: "6 0 * * *" +permissions: + contents: read + # A workflow run is made up of one or more jobs that can run sequentially or # in parallel. jobs: @@ -21,6 +24,8 @@ jobs: call-workflow-release: needs: [call-workflow-tarball, call-workflow-ctest] + permissions: + contents: write # In order to allow tag creation uses: ./.github/workflows/release.yml with: file_base: ${{ needs.call-workflow-tarball.outputs.file_base }} diff --git a/.github/workflows/h5py.yml b/.github/workflows/h5py.yml index fb82dc1..63531ed 100644 --- a/.github/workflows/h5py.yml +++ b/.github/workflows/h5py.yml @@ -4,6 +4,9 @@ on: schedule: - cron: "6 0 * * *" +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/.github/workflows/netcdf.yml b/.github/workflows/netcdf.yml index 137e5e5..37041d6 100644 --- a/.github/workflows/netcdf.yml +++ b/.github/workflows/netcdf.yml @@ -14,6 +14,9 @@ on: - 'COPYING**' - '**.md' +permissions: + contents: read + # Using concurrency to cancel any in-progress job or run concurrency: group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ae58434..e79dfd2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -17,6 +17,10 @@ on: required: true type: string +# Minimal permissions to be inherited by any job that doesn't declare its own permissions +permissions: + contents: read + # Previous workflows must pass to get here so tag the commit that created the files jobs: create-tag: |