From 14edcfaffd6c2bbe487236742ae19093be9fe9dd Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Thu, 18 May 2023 18:08:10 -0300
Subject: ci: set minimal permissions on GitHub Workflows (#2980)

Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/clang-format-check.yml | 2 ++
 .github/workflows/clang-format-fix.yml | 4 ++++
 .github/workflows/cmake-ctest.yml | 3 +++
 .github/workflows/codespell.yml | 2 ++
 .github/workflows/daily-build.yml | 3 +++
 .github/workflows/hdfeos5.yml | 3 +++
 .github/workflows/main.yml | 3 +++
 .github/workflows/tarball.yml | 3 +++
 8 files changed, 23 insertions(+)

diff --git a/.github/workflows/clang-format-check.yml b/.github/workflows/clang-format-check.yml
index 70809a1..56d2b48 100644
--- a/.github/workflows/clang-format-check.yml
+++ b/.github/workflows/clang-format-check.yml
@@ -1,6 +1,8 @@
 name: clang-format Check
 on:
   pull_request:
+permissions:
+  contents: read
 jobs:
   formatting-check:
     name: Formatting Check
diff --git a/.github/workflows/clang-format-fix.yml b/.github/workflows/clang-format-fix.yml
index 00d2352..5981118 100644
--- a/.github/workflows/clang-format-fix.yml
+++ b/.github/workflows/clang-format-fix.yml
@@ -11,11 +11,15 @@ name: clang-format Commit Changes
 on:
   workflow_dispatch:
   push:
+permissions:
+  contents: read
 jobs:
   formatting-check:
     name: Commit Format Changes
     runs-on: ubuntu-latest
     if: "!contains(github.event.head_commit.message, 'skip-ci')"
+    permissions:
+      contents: write # In order to allow EndBug/add-and-commit to commit changes
     steps:
     - uses: actions/checkout@v3
     - name: Fix C and Java formatting issues detected by clang-format
diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml
index c21872d..02d8205 100644
--- a/.github/workflows/cmake-ctest.yml
+++ b/.github/workflows/cmake-ctest.yml
@@ -9,6 +9,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel
 jobs:
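Review bot: The new top-level `permissions` block in clang-format-check.yml carries no comment explaining its effect, and the same applies to the read-only blocks added in clang-format-fix.yml, cmake-ctest.yml, codespell.yml, daily-build.yml, hdfeos5.yml, main.yml and tarball.yml. Declaring any `permissions` key at workflow level sets every scope not listed to none for the GITHUB_TOKEN, so a job added later that needs, say, `pull-requests: write` must re-declare it at job level instead of relying on the old default; a one-line comment above each block would save that surprise, e.g. `# Restrict GITHUB_TOKEN to read-only; jobs must opt in to any write scope they need`. The blocks in clang-format-check.yml, clang-format-fix.yml and codespell.yml also sit directly between `on:` and `jobs:` with no surrounding blank line, unlike the other five files; matching the spacing used in cmake-ctest.yml would keep the eight files uniform.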
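Review bot: The job-level `contents: write` in clang-format-fix.yml hands a token that can push to the repository to a job whose actions are pinned only by mutable tag — `actions/checkout@v3` is visible in the hunk, and the comment names `EndBug/add-and-commit`, which runs later in the same job outside this hunk. With a write-scoped token, a moved or hijacked tag would let the action commit under the workflow's identity, so the actions in this job should be pinned to a full commit SHA with the tag kept in a trailing comment. The scope itself is placed correctly: the workflow stays at `contents: read` and only the committing job elevates. The trailing `# In order to allow ...` comment would read better, and stay within line-length limits, as its own line above the job's `permissions:` key.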
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index ddf1038..37294bf 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -3,6 +3,8 @@
 # https://github.com/codespell-project/actions-codespell
 name: codespell
 on: [push, pull_request]
+permissions:
+  contents: read
 jobs:
   codespell:
     name: Check for spelling errors
diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml
index 0e040ca..04e52ac 100644
--- a/.github/workflows/daily-build.yml
+++ b/.github/workflows/daily-build.yml
@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: "6 0 * * *"
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel.
 jobs:
diff --git a/.github/workflows/hdfeos5.yml b/.github/workflows/hdfeos5.yml
index 03c9746..089e8df 100644
--- a/.github/workflows/hdfeos5.yml
+++ b/.github/workflows/hdfeos5.yml
@@ -19,6 +19,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build hdfeos5
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0711d00..8892588 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -20,6 +20,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel. We just have one job, but the matrix items defined below will
 # run in parallel.
diff --git a/.github/workflows/tarball.yml b/.github/workflows/tarball.yml
index 12f3438..e68cb64 100644
--- a/.github/workflows/tarball.yml
+++ b/.github/workflows/tarball.yml
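Review bot: daily-build.yml's new workflow-level `contents: read` also becomes the ceiling for any reusable workflow its jobs call, because a called workflow can only narrow the caller's GITHUB_TOKEN permissions, never widen them; the job list is outside this hunk, but the presence of cmake-ctest.yml and tarball.yml in this same commit suggests such calls exist. If any of those jobs creates a release, pushes a tag or otherwise writes to the repository, that job needs an explicit job-level `permissions:` block here, as clang-format-fix.yml does for its commit job. Because the trigger is the scheduled `- cron: "6 0 * * *"`, a missing scope would surface only as a failed nightly run, so it is worth checking the called jobs before merge. The same rule applies to the `contents: read` blocks added in cmake-ctest.yml and tarball.yml, which cap whatever a caller passes in and cannot be raised from the caller side.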
@@ -11,6 +11,9 @@ on:
         description: "The common base name of the source tarballs"
         value: ${{ jobs.create_tarball.outputs.file_base }}
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or
 # in parallel
 jobs:
-- 
cgit v0.12