From e215a77c7481aa0eafcbb848de18376702088bd9 Mon Sep 17 00:00:00 2001
From: Jean-Christophe Morin <38703886+JeanChristopheMorinPerso@users.noreply.github.com>
Date: Sat, 29 Jun 2024 11:27:41 -0400
Subject: [PATCH] Restrict permissions in GHA workflows (#1782)

Signed-off-by: Jean-Christophe Morin
---
 .github/workflows/benchmark.yaml | 3 +++
 .github/workflows/copyright.yaml | 3 +++
 .github/workflows/flake8.yaml | 3 +++
 .github/workflows/installation.yaml | 3 +++
 .github/workflows/pypi.yaml | 5 +++++
 .github/workflows/release-notice.yaml | 3 +++
 .github/workflows/tests.yaml | 3 +++
 7 files changed, 23 insertions(+)

diff --git a/.github/workflows/benchmark.yaml b/.github/workflows/benchmark.yaml
index c8612561d..cbdec3b36 100644
--- a/.github/workflows/benchmark.yaml
+++ b/.github/workflows/benchmark.yaml
@@ -8,6 +8,9 @@ on:
 pull_request:
 types: [opened, synchronize, reopened, labeled]
+permissions:
+ contents: read
+
 jobs:
 run_benchmark:
 name: run_benchmark
diff --git a/.github/workflows/copyright.yaml b/.github/workflows/copyright.yaml
index 6aac610e1..641753a07 100644
--- a/.github/workflows/copyright.yaml
+++ b/.github/workflows/copyright.yaml
@@ -10,6 +10,9 @@ on:
 - '!**.md'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 main:
 name: Enforce copyright notices
diff --git a/.github/workflows/flake8.yaml b/.github/workflows/flake8.yaml
index f397a86fc..b0eabda88 100644
--- a/.github/workflows/flake8.yaml
+++ b/.github/workflows/flake8.yaml
@@ -19,6 +19,9 @@ on:
 - '!src/rez/vendor/**'
 - '!src/rez/backport/**'
+permissions:
+ contents: read
+
 jobs:
 lint:
 name: Run Linter
diff --git a/.github/workflows/installation.yaml b/.github/workflows/installation.yaml
index b820be984..577fb28b8 100644
--- a/.github/workflows/installation.yaml
+++ b/.github/workflows/installation.yaml
@@ -22,6 +22,9 @@ on:
 - '!**.md'
 workflow_dispatch:
+permissions:
+ contents: read
+
 jobs:
 main:
 name: ${{ matrix.os }} - ${{ matrix.python-version }} - ${{ matrix.method }}
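Review bot: A workflow-level `permissions:` block sets every scope it does not list to `none` for every job, so `contents: read` here will break any job in benchmark.yaml that needs to write back (a step that comments benchmark results on the pull request or pushes them into the repository would start failing with a 403), and the same question applies to the copyright, flake8, installation, release-notice and tests hunks. The `pull_request` trigger with `types: [..., labeled]` hints at label-gated runs, but every job body lies outside these hunks, so which jobs, if any, need more than read access cannot be confirmed from the diff. Any such job should widen its own job-level block, `permissions:` / `  contents: read` / `  pull-requests: write`, rather than the workflow default. A one-line comment above the new block, `# Default for every job in this workflow; grant anything more at job level`, would record that intent for the next editor.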
diff --git a/.github/workflows/pypi.yaml b/.github/workflows/pypi.yaml
index a438aaf05..77593e949 100644
--- a/.github/workflows/pypi.yaml
+++ b/.github/workflows/pypi.yaml
@@ -3,6 +3,9 @@ on:
 release:
 types: [released]
+permissions:
+ contents: read
+
 jobs:
 publish:
 name: Publish to PyPI
@@ -11,6 +14,8 @@ jobs:
 permissions:
 # IMPORTANT: this permission is mandatory for trusted publishing
 id-token: write
+ # Not sure if it's needed here since it's defined at the top level.
+ contents: read
 steps:
 - name: Checkout
diff --git a/.github/workflows/release-notice.yaml b/.github/workflows/release-notice.yaml
index a0184b6e3..60056a71b 100644
--- a/.github/workflows/release-notice.yaml
+++ b/.github/workflows/release-notice.yaml
@@ -6,6 +6,9 @@ on:
 # published should cover both 'released' and 'prereleased'
 - published
+permissions:
+ contents: read
+
 jobs:
 publish:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 31c04183b..3df775505 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -26,6 +26,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
+permissions:
+ contents: read
+
 jobs:
 core:
 name: Tests
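Review bot: The added comment in the second pypi.yaml hunk leaves open a question that has a definite answer: a job-level `permissions:` key replaces the workflow-level block instead of merging with it, so a job that lists only `id-token: write` gets `contents: none` for its token, and the `Checkout` step visible below would lose read access. The `contents: read` line is therefore required, not optional, and the comment should say so: `# Job-level permissions replace (do not merge with) the workflow-level block,` / `# so contents: read must be repeated here for the Checkout step.` The enclosing `publish` job begins before this hunk, so I cannot see whether other steps rely on further scopes.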