Merge pull request #1161 from step-security-bot/stepsecurity_remediat…

…ion_1664763413 [StepSecurity] ci: Harden GitHub Actions
PyO3 · Oct 3, 2022 · c3ea5d3 · c3ea5d3
2 parents edab499 + 13796ab
commit c3ea5d3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
     tags: [ 'v*' ]
   workflow_dispatch:
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   release-crates-io:
     name: Release crates.io
@@ -267,6 +270,8 @@ jobs:
           echo "::set-output name=env_url::https://pypi.org/project/maturin/$VERSION"
 
   release-github:
+    permissions:
+      contents: write  # for softprops/action-gh-release to create GitHub release
     name: Publish to GitHub releases
     runs-on: ubuntu-latest
     if: "startsWith(github.ref, 'refs/tags/')"

diff --git a/.github/workflows/update-auditwheel.yml b/.github/workflows/update-auditwheel.yml
@@ -6,8 +6,14 @@ on:
     # Run every week
     - cron: '0 0 * * 0'
 
+permissions:  # added using https://github.com/step-security/secure-workflows
+  contents: read
+
 jobs:
   update:
+    permissions:
+      contents: write  # for peter-evans/create-pull-request to create branch
+      pull-requests: write  # for peter-evans/create-pull-request to create a PR
     name: Update auditwheel policies
     runs-on: ubuntu-latest
     steps: