Use minimal permissions for CI jobs (#885)

RustCrypto · Apr 3, 2023 · 13385f6 · 13385f6
1 parent 9cba5a5
commit 13385f6
Show file tree

Hide file tree

Showing 14 changed files with 40 additions and 0 deletions.
diff --git a/.github/workflows/blobby.yml b/.github/workflows/blobby.yml
@@ -8,6 +8,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: blobby

diff --git a/.github/workflows/block-buffer.yml b/.github/workflows/block-buffer.yml
@@ -8,6 +8,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: block-buffer

diff --git a/.github/workflows/block-padding.yml b/.github/workflows/block-padding.yml
@@ -8,6 +8,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: block-padding

diff --git a/.github/workflows/cmov.yml b/.github/workflows/cmov.yml
@@ -9,6 +9,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: cmov

diff --git a/.github/workflows/cpufeatures.yml b/.github/workflows/cpufeatures.yml
@@ -8,6 +8,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: cpufeatures

diff --git a/.github/workflows/dbl.yml b/.github/workflows/dbl.yml
@@ -8,6 +8,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: dbl

diff --git a/.github/workflows/fiat-constify.yml b/.github/workflows/fiat-constify.yml
@@ -9,6 +9,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: fiat-constify

diff --git a/.github/workflows/hex-literal.yml b/.github/workflows/hex-literal.yml
@@ -8,6 +8,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: hex-literal

diff --git a/.github/workflows/hybrid-array.yml b/.github/workflows/hybrid-array.yml
@@ -9,6 +9,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: hybrid-array

diff --git a/.github/workflows/inout.yml b/.github/workflows/inout.yml
@@ -8,6 +8,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: inout

diff --git a/.github/workflows/opaque-debug.yml b/.github/workflows/opaque-debug.yml
@@ -8,6 +8,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: opaque-debug

diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
@@ -1,4 +1,5 @@
 name: Security Audit
+
 on:
  pull_request:
  paths: Cargo.lock

diff --git a/.github/workflows/workspace.yml b/.github/workflows/workspace.yml
@@ -9,6 +9,9 @@ on:
  paths-ignore:
  - README.md
 
+permissions:
+ contents: read
+
 jobs:
  clippy:
  runs-on: ubuntu-latest

diff --git a/.github/workflows/zeroize.yml b/.github/workflows/zeroize.yml
@@ -9,6 +9,9 @@ on:
  push:
  branches: master
 
+permissions:
+ contents: read
+
 defaults:
  run:
  working-directory: zeroize