From 13385f64b2d38bf9c0bc908e577c9f9c9b5b84d9 Mon Sep 17 00:00:00 2001
From: Artyom Pavlov
Date: Mon, 3 Apr 2023 19:01:58 +0000
Subject: [PATCH] Use minimal permissions for CI jobs (#885)
---
 .github/workflows/blobby.yml | 3 +++
 .github/workflows/block-buffer.yml | 3 +++
 .github/workflows/block-padding.yml | 3 +++
 .github/workflows/cmov.yml | 3 +++
 .github/workflows/cpufeatures.yml | 3 +++
 .github/workflows/dbl.yml | 3 +++
 .github/workflows/fiat-constify.yml | 3 +++
 .github/workflows/hex-literal.yml | 3 +++
 .github/workflows/hybrid-array.yml | 3 +++
 .github/workflows/inout.yml | 3 +++
 .github/workflows/opaque-debug.yml | 3 +++
 .github/workflows/security-audit.yml | 1 +
 .github/workflows/workspace.yml | 3 +++
 .github/workflows/zeroize.yml | 3 +++
 14 files changed, 40 insertions(+)
diff --git a/.github/workflows/blobby.yml b/.github/workflows/blobby.yml
index b7407895..eac18c91 100644
--- a/.github/workflows/blobby.yml
+++ b/.github/workflows/blobby.yml
@@ -8,6 +8,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: blobby
diff --git a/.github/workflows/block-buffer.yml b/.github/workflows/block-buffer.yml
index 73cfe835..b5d10e59 100644
--- a/.github/workflows/block-buffer.yml
+++ b/.github/workflows/block-buffer.yml
@@ -8,6 +8,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: block-buffer
diff --git a/.github/workflows/block-padding.yml b/.github/workflows/block-padding.yml
index 2160c150..55cd3412 100644
--- a/.github/workflows/block-padding.yml
+++ b/.github/workflows/block-padding.yml
@@ -8,6 +8,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: block-padding
diff --git a/.github/workflows/cmov.yml b/.github/workflows/cmov.yml
index b2f67ad5..7f107cfe 100644
--- a/.github/workflows/cmov.yml
+++ b/.github/workflows/cmov.yml
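Review bot: The workflow-level `permissions: contents: read` inserted after `branches: master` restricts the automatic GITHUB_TOKEN for every job in blobby.yml, but security-audit.yml is the one file in this patch that does not receive it — its hunk adds only a blank line after `name: Security Audit` (diffstat `1 +`), so that workflow keeps the repository's default token grants unless a job-level `permissions:` block exists outside the hunk. If its job genuinely needs a write scope, the narrower form is to keep `contents: read` at the top and grant the extra scope on that job alone, e.g. `permissions: { contents: read, issues: write }` under `jobs.<id>`, rather than leaving the top level unset. The same job-level override pattern applies to the identical hunks in block-buffer, block-padding, cmov, cpufeatures, dbl, fiat-constify, hex-literal, hybrid-array, inout, opaque-debug, workspace (whose `clippy` job is visible in the context lines) and zeroize, should any of their jobs turn out to need `checks: write` or similar. This key constrains only the automatic token; steps that authenticate with a stored secret are unaffected, so it complements rather than replaces pinning third-party actions to a commit SHA.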
@@ -9,6 +9,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: cmov
diff --git a/.github/workflows/cpufeatures.yml b/.github/workflows/cpufeatures.yml
index 1161033e..936e8d41 100644
--- a/.github/workflows/cpufeatures.yml
+++ b/.github/workflows/cpufeatures.yml
@@ -8,6 +8,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: cpufeatures
diff --git a/.github/workflows/dbl.yml b/.github/workflows/dbl.yml
index c470862d..1b75b3aa 100644
--- a/.github/workflows/dbl.yml
+++ b/.github/workflows/dbl.yml
@@ -8,6 +8,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: dbl
diff --git a/.github/workflows/fiat-constify.yml b/.github/workflows/fiat-constify.yml
index 8e4cfe11..79904b24 100644
--- a/.github/workflows/fiat-constify.yml
+++ b/.github/workflows/fiat-constify.yml
@@ -9,6 +9,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: fiat-constify
diff --git a/.github/workflows/hex-literal.yml b/.github/workflows/hex-literal.yml
index dc77aeb2..12a03c08 100644
--- a/.github/workflows/hex-literal.yml
+++ b/.github/workflows/hex-literal.yml
@@ -8,6 +8,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: hex-literal
diff --git a/.github/workflows/hybrid-array.yml b/.github/workflows/hybrid-array.yml
index ae98cefb..46fe7c30 100644
--- a/.github/workflows/hybrid-array.yml
+++ b/.github/workflows/hybrid-array.yml
@@ -9,6 +9,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: hybrid-array
diff --git a/.github/workflows/inout.yml b/.github/workflows/inout.yml
index 6412ccdb..d8da0436 100644
--- a/.github/workflows/inout.yml
+++ b/.github/workflows/inout.yml
@@ -8,6 +8,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: inout
diff --git a/.github/workflows/opaque-debug.yml b/.github/workflows/opaque-debug.yml
index 12a6664d..dfb4b660 100644
--- a/.github/workflows/opaque-debug.yml
+++ b/.github/workflows/opaque-debug.yml
@@ -8,6 +8,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: opaque-debug
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index 6bc14e9e..215d0547 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -1,4 +1,5 @@ name: Security Audit + on: pull_request: paths: Cargo.lock
diff --git a/.github/workflows/workspace.yml b/.github/workflows/workspace.yml
index f8e79b03..80c32293 100644
--- a/.github/workflows/workspace.yml
+++ b/.github/workflows/workspace.yml
@@ -9,6 +9,9 @@ on: paths-ignore: - README.md +permissions: + contents: read + jobs: clippy: runs-on: ubuntu-latest
diff --git a/.github/workflows/zeroize.yml b/.github/workflows/zeroize.yml
index 21ffdea1..7f69a611 100644
--- a/.github/workflows/zeroize.yml
+++ b/.github/workflows/zeroize.yml
@@ -9,6 +9,9 @@ on: push: branches: master +permissions: + contents: read + defaults: run: working-directory: zeroize