ci: specify higher permissions on a job level

filecoin-project · Apr 2, 2024 · b3c24ac · b3c24ac
1 parent e78add6
commit b3c24ac
Show file tree

Hide file tree

Showing 8 changed files with 19 additions and 16 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -16,8 +16,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   build:

diff --git a/.github/workflows/builtin-actor-tests.yml b/.github/workflows/builtin-actor-tests.yml
@@ -1,11 +1,15 @@
 name: Built-in Actors
+
 on:
   push:
     paths:
       - build/actors
       - build/builtin_actors_gen.go
     branches:
       - release/*
+
+permissions: {}
+
 jobs:
   release:
     name: Release Tests

diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -16,8 +16,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   check-docsgen:

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -19,8 +19,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   docker:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,9 +17,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  # This enables the workflow to create GitHub releases
-  contents: write
+permissions: {}
 
 jobs:
   build:
@@ -68,6 +66,9 @@ jobs:
             lotus-worker
   release:
     name: Release [publish=${{ startsWith(github.ref, 'refs/tags/') }}]
+    permissions:
+      # This enables the job to create and/or update GitHub releases
+      contents: write
     runs-on: ubuntu-latest
     needs: [build]
     env:

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -4,14 +4,14 @@ on:
   schedule:
   - cron: '0 12 * * *'
 
+permissions: {}
+
 jobs:
   stale:
-
-    runs-on: ubuntu-latest
     permissions:
       issues: write
       pull-requests: write
-
+    runs-on: ubuntu-latest
     steps:
     - uses: actions/stale@v9
       with:

diff --git a/.github/workflows/sync-master-main.yaml b/.github/workflows/sync-master-main.yaml
@@ -1,14 +1,16 @@
 name: sync-master-main
+
 on:
   push:
     branches:
       - master
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   sync:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -16,8 +16,7 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   discover: