From 3ca4faceb5479a81f98a6e519886b22871eecf28 Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht Date: Mon, 10 Apr 2023 21:16:20 +0000 Subject: [PATCH 1/2] Add top-level read-only token permissions Signed-off-by: Pedro Kaj Kjellerup Nacht --- .github/workflows/apidiff.yaml | 5 ++++- .github/workflows/assign.yaml | 3 +++ .github/workflows/lint.yaml | 5 ++++- .github/workflows/tests.yaml | 29 ++++++++++++++++------------- 4 files changed, 27 insertions(+), 15 deletions(-) diff --git a/.github/workflows/apidiff.yaml b/.github/workflows/apidiff.yaml index a76a30c..1233fb0 100644 --- a/.github/workflows/apidiff.yaml +++ b/.github/workflows/apidiff.yaml @@ -1,6 +1,9 @@ name: Run apidiff -on: [ pull_request ] +on: [pull_request] + +permissions: + contents: read jobs: apidiff: diff --git a/.github/workflows/assign.yaml b/.github/workflows/assign.yaml index e1bfb97..cdf6f15 100644 --- a/.github/workflows/assign.yaml +++ b/.github/workflows/assign.yaml @@ -6,6 +6,9 @@ on: pull_request_target: types: [opened, reopened] +permissions: + contents: read + jobs: assign: runs-on: ubuntu-latest diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index c46cb8b..74a4d11 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,6 +1,9 @@ name: Run lint -on: [ push, pull_request ] +on: [push, pull_request] + +permissions: + contents: read jobs: lint: diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index 2b7f2b5..d126821 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml 
@@ -1,22 +1,25 @@ name: Run tests -on: [ push, pull_request ] +on: [push, pull_request] + +permissions: + contents: read jobs: test: strategy: matrix: - version: [ '1.15', '1.16', '1.17', '1.18' ] - platform: [ ubuntu-latest, macos-latest, windows-latest ] + version: ["1.15", "1.16", "1.17", "1.18"] + platform: [ubuntu-latest, macos-latest, windows-latest] runs-on: ${{ matrix.platform }} steps: - - name: Install Go - uses: actions/setup-go@v2 - with: - go-version: ${{ matrix.version }} - - name: Checkout code - uses: actions/checkout@v2 - - name: Build - run: go build -v ./... - - name: Test - run: go test -v -race ./... + - name: Install Go + uses: actions/setup-go@v2 + with: + go-version: ${{ matrix.version }} + - name: Checkout code + uses: actions/checkout@v2 + - name: Build + run: go build -v ./... + - name: Test + run: go test -v -race ./... From b496ce5f8ead5ff2f71a926aedd033c07f68cbee Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht Date: Mon, 10 Apr 2023 21:21:16 +0000 Subject: [PATCH 2/2] Add write permissions to assign.yaml Signed-off-by: Pedro Kaj Kjellerup Nacht --- .github/workflows/apidiff.yaml | 2 +- .github/workflows/assign.yaml | 3 +++ .github/workflows/lint.yaml | 2 +- .github/workflows/tests.yaml | 26 +++++++++++++------------- 4 files changed, 18 insertions(+), 15 deletions(-) diff --git a/.github/workflows/apidiff.yaml b/.github/workflows/apidiff.yaml index 1233fb0..bc5dc34 100644 --- a/.github/workflows/apidiff.yaml +++ b/.github/workflows/apidiff.yaml @@ -1,6 +1,6 @@ name: Run apidiff -on: [pull_request] +on: [ pull_request ] permissions: contents: read diff --git a/.github/workflows/assign.yaml b/.github/workflows/assign.yaml index cdf6f15..4a33f54 100644 --- a/.github/workflows/assign.yaml +++ b/.github/workflows/assign.yaml @@ -12,6 +12,9 @@ permissions: jobs: assign: runs-on: ubuntu-latest + permissions: + issues: write + pull-requests: write steps: - uses: actions/github-script@v6 with: 
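Review bot: The `uses:` lines on the new side of this tests.yaml hunk still reference actions by mutable tag (`actions/setup-go@v2`, `actions/checkout@v2`), so the read-only token limits what a compromised action can do but not which code runs. Pin each to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v2` (placeholder; take the SHA from the action's release page). The same applies to these lines in the tests.yaml hunk of PATCH 2/2, and to `actions/github-script@v6`, shown as context in assign.yaml, where it matters more because that job receives a write-scoped token. Since the build and test steps never push, `persist-credentials: false` under a `with:` key on the checkout step would also keep the token out of the workspace's git config.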
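Review bot: The job-level `permissions:` block added under `assign:` in PATCH 2/2 needs a comment, because it grants `issues: write` and `pull-requests: write` to a workflow triggered by `pull_request_target`, where the token keeps those scopes even for pull requests from forks. Something like `# pull_request_target: write token is available to fork PRs; this job must never check out or run PR head code` above the block would record the invariant that keeps this safe. A job-level block also replaces the workflow-level one rather than extending it, so `contents` is none for this job; that looks intended for a script-only job, but the `steps:` list continues outside the hunk and the script body is not visible. If the script only adds an assignee, one of the two write scopes may be enough, which is worth confirming against the script.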
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 74a4d11..b5bb027 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -1,6 +1,6 @@ name: Run lint -on: [push, pull_request] +on: [ push, pull_request ] permissions: contents: read diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml index d126821..567e76d 100644 --- a/.github/workflows/tests.yaml +++ b/.github/workflows/tests.yaml @@ -1,6 +1,6 @@ name: Run tests -on: [push, pull_request] +on: [ push, pull_request ] permissions: contents: read @@ -9,17 +9,17 @@ jobs: test: strategy: matrix: - version: ["1.15", "1.16", "1.17", "1.18"] - platform: [ubuntu-latest, macos-latest, windows-latest] + version: [ '1.15', '1.16', '1.17', '1.18' ] + platform: [ ubuntu-latest, macos-latest, windows-latest ] runs-on: ${{ matrix.platform }} steps: - - name: Install Go - uses: actions/setup-go@v2 - with: - go-version: ${{ matrix.version }} - - name: Checkout code - uses: actions/checkout@v2 - - name: Build - run: go build -v ./... - - name: Test - run: go test -v -race ./... + - name: Install Go + uses: actions/setup-go@v2 + with: + go-version: ${{ matrix.version }} + - name: Checkout code + uses: actions/checkout@v2 + - name: Build + run: go build -v ./... + - name: Test + run: go test -v -race ./...