From 67a1a9d9f3f64e360d6d68e265a986ecbbd4a951 Mon Sep 17 00:00:00 2001
From: Ashish Kurmi
Date: Sun, 2 Oct 2022 14:25:10 -0700
Subject: [PATCH] ci: add minimum GitHub token permissions for workflows

Signed-off-by: Ashish Kurmi
---
 .github/workflows/header_checks.yml | 12 ++++++++++++
 .github/workflows/main.yml | 6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/.github/workflows/header_checks.yml b/.github/workflows/header_checks.yml
index 063263e935a..6453816a320 100644
--- a/.github/workflows/header_checks.yml
+++ b/.github/workflows/header_checks.yml
@@ -13,8 +13,14 @@ on:
 - 'README.md'
 - 'RELEASE-NOTES.txt'
+permissions:
+ contents: read
+
 jobs:
 windows:
+ permissions:
+ actions: write # for n1hility/cancel-previous-runs to create & stop workflow runs
+ contents: read # for actions/checkout to fetch code
 name: Windows
 runs-on: windows-latest
@@ -47,6 +53,9 @@ jobs:
 run: make -j2 test-headers
 opencl:
+ permissions:
+ actions: write # for n1hility/cancel-previous-runs to create & stop workflow runs
+ contents: read # for actions/checkout to fetch code
 name: OpenCL
 runs-on: ubuntu-latest
@@ -64,6 +73,9 @@ jobs:
 echo "STAN_OPENCL=true" > make/local
 make -j2 test-headers
 no_range_checks:
+ permissions:
+ actions: write # for n1hility/cancel-previous-runs to create & stop workflow runs
+ contents: read # for actions/checkout to fetch code
 name: NoRange
 runs-on: ubuntu-latest
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 94635289116..5efa4756d30 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -12,8 +12,14 @@ on:
 - 'LICENSE.md'
 - 'README.md'
 - 'RELEASE-NOTES.txt'
+permissions:
+ contents: read
+
 jobs:
 prim-rev:
+ permissions:
+ actions: write # for n1hility/cancel-previous-runs to create & stop workflow runs
+ contents: read # for actions/checkout to fetch code
 name: prim and rev tests
 runs-on: windows-latest
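Review bot: The `actions: write` grant on the `windows` job in header_checks.yml, repeated for `opencl` and `no_range_checks` in the later hunks and for `prim-rev` in main.yml, hands a token that can cancel and re-run workflows to the third-party n1hility/cancel-previous-runs step on every run. The `uses:` line for that step is outside these hunks (the job bodies continue past them), so it is not visible whether the action is pinned to a full commit SHA; if it is referenced by tag or branch, pin it. The scope can be dropped altogether by replacing the step with a workflow-level `concurrency:` block, `group: ${{ github.workflow }}-${{ github.ref }}` and `cancel-in-progress: true`, after which each job needs only `contents: read`.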
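Review bot: In main.yml only `prim-rev` receives a job-level `permissions:` block, so every other job in that file now inherits the new top-level `contents: read` and nothing else. The remaining jobs are outside the hunk; if any of them also runs n1hility/cancel-previous-runs or uses the token for another API call, that step will presumably be denied once this lands. Either confirm that no other job needs more, or give each one its own commented block in the same form as `prim-rev`, stating the scope and the step that needs it.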