From cf1271889a61ac969a2b6fc0410718582bf171fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20St=C3=B6neberg?=
Date: Fri, 26 Aug 2022 23:25:07 +0200
Subject: [PATCH] reduced permissions of GitHub actions (#4403)
---
 .github/workflows/CI-cygwin.yml | 3 +++
 .github/workflows/CI-mingw.yml | 3 +++
 .github/workflows/CI-unixish-docker.yml | 3 +++
 .github/workflows/CI-unixish.yml | 3 +++
 .github/workflows/CI-windows.yml | 3 +++
 .github/workflows/asan.yml | 3 +++
 .github/workflows/buildman.yml | 3 +++
 .github/workflows/clang-tidy.yml | 3 +++
 .github/workflows/codeql-analysis.yml | 3 +++
 .github/workflows/coverage.yml | 3 +++
 .github/workflows/format.yml | 3 +++
 .github/workflows/iwyu.yml | 3 +++
 .github/workflows/release-windows.yml | 3 +++
 .github/workflows/scriptcheck.yml | 3 +++
 .github/workflows/selfcheck.yml | 3 +++
 .github/workflows/tsan.yml | 3 +++
 .github/workflows/ubsan.yml | 3 +++
 .github/workflows/valgrind.yml | 3 +++
 18 files changed, 54 insertions(+)
diff --git a/.github/workflows/CI-cygwin.yml b/.github/workflows/CI-cygwin.yml
index c9f56bab0..438a753b3 100644
--- a/.github/workflows/CI-cygwin.yml
+++ b/.github/workflows/CI-cygwin.yml
@@ -6,6 +6,9 @@ name: CI-cygwin
 on: [push,pull_request]
+permissions:
+ contents: read
+
 defaults:
 run:
 shell: cmd
diff --git a/.github/workflows/CI-mingw.yml b/.github/workflows/CI-mingw.yml
index 87ace921e..685545977 100644
--- a/.github/workflows/CI-mingw.yml
+++ b/.github/workflows/CI-mingw.yml
@@ -6,6 +6,9 @@ name: CI-mingw
 on: [push,pull_request]
+permissions:
+ contents: read
+
 defaults:
 run:
 shell: cmd
diff --git a/.github/workflows/CI-unixish-docker.yml b/.github/workflows/CI-unixish-docker.yml
index d87ac3c59..239d264fc 100644
--- a/.github/workflows/CI-unixish-docker.yml
+++ b/.github/workflows/CI-unixish-docker.yml
@@ -4,6 +4,9 @@ name: CI-unixish-docker
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/CI-unixish.yml b/.github/workflows/CI-unixish.yml
index 1e8a830ea..90f76c864 100644
--- a/.github/workflows/CI-unixish.yml
+++ b/.github/workflows/CI-unixish.yml
@@ -4,6 +4,9 @@ name: CI-unixish
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/CI-windows.yml b/.github/workflows/CI-windows.yml
index 29515d536..8b8ae71cc 100644
--- a/.github/workflows/CI-windows.yml
+++ b/.github/workflows/CI-windows.yml
@@ -6,6 +6,9 @@ name: CI-windows
 on: [push,pull_request]
+permissions:
+ contents: read
+
 defaults:
 run:
 shell: cmd
diff --git a/.github/workflows/asan.yml b/.github/workflows/asan.yml
index 2aebeb5cc..7a4ccd9c3 100644
--- a/.github/workflows/asan.yml
+++ b/.github/workflows/asan.yml
@@ -4,6 +4,9 @@ name: address sanitizer
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/buildman.yml b/.github/workflows/buildman.yml
index dfaf31384..3a6afc33d 100644
--- a/.github/workflows/buildman.yml
+++ b/.github/workflows/buildman.yml
@@ -2,6 +2,9 @@ name: Build manual
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 convert_via_pandoc:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/clang-tidy.yml b/.github/workflows/clang-tidy.yml
index a0bfe9290..87c819619 100644
--- a/.github/workflows/clang-tidy.yml
+++ b/.github/workflows/clang-tidy.yml
@@ -4,6 +4,9 @@ name: clang-tidy
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index a1a69e6c1..49602b944 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -2,6 +2,9 @@ name: "CodeQL"
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 67828acfb..922a3a86d 100644
--- a/.github/workflows/coverage.yml
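Review bot: The new top-level `contents: read` in codeql-analysis.yml also caps the token used by the `analyze` job, and the CodeQL upload step (`github/codeql-action/analyze`) needs `security-events: write` to publish SARIF results, so on `push` runs that upload will fail with a permission error unless the job grants the scope itself. The hunk ends at `name: Analyze`, so I cannot see whether a job-level `permissions:` block already exists; if it does not, add one under `analyze` such as `permissions: { actions: read, contents: read, security-events: write }` so the workflow default stays read-only and only this job gets the write scope. The `analyze` job body continues outside the hunk.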
+++ b/.github/workflows/coverage.yml
@@ -4,6 +4,9 @@ name: Coverage
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 383810205..3b8d1a557 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -4,6 +4,9 @@ name: format
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/iwyu.yml b/.github/workflows/iwyu.yml
index f87f21ee4..080c8a8e4 100644
--- a/.github/workflows/iwyu.yml
+++ b/.github/workflows/iwyu.yml
@@ -4,6 +4,9 @@ name: include-what-you-use
 on: workflow_dispatch
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml
index bb7f28a04..bb0816634 100644
--- a/.github/workflows/release-windows.yml
+++ b/.github/workflows/release-windows.yml
@@ -12,6 +12,9 @@ on:
 - cron: '0 0 * * *'
 workflow_dispatch:
+ permissions:
+ contents: read
+
 defaults:
 run:
 shell: cmd
diff --git a/.github/workflows/scriptcheck.yml b/.github/workflows/scriptcheck.yml
index 02cb11696..939bb57ff 100644
--- a/.github/workflows/scriptcheck.yml
+++ b/.github/workflows/scriptcheck.yml
@@ -4,6 +4,9 @@ name: scriptcheck
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/selfcheck.yml b/.github/workflows/selfcheck.yml
index 7ee56c835..3acb541b4 100644
--- a/.github/workflows/selfcheck.yml
+++ b/.github/workflows/selfcheck.yml
@@ -4,6 +4,9 @@ name: selfcheck
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/tsan.yml b/.github/workflows/tsan.yml
index 8b1f6451d..fc5e33a53 100644
--- a/.github/workflows/tsan.yml
+++ b/.github/workflows/tsan.yml
@@ -4,6 +4,9 @@ name: thread sanitizer
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
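Review bot: The added `permissions:` line in release-windows.yml appears to be indented (`+ permissions:`, while every other file in this patch adds `+permissions:` at column 0), which would place it inside the `on:` mapping right after `workflow_dispatch:` instead of at the top level; a `permissions` key nested under `on:` is not a trigger and would either be rejected when the workflow is parsed or silently ignored, so this workflow's token would keep the default scopes. The collapsed diff makes indentation hard to confirm, so check the file and dedent the block to column 0: `permissions:` / `  contents: read`. Given its cron trigger and name, this looks like the one workflow in the set that runs unattended on a schedule, so it is the one where an un-narrowed token matters most.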
diff --git a/.github/workflows/ubsan.yml b/.github/workflows/ubsan.yml
index bf9b94389..9214e7d53 100644
--- a/.github/workflows/ubsan.yml
+++ b/.github/workflows/ubsan.yml
@@ -4,6 +4,9 @@ name: undefined behaviour sanitizers
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/valgrind.yml b/.github/workflows/valgrind.yml
index 70e59d84f..62c9f73b9 100644
--- a/.github/workflows/valgrind.yml
+++ b/.github/workflows/valgrind.yml
@@ -5,6 +5,9 @@ name: valgrind
 # on: [push, pull_request]
 on: workflow_dispatch
+permissions:
+ contents: read
+
 jobs:
 build: