CI: Setup permissions for workflows.

2024-06-18 05:35:01 +02:00 · 2023-01-17 11:29:54 +01:00 · 2023-01-17 11:29:54 +01:00 · a8ffcfa156
parent d8927601be
commit a8ffcfa156
10 changed files with 34 additions and 0 deletions
--- a/.github/workflows/check-continentmap.yml
+++ b/.github/workflows/check-continentmap.yml
@ -4,6 +4,9 @@ on:
  schedule:
    - cron: "0 2 * * SUN"

+permissions:
+  contents: read
+
 jobs:
  check:
    runs-on: ubuntu-latest
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -16,6 +16,9 @@ on:
  schedule:
    - cron: '28 2 * * 5'

+permissions:
+  contents: read
+
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/command-rebase.yml
+++ b/.github/workflows/command-rebase.yml
@ -9,9 +9,14 @@ on:
  issue_comment:
    types: created

+permissions:
+  contents: read
+
 jobs:
  rebase:
    runs-on: ubuntu-latest
+    permissions:
+      contents: none

    # On pull requests and if the comment starts with `/rebase`
    if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')
--- a/.github/workflows/deploydocker.yml
+++ b/.github/workflows/deploydocker.yml
@ -8,6 +8,9 @@ on:
    tags:
      - "v*.*.*"

+permissions:
+  contents: read
+
 jobs:
  server:
    runs-on: ubuntu-latest
--- a/.github/workflows/docker-compose.yml
+++ b/.github/workflows/docker-compose.yml
@ -12,6 +12,9 @@ on:
      - '.github/workflows/docker-compose.yml'
      - 'docker-compose.yml'

+permissions:
+  contents: read
+
 jobs:
  pull:
    runs-on: ubuntu-latest
--- a/.github/workflows/docker-janus.yml
+++ b/.github/workflows/docker-janus.yml
@ -12,6 +12,9 @@ on:
      - '.github/workflows/docker-janus.yml'
      - 'docker/janus/Dockerfile'

+permissions:
+  contents: read
+
 jobs:
  build:
    runs-on: ubuntu-latest
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -6,6 +6,9 @@ on:
  push:
    branches: [ master ]

+permissions:
+  contents: read
+
 jobs:
  server:
    runs-on: ubuntu-latest
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -14,6 +14,9 @@ on:
      - '**.go'
      - 'go.*'

+permissions:
+  contents: read
+
 jobs:
  lint:
    name: golang
--- a/.github/workflows/tarball.yml
+++ b/.github/workflows/tarball.yml
@ -16,6 +16,9 @@ on:
      - 'go.*'
      - 'Makefile'

+permissions:
+  contents: read
+
 jobs:
  create:
    strategy:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -16,6 +16,9 @@ on:
      - 'go.*'
      - 'Makefile'

+permissions:
+  contents: read
+
 jobs:
  go:
    env:
@ -87,6 +90,8 @@ jobs:
        parallel: true

  finish:
+    permissions:
+      contents: none
    needs: go
    runs-on: ubuntu-latest
    steps: