From a8ffcfa1568961a1d47006e10158016f2617e4aa Mon Sep 17 00:00:00 2001
From: Joachim Bauch
Date: Tue, 17 Jan 2023 11:29:54 +0100
Subject: [PATCH] CI: Setup permissions for workflows.

---
 .github/workflows/check-continentmap.yml | 3 +++
 .github/workflows/codeql-analysis.yml | 3 +++
 .github/workflows/command-rebase.yml | 5 +++++
 .github/workflows/deploydocker.yml | 3 +++
 .github/workflows/docker-compose.yml | 3 +++
 .github/workflows/docker-janus.yml | 3 +++
 .github/workflows/docker.yml | 3 +++
 .github/workflows/lint.yml | 3 +++
 .github/workflows/tarball.yml | 3 +++
 .github/workflows/test.yml | 5 +++++
 10 files changed, 34 insertions(+)

diff --git a/.github/workflows/check-continentmap.yml b/.github/workflows/check-continentmap.yml
index 7c3c833..b685289 100644
--- a/.github/workflows/check-continentmap.yml
+++ b/.github/workflows/check-continentmap.yml
@@ -4,6 +4,9 @@ on:
 schedule:
 - cron: "0 2 * * SUN"

+permissions:
+ contents: read
+
 jobs:
 check:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 960539c..f8f50bf 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -16,6 +16,9 @@ on:
 schedule:
 - cron: '28 2 * * 5'

+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/command-rebase.yml b/.github/workflows/command-rebase.yml
index 05caa87..4df2ab2 100644
--- a/.github/workflows/command-rebase.yml
+++ b/.github/workflows/command-rebase.yml
@@ -9,9 +9,14 @@ on:
 issue_comment:
 types: created

+permissions:
+ contents: read
+
 jobs:
 rebase:
 runs-on: ubuntu-latest
+ permissions:
+ contents: none
 # On pull requests and if the comment starts with `/rebase`
 if: github.event.issue.pull_request != '' && startsWith(github.event.comment.body, '/rebase')

diff --git a/.github/workflows/deploydocker.yml b/.github/workflows/deploydocker.yml
index 10496ca..acbd85c 100644
--- a/.github/workflows/deploydocker.yml
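Review bot: In codeql-analysis.yml the new workflow-level `permissions: contents: read` drops the `security-events: write` scope that `github/codeql-action/analyze` needs to upload its SARIF results with `GITHUB_TOKEN`, so unless the `analyze` job (whose body lies outside this hunk) declares its own `permissions` block, the upload step will presumably start failing with a 403 on the next push or scheduled run. The fix is a job-level grant under `analyze:` rather than widening the workflow default: `permissions:` / `  contents: read` / `  security-events: write`. On a private repository the action also wants `actions: read` for workflow metadata, so add that there if it applies.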
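Review bot: In command-rebase.yml the job-level `contents: none` leaves `rebase` with a `GITHUB_TOKEN` that cannot push to the repository (and on a private repository cannot read it either), so every step of that job, which lies outside this hunk, including any `actions/checkout`, must authenticate with a separately stored token or the job breaks on the next `/rebase` comment; that choice deserves a comment above the block, e.g. `# GITHUB_TOKEN is deliberately unusable here; the rebase pushes with a dedicated token that can write to the PR branch`. That other credential is also the one to scrutinise, because `issue_comment` fires for any account able to comment and the `if:` condition only inspects the comment text, not `github.event.comment.author_association`, so whoever can write `/rebase` on a pull request can drive whatever token the job does use.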
+++ b/.github/workflows/deploydocker.yml
@@ -8,6 +8,9 @@ on:
 tags:
 - "v*.*.*"

+permissions:
+ contents: read
+
 jobs:
 server:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docker-compose.yml b/.github/workflows/docker-compose.yml
index aaad7ae..a19a634 100644
--- a/.github/workflows/docker-compose.yml
+++ b/.github/workflows/docker-compose.yml
@@ -12,6 +12,9 @@ on:
 - '.github/workflows/docker-compose.yml'
 - 'docker-compose.yml'

+permissions:
+ contents: read
+
 jobs:
 pull:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docker-janus.yml b/.github/workflows/docker-janus.yml
index c7e01c9..b7c5d5f 100644
--- a/.github/workflows/docker-janus.yml
+++ b/.github/workflows/docker-janus.yml
@@ -12,6 +12,9 @@ on:
 - '.github/workflows/docker-janus.yml'
 - 'docker/janus/Dockerfile'

+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 275b06f..78212a2 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -6,6 +6,9 @@ on:
 push:
 branches: [ master ]

+permissions:
+ contents: read
+
 jobs:
 server:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 33a55e7..c9921f8 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -14,6 +14,9 @@ on:
 - '**.go'
 - 'go.*'

+permissions:
+ contents: read
+
 jobs:
 lint:
 name: golang
diff --git a/.github/workflows/tarball.yml b/.github/workflows/tarball.yml
index d1ccf91..ffab7a0 100644
--- a/.github/workflows/tarball.yml
+++ b/.github/workflows/tarball.yml
@@ -16,6 +16,9 @@ on:
 - 'go.*'
 - 'Makefile'

+permissions:
+ contents: read
+
 jobs:
 create:
 strategy:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7deb177..740c150 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,6 +16,9 @@ on:
 - 'go.*'
 - 'Makefile'

+permissions:
+ contents: read
+
 jobs:
 go:
 env:
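Review bot: In deploydocker.yml the workflow-level `contents: read` is the right default for a build, but this workflow runs on `v*.*.*` tags and its `server` job (outside this hunk) is presumably the one that pushes release images; if that push goes to `ghcr.io` with `GITHUB_TOKEN`, the job now also needs `packages: write`, granted on the job rather than the workflow: `permissions:` / `  contents: read` / `  packages: write`. If it logs in with registry credentials from `secrets` instead, nothing breaks and the narrower default is correct, but a one-line comment above the job saying which credential is used would make that visible to the next person tightening permissions. The same question applies to the `server` job in docker.yml further down.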
@@ -87,6 +90,8 @@ jobs:
 parallel: true

 finish:
+ permissions:
+ contents: none
 needs: go
 runs-on: ubuntu-latest
 steps:
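Review bot: `contents: none` on `finish` only holds if the steps of that job, which lie outside the hunk, need no scope at all from `GITHUB_TOKEN`; the `parallel: true` context line suggests the job closes a parallel coverage build, and such a step usually passes `${{ secrets.GITHUB_TOKEN }}` merely to identify the run, but if it also comments on the pull request it would now need `pull-requests: write` here. Worth confirming on the next pull-request run from a fork, where the token is most restricted, and documenting the intent above the block: `# No repository access needed: this job only finalises the parallel coverage build`.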