From 393799a0c916cd525f98996a73de23fa86227f11 Mon Sep 17 00:00:00 2001
From: Carl Zhang
Date: Thu, 8 Feb 2024 00:41:17 -0500
Subject: [PATCH] ci:harden permissions for all github workflows
Signed-off-by: Carl Zhang
---
 .github/workflows/docs.yml | 3 +++
 .github/workflows/freebsd.yml | 3 +++
 .github/workflows/ghpages.yml | 3 +++
 .github/workflows/style.yml | 3 +++
 .github/workflows/ubuntu.yml | 3 +++
 .github/workflows/windows.yml | 3 +++
 6 files changed, 18 insertions(+)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index c9d324892..f826f5500 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,5 +1,8 @@
 name: docs
+permissions:
+ contents: read
+
 on:
 push:
 paths-ignore:
diff --git a/.github/workflows/freebsd.yml b/.github/workflows/freebsd.yml
index 8b68f561b..fadd66220 100644
--- a/.github/workflows/freebsd.yml
+++ b/.github/workflows/freebsd.yml
@@ -1,5 +1,8 @@
 name: freebsd
+permissions:
+ contents: read
+
 on: [push, pull_request]
 jobs:
diff --git a/.github/workflows/ghpages.yml b/.github/workflows/ghpages.yml
index 28afcd594..b47efe6b1 100644
--- a/.github/workflows/ghpages.yml
+++ b/.github/workflows/ghpages.yml
@@ -1,5 +1,8 @@
 name: Deploy Docs to GitHub
+permissions:
+ contents: read
+
 on:
 release:
 types: [published]
diff --git a/.github/workflows/style.yml b/.github/workflows/style.yml
index 4865a7b7f..71b76089c 100644
--- a/.github/workflows/style.yml
+++ b/.github/workflows/style.yml
@@ -1,5 +1,8 @@
 name: style
+permissions:
+ contents: read
+
 on: [push, pull_request]
 jobs:
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 7cfc156f3..f81a204ab 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -1,5 +1,8 @@
 name: ubuntu
+permissions:
+ contents: read
+
 on: [push, pull_request]
 env:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 3a044b864..df3ce5679 100644
--- a/.github/workflows/windows.yml
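Review bot: The workflow-level `permissions:` / `contents: read` added to `.github/workflows/ghpages.yml` also caps the token of the job that deploys the docs on `release: published`, and that job lies outside the hunk. If it publishes with `GITHUB_TOKEN`, it needs an override on the deploy job only: `contents: write` for a push to a pages branch, or `pages: write` plus `id-token: write` for the Pages deployment API. The read-only default should stay at the top of the file. If the job uses a separate deploy key or token the restriction is harmless, but a release-triggered workflow does not run on the pull request, so a failure here would only show up at the next release. The other five workflows trigger on `push`/`pull_request`, and nothing visible in their hunks suggests they need more than read access.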
+++ b/.github/workflows/windows.yml
@@ -1,5 +1,8 @@
 name: windows
+permissions:
+ contents: read
+
 on: [push, pull_request]
 jobs: