Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: set minimal permissions on GitHub Workflows #2980

Merged
merged 1 commit into from
May 18, 2023
+23 −0
Merged

ci: set minimal permissions on GitHub Workflows #2980

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/workflows/clang-format-check.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
name: clang-format Check
on:
pull_request:
permissions:
contents: read
jobs:
formatting-check:
name: Formatting Check
Expand Down
4 changes: 4 additions & 0 deletions .github/workflows/clang-format-fix.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,11 +11,15 @@ name: clang-format Commit Changes
on:
workflow_dispatch:
push:
permissions:
contents: read
jobs:
formatting-check:
name: Commit Format Changes
runs-on: ubuntu-latest
if: "!contains(github.event.head_commit.message, 'skip-ci')"
permissions:
contents: write # In order to allow EndBug/add-and-commit to commit changes
steps:
- uses: actions/checkout@v3
- name: Fix C and Java formatting issues detected by clang-format
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/cmake-ctest.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,9 @@ on:
required: true
type: string

permissions:
contents: read

# A workflow run is made up of one or more jobs that can run sequentially or
# in parallel
jobs:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/codespell.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,8 @@
# https://github.com/codespell-project/actions-codespell
name: codespell
on: [push, pull_request]
permissions:
contents: read
jobs:
codespell:
name: Check for spelling errors
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/daily-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ on:
schedule:
- cron: "6 0 * * *"

permissions:
contents: read

# A workflow run is made up of one or more jobs that can run sequentially or
# in parallel.
jobs:
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/hdfeos5.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
cancel-in-progress: true

permissions:
contents: read

jobs:
build:
name: Build hdfeos5
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ concurrency:
group: ${{ github.workflow }}-${{ github.sha || github.event.pull_request.number }}
cancel-in-progress: true

permissions:
contents: read

# A workflow run is made up of one or more jobs that can run sequentially or
# in parallel. We just have one job, but the matrix items defined below will
# run in parallel.
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/tarball.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,9 @@ on:
description: "The common base name of the source tarballs"
value: ${{ jobs.create_tarball.outputs.file_base }}

permissions:
contents: read

# A workflow run is made up of one or more jobs that can run sequentially or
# in parallel
jobs:
Expand Down