| author | neilnaveen <42328488+neilnaveen@users.noreply.github.com> | 2022-06-25 01:08:13 +0000 |
|---|---|---|
| committer | Dylan Baker <dylan@pnwbakers.com> | 2022-06-24 23:46:38 -0700 |
| commit | 5f8b0487abf501a09c51387791b578a148c973e2 (patch) | |
| tree | 3104f200e004da60ff11af757e26295145acf55a /.github | |
| parent | 650cea3d08693b83892b1d63b947b7c760cdf639 (diff) | |
| download | meson-5f8b0487abf501a09c51387791b578a148c973e2.tar.gz | |
chore: Set permissions for GitHub actions
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much.
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
[Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/)
Signed-off-by: neilnaveen <42328488+neilnaveen@users.noreply.github.com>
Diffstat (limited to '.github')
| -rw-r--r-- | .github/workflows/file_format.yml | 3 |
| -rw-r--r-- | .github/workflows/lint.yml | 3 |
| -rw-r--r-- | .github/workflows/macos.yml | 3 |
| -rw-r--r-- | .github/workflows/msys2.yml | 3 |
| -rw-r--r-- | .github/workflows/nonative.yml | 3 |
| -rw-r--r-- | .github/workflows/os_comp.yml | 3 |
| -rw-r--r-- | .github/workflows/unusedargs_missingreturn.yml | 3 |
7 files changed, 21 insertions, 0 deletions
diff --git a/.github/workflows/file_format.yml b/.github/workflows/file_format.yml index 278fb297d..ea55f2b3e 100644 --- a/.github/workflows/file_format.yml +++ b/.github/workflows/file_format.yml @@ -6,6 +6,9 @@ concurrency: group: file_fmt-${{ github.head_ref }} cancel-in-progress: true +permissions: + contents: read + jobs: format: runs-on: ubuntu-latest diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 4afbc848f..ffd7fa3c9 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -14,6 +14,9 @@ on: - "**.py" - ".github/workflows/lint.yml" +permissions: + contents: read + jobs: pylint: diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml index 664c889aa..1bbb4fbb6 100644 --- a/.github/workflows/macos.yml +++ b/.github/workflows/macos.yml @@ -20,6 +20,9 @@ on: - ".github/workflows/macos.yml" - "run_unittests.py" +permissions: + contents: read + jobs: unittests-appleclang: runs-on: macos-latest diff --git a/.github/workflows/msys2.yml b/.github/workflows/msys2.yml index b49cd70a1..2e09abae7 100644 --- a/.github/workflows/msys2.yml +++ b/.github/workflows/msys2.yml @@ -20,6 +20,9 @@ on: - ".github/workflows/msys2.yml" - "run_unittests.py" +permissions: + contents: read + jobs: test: runs-on: windows-2019 diff --git a/.github/workflows/nonative.yml b/.github/workflows/nonative.yml index e541da3f4..32754f818 100644 --- a/.github/workflows/nonative.yml +++ b/.github/workflows/nonative.yml @@ -22,6 +22,9 @@ on: - ".github/workflows/nonative.yml" - "run*tests.py" +permissions: + contents: read + jobs: cross-only-armhf: runs-on: ubuntu-latest diff --git a/.github/workflows/os_comp.yml b/.github/workflows/os_comp.yml index 3f8e8bcc5..f38c81a48 100644 --- a/.github/workflows/os_comp.yml +++ b/.github/workflows/os_comp.yml @@ -26,6 +26,9 @@ on: - ".github/workflows/os_comp.yml" - "run_unittests.py" +permissions: + contents: read + jobs: arch: name: ${{ matrix.cfg.name }} 
diff --git a/.github/workflows/unusedargs_missingreturn.yml b/.github/workflows/unusedargs_missingreturn.yml index a32e28d0b..8118fb244 100644 --- a/.github/workflows/unusedargs_missingreturn.yml +++ b/.github/workflows/unusedargs_missingreturn.yml @@ -36,6 +36,9 @@ on: - "test cases/objcpp/**" - "test caes/windows/**" +permissions: + contents: read + jobs: linux: |
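Review bot: In all seven hunks the new `permissions:` block sits at workflow level, above `jobs:`, so it applies to every job in the file, and once the key is present every scope not listed drops to none. Only the first job of each file is visible in the context (`format`, `pylint`, `unittests-appleclang`, `test`, `cross-only-armhf`, `arch`, `linux`), so please confirm that no later job or step uses the GITHUB_TOKEN for anything beyond reading repository contents. If one does, give that job its own `permissions:` block with the extra scope rather than widening the workflow-level default.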
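Review bot: In the unusedargs_missingreturn.yml hunk, the context line `- "test caes/windows/**"` directly above the added block looks like a misspelling of `test cases`, given the neighbouring `- "test cases/objcpp/**"` entry. As written, that path filter will not match changes under `test cases/windows/`, so the workflow will not be triggered by them. It is outside the scope of this change, but worth correcting in a follow-up commit since the file is being touched anyway.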
