ci: explicitly define permissions at the job level (#255)
G-Rath authored Jul 2, 2024
1 parent 6f91442 commit f8d5c00
Showing 3 changed files with 49 additions and 8 deletions.
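--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -6,11 +6,14 @@ on:
 branches:
 - main
 
-permissions:
-contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 jobs:
 test-ubuntu:
+permissions:
+contents: read # to fetch code (actions/checkout)
 name: Test on Ubuntu
 runs-on: ubuntu-latest
 steps:
@@ -24,6 +27,8 @@ jobs:
 
 - run: make test
 test-macos:
+permissions:
+contents: read # to fetch code (actions/checkout)
 name: Test on MacOS
 runs-on: macos-latest
 steps:
@@ -37,6 +42,8 @@ jobs:
 
 - run: make test
 test-windows:
+permissions:
+contents: read # to fetch code (actions/checkout)
 name: Test on Windows
 runs-on: windows-latest
 steps:
@@ -50,6 +57,8 @@ jobs:
 
 - run: make test
 golangci-lint:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
@@ -66,6 +75,8 @@ jobs:
 with:
 version: v1.55
 go-fmt:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
@@ -75,6 +86,8 @@ jobs:
 
 - run: make lint-with-go-fmt
 prettier:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - name: Checkout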
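Review bot: The new top-level comment should also say that a job-level `permissions` block replaces the workflow default rather than merging with it, because that is exactly why every job here has to re-declare `contents: read` and it is the trap for the next job that adds a scope such as `pull-requests: write`. Proposed third comment line under the existing two: `# A job-level block replaces this default (it does not merge), so each job must list every scope it needs`. The checkout step's `uses:` line is outside this hunk, but the sibling workflows in this commit reference `actions/checkout@v4`, a mutable tag; now that token scopes are locked down, pinning third-party actions to a full commit SHA is the remaining supply-chain control worth adding next to this change. The `on:` block begins before the first hunk, so whether this workflow also runs on `pull_request` cannot be confirmed from here.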
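--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,11 +5,14 @@ on:
 tags:
 - 'v*'
 
-permissions:
-contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 jobs:
 test-ubuntu:
+permissions:
+contents: read # to fetch code (actions/checkout)
 name: Test on Ubuntu
 runs-on: ubuntu-latest
 steps:
@@ -23,6 +26,8 @@ jobs:
 
 - run: make test
 test-macos:
+permissions:
+contents: read # to fetch code (actions/checkout)
 name: Test on MacOS
 runs-on: macos-latest
 steps:
@@ -36,6 +41,8 @@ jobs:
 
 - run: make test
 test-windows:
+permissions:
+contents: read # to fetch code (actions/checkout)
 name: Test on Windows
 runs-on: windows-latest
 steps:
@@ -49,6 +56,8 @@ jobs:
 
 - run: make test
 golangci-lint:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
@@ -65,6 +74,8 @@ jobs:
 with:
 version: v1.55
 go-fmt:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
@@ -74,6 +85,8 @@ jobs:
 
 - run: make lint-with-go-fmt
 prettier:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
@@ -86,6 +99,8 @@ jobs:
 - run: npx prettier --prose-wrap always --check .
 
 goreleaser:
+permissions:
+contents: write # to create a GitHub release (goreleaser/goreleaser-action)
 runs-on: ubuntu-latest
 needs:
 - test-ubuntu
@@ -94,8 +109,6 @@ jobs:
 - prettier
 - golangci-lint
 - go-fmt
-permissions:
-contents: write # to create a GitHub release (goreleaser/goreleaser-action)
 steps:
 - name: Checkout
 uses: actions/checkout@v4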
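Review bot: `contents: write` on the `goreleaser` job is the only write scope left in this workflow and is broader than its comment suggests: in GitHub's permission model it allows pushing commits, branches and tags, not only creating a release, and it is held by every step of the job, including the `actions/checkout@v4` step on the last visible line, which references a mutable tag. Suggest tightening the comment to `contents: write # create the release and upload assets (goreleaser); this also allows pushing commits/tags, so keep every action in this job SHA-pinned` and pinning the actions used in this job to full commit SHAs. The rest of the job runs past the end of the hunk, so I cannot see whether goreleaser is invoked with `GITHUB_TOKEN` or with a separate secret, which would change what this scope actually buys.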
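--- a/.github/workflows/semantic.yml
+++ b/.github/workflows/semantic.yml
@@ -19,14 +19,17 @@ on:
 - '.github/workflows/semantic.yml'
 - 'generators/**'
 
-permissions:
-contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 env:
 VERSION_GENERATOR_PRINT: ${{ inputs.filterResults }}
 
 jobs:
 generate-debian-versions:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -57,6 +60,8 @@ jobs:
 key: ${{ runner.os }}-${{ hashFiles('debian-db.zip') }}
 
 generate-packagist-versions:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -74,6 +79,8 @@ jobs:
 path: pkg/semantic/fixtures/packagist-versions-generated.txt
 
 generate-pypi-versions:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -92,6 +99,8 @@ jobs:
 path: pkg/semantic/fixtures/pypi-versions-generated.txt
 
 generate-rubygems-versions:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -110,6 +119,8 @@ jobs:
 path: pkg/semantic/fixtures/rubygems-versions-generated.txt
 
 generate-maven-versions:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -134,6 +145,8 @@ jobs:
 path: pkg/semantic/fixtures/maven-versions-generated.txt
 
 generate-cran-versions:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
@@ -150,6 +163,8 @@ jobs:
 path: pkg/semantic/fixtures/cran-versions-generated.txt
 
 test-semantic:
+permissions:
+contents: read # to fetch code (actions/checkout)
 runs-on: ubuntu-latest
 needs:
 - generate-debian-versions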
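Review bot: Every `generate-*` job still checks out with `uses: actions/checkout@v4`, a mutable tag, so the read-only token this commit grants is only as trustworthy as whoever can move that tag; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and add a `github-actions` entry to Dependabot so the pin is bumped for you. `contents: read` does look like the right scope for these jobs, which appear to only fetch version data and publish fixtures as artifacts (`path: pkg/semantic/fixtures/...`), though each job's remaining steps are cut off by the hunks. `VERSION_GENERATOR_PRINT: ${{ inputs.filterResults }}` is interpolated into an env var rather than a `run:` script, which is the safe way to consume a dispatch input; a short comment that it is empty on non-dispatch triggers would help the next reader, if that is the intent. The `on:` triggers and the `test-semantic` steps are outside the visible hunks.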
