From 86020adfaa0982bc2abfb177b7a98c7c16f12273 Mon Sep 17 00:00:00 2001
From: Gareth Jones
Date: Wed, 3 Jul 2024 08:33:45 +1200
Subject: [PATCH] ci: explicitly define permissions at the job level

---
 .github/workflows/checks.yml | 17 +++++++++++++++--
 .github/workflows/release.yml | 21 +++++++++++++++++----
 .github/workflows/semantic.yml | 19 +++++++++++++++++--
 3 files changed, 49 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index 8f0e1e92..51fd7ef8 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -6,11 +6,14 @@ on:
     branches:
       - main
 
-permissions:
-  contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 jobs:
   test-ubuntu:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on Ubuntu
     runs-on: ubuntu-latest
     steps:
@@ -24,6 +27,8 @@ jobs:
       - run: make test
 
   test-macos:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on MacOS
     runs-on: macos-latest
     steps:
@@ -37,6 +42,8 @@ jobs:
       - run: make test
 
   test-windows:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on Windows
     runs-on: windows-latest
     steps:
@@ -50,6 +57,8 @@ jobs:
       - run: make test
 
   golangci-lint:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -66,6 +75,8 @@ jobs:
         with:
           version: v1.55
   go-fmt:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -75,6 +86,8 @@ jobs:
       - run: make lint-with-go-fmt
 
   prettier:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0ea6327b..67a77eb5 100644
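Review bot: The new header comment reads awkwardly — "Restrict jobs in this workflow to have no permissions by default" — and the same two lines are repeated verbatim in release.yml and semantic.yml, so the wording should be fixed once in all three files. Suggested replacement: `# The workflow grants the GITHUB_TOKEN no permissions by default; each job` / `# grants only what it needs in its own job-level permissions block.` It is also worth stating in that comment that a job-level permissions block defines the token's entire scope rather than adding to a default set, so a job that later needs another scope must list it explicitly alongside `contents: read` — that fail-closed behaviour is what this change relies on.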
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,11 +5,14 @@ on:
     tags:
       - 'v*'
 
-permissions:
-  contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 jobs:
   test-ubuntu:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on Ubuntu
     runs-on: ubuntu-latest
     steps:
@@ -23,6 +26,8 @@ jobs:
       - run: make test
 
   test-macos:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on MacOS
     runs-on: macos-latest
     steps:
@@ -36,6 +41,8 @@ jobs:
       - run: make test
 
   test-windows:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     name: Test on Windows
     runs-on: windows-latest
     steps:
@@ -49,6 +56,8 @@ jobs:
       - run: make test
 
   golangci-lint:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -65,6 +74,8 @@ jobs:
         with:
           version: v1.55
   go-fmt:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -74,6 +85,8 @@ jobs:
       - run: make lint-with-go-fmt
 
   prettier:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -86,6 +99,8 @@ jobs:
       - run: npx prettier --prose-wrap always --check .
 
   goreleaser:
+    permissions:
+      contents: write # to create a GitHub release (goreleaser/goreleaser-action)
     runs-on: ubuntu-latest
     needs:
       - test-ubuntu
@@ -94,8 +109,6 @@ jobs:
       - prettier
       - golangci-lint
       - go-fmt
-    permissions:
-      contents: write # to create a GitHub release (goreleaser/goreleaser-action)
     steps:
       - name: Checkout
         uses: actions/checkout@v4
diff --git a/.github/workflows/semantic.yml b/.github/workflows/semantic.yml
index 8458dd90..0f99171c 100644
--- a/.github/workflows/semantic.yml
+++ b/.github/workflows/semantic.yml
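Review bot: `contents: write` in the `goreleaser` job (hunk `@@ -86,6 +99,8`) is now the only non-read grant across the three workflows, and because a job-level permissions block defines the token's entire scope, anything goreleaser is configured to publish beyond the GitHub release itself (container images, package registries) would now need its own explicit grant or a separate credential — worth confirming against the goreleaser configuration, which is not part of this patch. The inline comment could also record what keeps this write-capable job gated, e.g. `contents: write # to create a GitHub release (goreleaser/goreleaser-action); runs only after the read-only test/lint jobs listed under needs`. The removal in hunk `@@ -94,8 +109,6` is the matching half of a pure reorder that places the block ahead of `runs-on`, consistent with the other jobs.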
@@ -18,14 +18,17 @@ on:
     paths:
       - 'generators/**'
 
-permissions:
-  contents: read # to fetch code (actions/checkout)
+# Restrict jobs in this workflow to have no permissions by default; permissions
+# should be granted per job as needed using a dedicated `permissions` block
+permissions: {}
 
 env:
   VERSION_GENERATOR_PRINT: ${{ inputs.filterResults }}
 
 jobs:
   generate-debian-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -56,6 +59,8 @@ jobs:
           key: ${{ runner.os }}-${{ hashFiles('debian-db.zip') }}
 
   generate-packagist-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -73,6 +78,8 @@ jobs:
           path: pkg/semantic/fixtures/packagist-versions-generated.txt
 
   generate-pypi-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -91,6 +98,8 @@ jobs:
           path: pkg/semantic/fixtures/pypi-versions-generated.txt
 
   generate-rubygems-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -109,6 +118,8 @@ jobs:
           path: pkg/semantic/fixtures/rubygems-versions-generated.txt
 
   generate-maven-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -133,6 +144,8 @@ jobs:
           path: pkg/semantic/fixtures/maven-versions-generated.txt
 
   generate-cran-versions:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -149,6 +162,8 @@ jobs:
           path: pkg/semantic/fixtures/cran-versions-generated.txt
 
   test-semantic:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
     runs-on: ubuntu-latest
     needs:
       - generate-debian-versions