From: Varun Sharma
Date: Sat, 9 Jul 2022 14:03:23 +0000 (-0700)
Subject: ci: add GitHub token permissions for workflows
X-Git-Tag: openssl-3.2.0-alpha1~2403
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c6e7f427c82dfa17416a39af7661c40162d57aaf;p=thirdparty%2Fopenssl.git

ci: add GitHub token permissions for workflows

Signed-off-by: Varun Sharma
Reviewed-by: Richard Levitte
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/18766)
---
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d2094c74bef..843ed480cd1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,6 +18,9 @@ on: [pull_request, push]
 # before_script:
 # - make="make -s"
+permissions:
+ contents: read
+
 jobs:
 check_update:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/compiler-zoo.yml b/.github/workflows/compiler-zoo.yml
index 59f316a63e5..a8525258c5a 100644
--- a/.github/workflows/compiler-zoo.yml
+++ b/.github/workflows/compiler-zoo.yml
@@ -9,6 +9,9 @@ name: Compiler Zoo CI
 on: [push]
+permissions:
+ contents: read
+
 jobs:
 compiler:
 strategy:
diff --git a/.github/workflows/coveralls.yml b/.github/workflows/coveralls.yml
index c23df85acf8..ec1367d8295 100644
--- a/.github/workflows/coveralls.yml
+++ b/.github/workflows/coveralls.yml
@@ -12,8 +12,14 @@ on:
 schedule:
 - cron: '49 0 * * *'
+permissions:
+ contents: read
+
 jobs:
 coverage:
+ permissions:
+ checks: write # for coverallsapp/github-action to create new checks
+ contents: read # for actions/checkout to fetch code
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
diff --git a/.github/workflows/cross-compiles.yml b/.github/workflows/cross-compiles.yml
index b77c41f17e2..0b4609e57ee 100644
--- a/.github/workflows/cross-compiles.yml
+++ b/.github/workflows/cross-compiles.yml
@@ -9,6 +9,9 @@ name: Cross Compile
 on: [pull_request, push]
+permissions:
+ contents: read
+
 jobs:
 cross-compilation:
 strategy:
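Review bot: The new workflow-level `permissions: contents: read` block carries no comment saying that it also drops every other GITHUB_TOKEN scope to `none` for every job in ci.yml; the jobs themselves are outside the hunk, so any job that later needs more (check annotations, PR comments, releases) will get a 403 and must declare its own job-level `permissions`. I would add above the block `# Default GITHUB_TOKEN to read-only; a job that needs more must set its own job-level permissions block, which replaces this one rather than extending it (see coveralls.yml).` The same applies to the identical blocks added in compiler-zoo.yml, coveralls.yml, cross-compiles.yml, fips-checksums.yml, fips-label.yml, fips-provider.yml, fuzz-checker.yml, main.yml, os-zoo.yml, run-checker-ci.yml, run-checker-daily.yml, run-checker-merge.yml, static-analysis.yml and windows.yml. A read-only default is the right baseline for the pull_request- and push-triggered jobs here.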
diff --git a/.github/workflows/fips-checksums.yml b/.github/workflows/fips-checksums.yml
index 78351981d51..176b3dea306 100644
--- a/.github/workflows/fips-checksums.yml
+++ b/.github/workflows/fips-checksums.yml
@@ -8,6 +8,9 @@ name: FIPS Checksums
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 compute-checksums:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/fips-label.yml b/.github/workflows/fips-label.yml
index c241801b9ec..a22e9bf0692 100644
--- a/.github/workflows/fips-label.yml
+++ b/.github/workflows/fips-label.yml
@@ -12,8 +12,14 @@ on:
 types:
 - completed
+permissions:
+ contents: read
+
 jobs:
 apply-label:
+ permissions:
+ actions: read
+ pull-requests: write
 runs-on: ubuntu-latest
 if: ${{ github.event.workflow_run.event == 'pull_request' }}
 steps:
diff --git a/.github/workflows/fips-provider.yml b/.github/workflows/fips-provider.yml
index 18af712b62b..69dea41811d 100644
--- a/.github/workflows/fips-provider.yml
+++ b/.github/workflows/fips-provider.yml
@@ -8,6 +8,9 @@ name: Provider compat
 on: [push]
+permissions:
+ contents: read
+
 jobs:
 fips-provider-30:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/fuzz-checker.yml b/.github/workflows/fuzz-checker.yml
index 4d3bf358847..9e5627fd031 100644
--- a/.github/workflows/fuzz-checker.yml
+++ b/.github/workflows/fuzz-checker.yml
@@ -9,6 +9,9 @@ name: Fuzz-checker CI
 on: [push]
+permissions:
+ contents: read
+
 jobs:
 fuzz-checker:
 strategy:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 4ad9c0c1fab..0646e5e713a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -7,6 +7,9 @@ name: CIFuzz
 on: [pull_request, push]
+permissions:
+ contents: read
+
 jobs:
 Fuzzing:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/os-zoo.yml b/.github/workflows/os-zoo.yml
index 3e05b803d86..429cd1eb890 100644
--- a/.github/workflows/os-zoo.yml
+++ b/.github/workflows/os-zoo.yml
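Review bot: The job-level `permissions` block added to `apply-label` in fips-label.yml replaces the workflow-level one rather than extending it, so this job runs with no `contents` scope at all, unlike the `coverage` job in coveralls.yml which re-states `contents: read`. That is fine only if none of `apply-label`'s steps check out the repository; the steps are outside the hunk, so please confirm. The two scopes also lack the per-line justification comments the coveralls hunk uses; for consistency I would write `actions: read  # to read artifacts of the triggering workflow_run` and `pull-requests: write  # to apply the label to the PR`, with the wording checked against the steps. Since this workflow runs on `workflow_run`, where the token is issued in the base repository's context, keeping the grant this narrow is the right call.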
@@ -11,6 +11,9 @@ on:
 schedule:
 - cron: '0 5 * * *'
+permissions:
+ contents: read
+
 jobs:
 unix:
 strategy:
diff --git a/.github/workflows/run-checker-ci.yml b/.github/workflows/run-checker-ci.yml
index 1fa716f94ab..cfc458ac583 100644
--- a/.github/workflows/run-checker-ci.yml
+++ b/.github/workflows/run-checker-ci.yml
@@ -8,6 +8,9 @@
 # Jobs run per pull request submission
 name: Run-checker CI
 on: [pull_request, push]
+permissions:
+ contents: read
+
 jobs:
 run-checker:
 strategy:
diff --git a/.github/workflows/run-checker-daily.yml b/.github/workflows/run-checker-daily.yml
index 923b5aa6703..da5105c8f35 100644
--- a/.github/workflows/run-checker-daily.yml
+++ b/.github/workflows/run-checker-daily.yml
@@ -11,6 +11,9 @@ name: Run-checker daily
 on:
 schedule:
 - cron: '0 6 * * *'
+permissions:
+ contents: read
+
 jobs:
 run-checker:
 strategy:
diff --git a/.github/workflows/run-checker-merge.yml b/.github/workflows/run-checker-merge.yml
index 7795ab1db25..dcc9d0d15f5 100644
--- a/.github/workflows/run-checker-merge.yml
+++ b/.github/workflows/run-checker-merge.yml
@@ -9,6 +9,9 @@ name: Run-checker merge
 # Jobs run per merge to master
 on: [push]
+permissions:
+ contents: read
+
 jobs:
 run-checker:
 strategy:
diff --git a/.github/workflows/static-analysis.yml b/.github/workflows/static-analysis.yml
index 6c69436c175..119733c7d25 100644
--- a/.github/workflows/static-analysis.yml
+++ b/.github/workflows/static-analysis.yml
@@ -12,6 +12,9 @@ on:
 schedule:
 - cron: '20 0 * * *'
+permissions:
+ contents: read
+
 jobs:
 coverity:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index c530ba07801..92052cf49b9 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -9,6 +9,9 @@ name: Windows GitHub CI
 on: [pull_request, push]
+permissions:
+ contents: read
+
 jobs:
 shared:
 # Run a job for each of the specified target architectures: