Make Github workflows permissions read-only by default (#3488)

* Make Github workflows permissions read-only by default

* Pins `skx/github-action-publish-binaries` action to specific hash

diff --git a/.github/workflows/dev-long-tests.yml b/.github/workflows/dev-long-tests.yml
index 1c8c9ec555f1407c071d9368a10fa1999fe4d75a..22416e2cd67439c37f8de01b00621c7445d76fa4 100644 (file)
--- a/.github/workflows/dev-long-tests.yml
+++ b/.github/workflows/dev-long-tests.yml
@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [ dev, release, actionsTest ]
 
+permissions: read-all
+
 jobs:
   make-all:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/dev-short-tests.yml b/.github/workflows/dev-short-tests.yml
index 092c933c762e0ea3de8e262d26b634a2a4ce6bb6..eede89f8751a9b75521f23604460f5b4cb571208 100644 (file)
--- a/.github/workflows/dev-short-tests.yml
+++ b/.github/workflows/dev-short-tests.yml
@@ -10,6 +10,8 @@ on:
   pull_request:
     branches: [ dev, release, actionsTest ]
 
+permissions: read-all
+
 jobs:
   linux-kernel:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/publish-release-artifacts.yml b/.github/workflows/publish-release-artifacts.yml
index 2c89a91a55a0091bd7dde0ee42eb8ca225925300..39da42d157c2b6ce732f9ba71a300ad672089cb1 100644 (file)
--- a/.github/workflows/publish-release-artifacts.yml
+++ b/.github/workflows/publish-release-artifacts.yml
@@ -5,8 +5,7 @@ on:
     types:
       - published
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   publish-release-artifacts:
@@ -68,7 +67,7 @@ jobs:
           fi
 
       - name: Publish
-        uses: skx/github-action-publish-binaries@release-2.0
+        uses: skx/github-action-publish-binaries@b9ca5643b2f1d7371a6cba7f35333f1461bbc703 # tag=release-2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with: