From: Yonatan Komornik <11005061+yoniko@users.noreply.github.com>
Date: Tue, 14 Feb 2023 00:57:05 +0000 (-0800)
Subject: Make Github workflows permissions read-only by default (#3488)
X-Git-Tag: v1.5.5~2^2~50
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=727d03161f689399b7f6dbd65cd624185bf4de8c;p=thirdparty%2Fzstd.git

Make Github workflows permissions read-only by default (#3488)

* Make Github workflows permissions read-only by default
* Pins `skx/github-action-publish-binaries` action to specific hash
---
diff --git a/.github/workflows/dev-long-tests.yml b/.github/workflows/dev-long-tests.yml
index 1c8c9ec55..22416e2cd 100644
--- a/.github/workflows/dev-long-tests.yml
+++ b/.github/workflows/dev-long-tests.yml
@@ -9,6 +9,8 @@ on:
 pull_request:
 branches: [ dev, release, actionsTest ]
 
+permissions: read-all
+
 jobs:
 make-all:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dev-short-tests.yml b/.github/workflows/dev-short-tests.yml
index 092c933c7..eede89f87 100644
--- a/.github/workflows/dev-short-tests.yml
+++ b/.github/workflows/dev-short-tests.yml
@@ -10,6 +10,8 @@ on:
 pull_request:
 branches: [ dev, release, actionsTest ]
 
+permissions: read-all
+
 jobs:
 linux-kernel:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-release-artifacts.yml b/.github/workflows/publish-release-artifacts.yml
index 2c89a91a5..39da42d15 100644
--- a/.github/workflows/publish-release-artifacts.yml
+++ b/.github/workflows/publish-release-artifacts.yml
@@ -5,8 +5,7 @@ on:
 types:
 - published
 
-permissions:
- contents: read
+permissions: read-all
 
 jobs:
 publish-release-artifacts:
@@ -68,7 +67,7 @@ jobs:
 fi
 
 - name: Publish
- uses: skx/github-action-publish-binaries@release-2.0
+ uses: skx/github-action-publish-binaries@b9ca5643b2f1d7371a6cba7f35333f1461bbc703 # tag=release-2.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
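Review bot: `permissions: read-all` in dev-long-tests.yml gives the workflow token read access on every scope, which is more than a build-and-test workflow triggered by `pull_request` normally needs. The least-privilege form is a `permissions:` mapping with the single entry `contents: read`, which leaves all other scopes at `none`. The same applies to the identical addition in dev-short-tests.yml. If a job in either file needs to read something beyond the repository contents (the job bodies are outside these hunks), that scope is better granted on the job than workflow-wide.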
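Review bot: In publish-release-artifacts.yml, `permissions: read-all` is broader than the `contents: read` block it replaces, so this hunk widens the default token rather than narrowing it. The old mapping left every unlisted scope at `none`, whereas `read-all` grants read on all of them. Keeping the two-line `permissions:` / `contents: read` form would still give a read-only default and keeps this release workflow at the tighter setting. The Publish step later in the file uploads with `GITHUB_TOKEN`, which presumably relies on a job-level `contents: write` grant between the two hunks. That grant is not visible here, so it is worth confirming it exists and stays scoped to that one job.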
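Review bot: The commit pinned on the `uses:` line is tied to `release-2.0` only by the trailing `# tag=release-2.0` comment. Before merging, someone should confirm that `b9ca5643b2f1d7371a6cba7f35333f1461bbc703` is the commit that tag resolves to in skx/github-action-publish-binaries. A full-SHA pin also stops picking up upstream fixes, and no updater configuration is visible in this diff. If none exists, consider a Dependabot entry for the `github-actions` ecosystem so the hash and its comment are bumped together. Because this step hands `GITHUB_TOKEN` to third-party code, the job's write grant (outside this hunk) should be no wider than `contents: write`.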