From: Evgeny Vereshchagin Date: Sat, 13 Nov 2021 22:34:04 +0000 (+0000) Subject: ci: mimic the "restricted" mode X-Git-Tag: v250-rc1~267 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e7a966915dde2c6f25a5e7a06a4a637b04b89781;p=thirdparty%2Fsystemd.git ci: mimic the "restricted" mode Judging by https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token it should be enough to grant the "read contents" permission to most of our actions. The "read metadata" permission is set impliciclty somewhere and can't be set via the "permissions" setting: ``` The workflow is not valid. .github/workflows/linter.yml (Line: 14, Col: 3): Unexpected value 'metadata' ``` --- diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml index c446fc41ba1..887dfabf055 100644 --- a/.github/workflows/build_test.yml +++ b/.github/workflows/build_test.yml @@ -12,7 +12,8 @@ on: - 'src/**' - 'test/fuzz/**' -permissions: read-all +permissions: + contents: read jobs: build: diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index 6c02b1da1e5..25a1a6ebeba 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -5,7 +5,8 @@ name: CIFuzz -permissions: read-all +permissions: + contents: read on: pull_request: diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 7b1d1217f38..a164d16fbf0 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -9,7 +9,8 @@ on: # Run Coverity daily at midnight - cron: '0 0 * * *' -permissions: read-all +permissions: + contents: read jobs: build: diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 3905b7a6438..7bceabd5ce3 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -10,7 +10,8 @@ on: - main - v[0-9]+-stable -permissions: read-all +permissions: + contents: read jobs: build: 
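Review bot: The new `permissions:` block in build_test.yml has no comment saying that once any scope is listed, every unlisted GITHUB_TOKEN scope drops to `none`. A step added later that needs another scope would fail with a 403 that is hard to trace back to this block. I would put `# Least privilege: unlisted GITHUB_TOKEN scopes become "none"; grant extras per job, not here.` directly above `permissions:`. The same applies to the identical hunks in cifuzz.yml, coverity.yml, linter.yml, mkosi.yml and unit_tests.yml. The `jobs:` section continues outside each hunk, so whether any existing job already needs more than `contents: read` cannot be checked from here.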
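Review bot: In coverity.yml the `permissions:` block restricts only the automatically issued GITHUB_TOKEN, and a reader could take it as covering everything this scheduled workflow can reach. Scheduled runs execute in the base repository, so any repository secret the `build` job hands to the Coverity upload keeps its own scope; the job's steps are outside the hunk, so this is inferred. A short comment such as `# Limits GITHUB_TOKEN only; secrets passed to the job are not affected.` would make that boundary explicit.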
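Review bot: `contents: read` may be too narrow for the `build` job in linter.yml if its lint step reports results through the GitHub API, since posting commit statuses needs `statuses: write`. The shortfall would surface as a 403 inside the step, not as the workflow-validation error quoted in the commit message. The job's steps are outside the hunk, so this is inferred and worth confirming against a run on a pull request. If status reporting is in use, keep the workflow default and grant the extra scope on the job with `permissions: { contents: read, statuses: write }` under `build:`. A job-level block replaces the workflow-level one, so `contents: read` has to be repeated there.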
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml index 533c8be9680..6294742758d 100644 --- a/.github/workflows/mkosi.yml +++ b/.github/workflows/mkosi.yml @@ -14,7 +14,8 @@ on: - main - v[0-9]+-stable -permissions: read-all +permissions: + contents: read jobs: ci: diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index 3f37fe866bc..1458732d2b8 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml @@ -9,7 +9,8 @@ on: - main - v[0-9]+-stable -permissions: read-all +permissions: + contents: read jobs: build: