From: Tobias Brunner
Date: Wed, 27 May 2026 11:31:51 +0000 (+0200)
Subject: github: Move permissions to the individual jobs
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=6f99862da8d9e72f6012aedc076aef8947d8a906;p=thirdparty%2Fstrongswan.git
github: Move permissions to the individual jobs
SonarQube complains about workflow-level "allow" permissions.
---
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index 4d7c97fba3..bb6d2fa5ff 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -6,9 +6,6 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions:
- actions: write
-
 env:
 CCACHE_BASEDIR: ${{ github.workspace }}
 CCACHE_COMPRESS: true
@@ -32,6 +29,8 @@ jobs:
 needs: pre-check
 if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
 runs-on: ubuntu-latest
+ permissions:
+ actions: write
 env:
 TEST: android
 # since the NDK might be newly installed, we have to use this to avoid cache misses
diff --git a/.github/workflows/cache-cleanup.yml b/.github/workflows/cache-cleanup.yml
index 76d74b9492..eea8a8278b 100644
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -2,12 +2,11 @@ name: Cache cleanup
 on: delete
-permissions:
- actions: write
-
 jobs:
 cleanup:
 runs-on: ubuntu-slim
+ permissions:
+ actions: write
 steps:
 - env:
 GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 8ed484b011..5df1a84c35 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -6,9 +6,6 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions:
- actions: write
-
 env:
 # this test case does not actually test anything but tries to access system
 # directories that might be inaccessible on build hosts
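Review bot: Removing the workflow-level `permissions:` block in android.yml (and in the matching first hunks of linux.yml, macos.yml, sonarcloud.yml, tkm.yml and windows.yml) leaves any job without its own block on the repository's default GITHUB_TOKEN permissions, which can be broader than the actions-only token it had before. The hunks reference a `pre-check` job through `needs: pre-check`, and no hunk in this commit gives it a `permissions:` block; its definition is outside the hunks, so this should be confirmed. Keeping an empty workflow-level default, `permissions: {}`, would make the per-job grants the only ones in effect, with `pre-check` receiving an explicit block for whatever scope it needs.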
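Review bot: `actions: write` is copied unchanged onto the job in the second android.yml hunk, and the same block is added to every job touched in linux.yml, macos.yml, sonarcloud.yml, tkm.yml and windows.yml, so the move to job level does not yet narrow any token. The steps of these jobs lie outside the hunks; if only some of them call the Actions API with the token, the rest could be reduced to `permissions: {}` or `contents: read`. Where the write scope stays, a one-line comment above the block would record the reason, e.g. `# actions: write is used by <step name> (placeholder)`.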
@@ -35,6 +32,8 @@ jobs:
 needs: pre-check
 if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
 runs-on: ${{ matrix.os || 'ubuntu-latest' }}
+ permissions:
+ actions: write
 strategy:
 fail-fast: false
 matrix:
@@ -160,6 +159,8 @@ jobs:
 needs: pre-check
 if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
 runs-on: ${{ matrix.os }}
+ permissions:
+ actions: write
 strategy:
 fail-fast: false
 matrix:
@@ -260,6 +261,8 @@ jobs:
 needs: pre-check
 if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
 runs-on: ${{ matrix.os }}
+ permissions:
+ actions: write
 strategy:
 matrix:
 os: [ ubuntu-22.04 ]
@@ -342,6 +345,8 @@ jobs:
 if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
 runs-on: ubuntu-latest
 container: alpine:latest
+ permissions:
+ actions: write
 env:
 TESTS_REDUCED_KEYLENGTHS: yes
 TEST: alpine
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 3a5118452b..2bb052673a 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -6,9 +6,6 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions:
- actions: write
-
 env:
 TESTS_REDUCED_KEYLENGTHS: yes
 CCACHE_BASEDIR: ${{ github.workspace }}
@@ -36,6 +33,8 @@ jobs:
 if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
 runs-on: ${{ matrix.os }}
 timeout-minutes: 20
+ permissions:
+ actions: write
 env:
 TEST: macos
 steps:
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index f28facbe91..988cb092e4 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -6,9 +6,6 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions:
- actions: write
-
 env:
 CCACHE_BASEDIR: ${{ github.workspace }}
 CCACHE_COMPRESS: true
@@ -31,6 +28,8 @@ jobs:
 needs: pre-check
 if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
 runs-on: ubuntu-latest
+ permissions:
+ actions: write
 env:
 TEST: sonarcloud
 steps:
diff --git a/.github/workflows/tkm.yml b/.github/workflows/tkm.yml
index 44fe35e958..902e048972 100644
--- a/.github/workflows/tkm.yml
+++ b/.github/workflows/tkm.yml
@@ -6,9 +6,6 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions:
- actions: write
-
 env:
 CCACHE_DIR: ${{ github.workspace }}/.ccache
 CCACHE_CONTAINER: /root/.ccache
@@ -32,6 +29,8 @@ jobs:
 needs: pre-check
 if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
 runs-on: ubuntu-latest
+ permissions:
+ actions: write
 env:
 TEST: tkm
 steps:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 039085458a..e3299eb629 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -6,9 +6,6 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
-permissions:
- actions: write
-
 env:
 TESTS_REDUCED_KEYLENGTHS: yes
 CCACHE_COMPRESS: true
@@ -34,6 +31,8 @@ jobs:
 needs: pre-check
 if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
 runs-on: ubuntu-latest
+ permissions:
+ actions: write
 strategy:
 matrix:
 test: [ win64, win32 ]
@@ -80,6 +79,8 @@ jobs:
 needs: pre-check
 if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
 runs-on: windows-latest
+ permissions:
+ actions: write
 strategy:
 matrix:
 include: