| field | value | date |
|---|---|---|
| author | Diogo Teles Sant'Anna <diogoteles@google.com> | 2023-03-10 17:24:25 -0300 |
| committer | Diogo Teles Sant'Anna <diogoteles@google.com> | 2023-03-10 17:24:25 -0300 |
| commit | 63b3a350d637ecac45423609f85a68f7a5cedc9e (patch) | |
| tree | b2fe98c6d806e5b70368f3b287cf684af417d232 | |
| parent | ef21b76c33aadfe67f61e378627cd63f21aab4c1 (diff) | |
| download | lcms2-63b3a350d637ecac45423609f85a68f7a5cedc9e.tar.gz | |
CI: set minimal permissions to GitHub Workflows
Set top-level read-only permissions on all workflows; for the jobs that
require write permissions, grant them only at job level.
Closes #366
Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com>
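Added example, not lcms2 code and not part of this commit: the two GitHub Actions rules the commit message relies on (a missing top-level `permissions:` leaves the GITHUB_TOKEN at the repository default, and a job-level `permissions:` block replaces the top-level one rather than merging with it) applied by a small Ruby audit script. Ruby is used because YAML parsing (`yaml`/Psych) ships in its standard library. Both workflow texts are constructed for the example; the second is modelled on the codeql-analysis.yml change in this commit with a hypothetical `lint` job added, and the function names are the example's own.

```ruby
require 'yaml'

# Constructed "before" workflow: no permissions block at all, so the
# GITHUB_TOKEN gets whatever the repository-wide default is.
BEFORE_WORKFLOW = <<~YAML
  name: CodeQL
  on:
    push:
    schedule:
      - cron: '0 6 * * 5'
  jobs:
    analyze:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v3
YAML

# Constructed "after" workflow modelled on this commit's codeql change, plus a
# hypothetical `lint` job with no block of its own, which therefore inherits
# the top-level read-all.
AFTER_WORKFLOW = <<~YAML
  name: CodeQL
  on:
    schedule:
      - cron: '0 6 * * 5'
  permissions: read-all
  jobs:
    analyze:
      runs-on: ubuntu-latest
      permissions:
        actions: read
        contents: read
        security-events: write
      steps:
        - uses: actions/checkout@v3
    lint:
      runs-on: ubuntu-latest
      steps:
        - run: echo lint
YAML

# Which scopes a permissions value lets the token write to.
# Returns [:repository_default] when nothing is set (GitHub falls back to the
# repository default, which is the permissive write-all on many older
# repositories), [:all] for write-all, [] for read-all, and the sorted list of
# scope names marked `write` for an explicit block.
def write_scopes(perms)
  case perms
  when nil         then [:repository_default]
  when 'write-all' then [:all]
  when 'read-all'  then []
  when Hash        then perms.select { |_scope, level| level == 'write' }.keys.sort
  else raise ArgumentError, "unexpected permissions value: #{perms.inspect}"
  end
end

# Effective permissions per job. A job-level block replaces the top-level
# block entirely (no merging), which is what makes the commit's pattern of
# "read-all at top, explicit write scopes per job" work.
def audit_workflow(yaml_text)
  wf  = YAML.safe_load(yaml_text) # safe_load: workflow files are untrusted input
  top = wf['permissions']
  jobs = (wf['jobs'] || {}).each_with_object({}) do |(name, job), acc|
    effective = job.key?('permissions') ? job['permissions'] : top
    acc[name] = { effective: effective, writes: write_scopes(effective) }
  end
  { top_level_set: !top.nil?, jobs: jobs }
end

# Human-readable findings, one line per problem; an empty list means nothing to flag.
def findings(yaml_text)
  report = audit_workflow(yaml_text)
  out = []
  out << 'no top-level permissions: token falls back to repository default' unless report[:top_level_set]
  report[:jobs].each do |name, info|
    case info[:writes]
    when []                    then next
    when [:repository_default] then out << "job #{name}: inherits repository default token (may be write-all)"
    when [:all]                then out << "job #{name}: write-all"
    else out << "job #{name}: write access to #{info[:writes].join(', ')}"
    end
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  puts '--- before ---', findings(BEFORE_WORKFLOW)
  puts '--- after ----', findings(AFTER_WORKFLOW)
end
```

The script treats `read-all` and `write-all` as opaque shorthands rather than expanding them scope by scope; that is enough to tell "no write access" from "some write access", which is the review question for a change like this one. Pointing `audit_workflow` at every file under `.github/workflows/` gives the same per-job answer the commit message promises: read-only everywhere except the scopes a job names explicitly.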
| mode | file | changed lines |
|---|---|---|
| -rw-r--r-- | .github/workflows/build.yml | 2 |
| -rw-r--r-- | .github/workflows/codeql-analysis.yml | 6 |

2 files changed, 8 insertions, 0 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1590df3..3197ba0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,6 +6,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.job }}-${{ github.ref }} cancel-in-progress: true +permissions: read-all + jobs: Ubuntu: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 37da696..1527837 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -14,10 +14,16 @@ on: schedule: - cron: '0 6 * * 5' +permissions: read-all + jobs: analyze: name: Analyze runs-on: ubuntu-latest + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report strategy: fail-fast: false |
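Review bot: in the build.yml hunk, `permissions: read-all` is still broader than the "minimal permissions" the commit message aims for: it grants read on every scope (actions, checks, deployments, packages, pull-requests, and so on), while a job that only checks out and compiles needs `contents: read` alone. Suggest replacing the line with `permissions:` / `  contents: read`, which is also exactly what the codeql job-level block assumes for actions/checkout. Since the hunk shows only the `Ubuntu:` job header, please confirm no job in build.yml relies on a write scope that the new top-level default takes away (for example a release or publish step); such a job would not fail at parse time but at runtime, with a 403 "Resource not accessible by integration" from the API.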
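Review bot: in the codeql-analysis.yml hunk, the comment on `security-events: write` names only the autobuild status report, which understates why the scope is needed: it is the permission `github/codeql-action/analyze` requires to upload SARIF results to code scanning, so if that step (outside this hunk) is ever removed or moved, a reader of this comment would wrongly conclude the scope can go. Suggest `security-events: write # for github/codeql-action/analyze to upload SARIF results (and status reports)`. Worth noting in the same block that a job-level `permissions:` replaces the top-level `read-all` entirely rather than merging with it, so `analyze` ends up with exactly the three scopes listed; that is the intended outcome here, but it means the new top-level line only affects jobs without a block of their own.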