diff options
author | Alex <aleksandrosansan@gmail.com> | 2022-09-26 15:52:46 +0100 |
---|---|---|
committer | Bram Moolenaar <Bram@vim.org> | 2022-09-26 15:52:46 +0100 |
commit | 311df6bb0f861154e6a27144c226c805c7554a94 (patch) | |
tree | 73269e6b635854c363853400bc7135bed4095fda | |
parent | 838b746cce7ea863acdb81e3f44eec2ea90de92a (diff) | |
download | vim-git-311df6bb0f861154e6a27144c226c805c7554a94.tar.gz |
patch 9.0.0593: CI actions have too many permissionsv9.0.0593
Problem: CI actions have too many permissions.
Solution: Restrict permissions to what is required. (closes #11223)
-rw-r--r-- | .github/workflows/ci.yml | 3 | ||||
-rw-r--r-- | .github/workflows/codeql-analysis.yml | 7 | ||||
-rw-r--r-- | .github/workflows/coverity.yml | 3 | ||||
-rw-r--r-- | src/version.c | 2 |
4 files changed, 15 insertions, 0 deletions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6c1b35953..c9889498e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +permissions: + contents: read # to fetch code (actions/checkout) + jobs: linux: runs-on: ubuntu-20.04 diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index efb9e6699..efd91a4de 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -21,8 +21,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true +permissions: + contents: read # to fetch code (actions/checkout) + jobs: analyze: + permissions: + contents: read # to fetch code (actions/checkout) + security-events: write # (github/codeql-action/autobuild) + name: Analyze runs-on: ubuntu-latest diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index ce21ab262..9cbd34b40 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -4,6 +4,9 @@ on: - cron: '42 0 * * *' # Run once per day, to avoid Coverity's submission limits workflow_dispatch: +permissions: + contents: read # to fetch code (actions/checkout) + jobs: scan: runs-on: ubuntu-20.04 diff --git a/src/version.c b/src/version.c index ab4cea34f..8f503f26e 100644 --- a/src/version.c +++ b/src/version.c @@ -700,6 +700,8 @@ static char *(features[]) = static int included_patches[] = { /* Add new patch number below this line */ /**/ + 593, +/**/ 592, /**/ 591, |