ci: reduce workflow permissions to minimum
Fdawgs committed Apr 7, 2022
1 parent 1eff2a4 commit 74dd1c6
Showing 5 changed files with 14 additions and 2 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/automerge.yml
Expand Up @@ -8,6 +8,10 @@ on:
workflows: ["CI"]
types: [completed]

permissions:
contents: read
pull-requests: write

jobs:
on-success:
if: >
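Review bot: `contents: read` may be too narrow here if the `on-success` job merges the pull request with the default `GITHUB_TOKEN`, because merging through the API generally needs write access to repository contents in addition to `pull-requests: write`. The job's steps and the rest of its `if:` condition are outside the hunk, so this cannot be confirmed from the page. If the merge is done with a separate token, the block is fine, and a comment above it would record that, e.g. `# merge uses <separate token>; GITHUB_TOKEN only needs pull-requests: write`. Since a `workflow_run` workflow executes in the base repository's context regardless of where the triggering CI run came from, the `if:` guard is what keeps the write-scoped token away from untrusted runs and deserves a comment of its own.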
4 changes: 4 additions & 0 deletions .github/workflows/cd.yml
Expand Up @@ -10,6 +10,10 @@ on:
# Allows this workflow to be run manually from the Actions tab
workflow_dispatch:

permissions:
contents: write
pull-requests: write

jobs:
release:
name: Create/Update Release Pull Request
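Review bot: Declaring `contents: write` and `pull-requests: write` at workflow level grants both scopes to every job in this file, not only to `release`. The `jobs:` list continues outside the hunk, so any later job (a publish job, for instance) would inherit write access it may not need. Consider keeping the top-level block at `contents: read` and moving the two write scopes into a job-level `permissions:` block under `release:`, so that a compromised action in another job cannot push to the repository or edit pull requests.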
3 changes: 3 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -18,6 +18,9 @@ on:
- "*.md"
types: [opened, ready_for_review, reopened, synchronize]

permissions:
contents: read

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
2 changes: 0 additions & 2 deletions .github/workflows/codeql.yml
Expand Up @@ -19,8 +19,6 @@ on:
types: [opened, ready_for_review, reopened, synchronize]

permissions:
actions: read
contents: read
security-events: write

# This allows a subsequently queued workflow run to interrupt previous runs
3 changes: 3 additions & 0 deletions .github/workflows/link-check.yml
Expand Up @@ -29,6 +29,9 @@ on:
# Allows this workflow to be run manually from the Actions tab
workflow_dispatch:

permissions:
contents: read

jobs:
link-check:
name: Link Check
