diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml index 56f53c93f..f39770b9b 100644 --- a/.github/workflows/build-image-test.yaml +++ b/.github/workflows/build-image-test.yaml @@ -2,7 +2,11 @@ name: Build Dockerfile if changed and run smoke tests -on: [pull_request] +on: + pull_request: + +permissions: + contents: read env: IMAGE_TAG: pr-test diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml index d183ef0f4..632d78d10 100644 --- a/.github/workflows/build-image.yaml +++ b/.github/workflows/build-image.yaml @@ -10,8 +10,15 @@ on: schedule: - cron: 00 00 * * * +permissions: + contents: read + jobs: docker: + permissions: + # for docker/build-push-action to publish docker image + packages: write + runs-on: ubuntu-latest steps: - name: Checkout code diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml index 2f3a641e8..7aca07139 100644 --- a/.github/workflows/ci-cd.yml +++ b/.github/workflows/ci-cd.yml @@ -15,6 +15,9 @@ on: pull_request: workflow_call: # a way to embed the main tests +permissions: + contents: read + concurrency: group: >- ${{ diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index b9c032372..b4ba2b43a 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -9,8 +9,17 @@ on: - edited - synchronize +permissions: + contents: read + jobs: main: + permissions: + # for amannn/action-semantic-pull-request to analyze PRs + pull-requests: read + # for amannn/action-semantic-pull-request to mark status of analyzed PR + statuses: write + name: Validate PR title runs-on: ubuntu-latest steps: diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml index 3e92524dd..51fcc4e07 100644 --- a/.github/workflows/pre-commit.yaml +++ b/.github/workflows/pre-commit.yaml 
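Review bot: The job-level `permissions` added to the `docker` job in build-image.yaml (`packages: write` only) replaces the workflow-level block rather than extending it, so GITHUB_TOKEN in that job ends up with `contents: none` while the `Checkout code` step in the same hunk still runs. On a private repository actions/checkout will then fail to clone; on a public one it may still succeed, but the intent is clearer and the job is future-proof if the needed scope is listed explicitly next to the existing entry: `# for actions/checkout to clone the repository` followed by `contents: read`. The same replace-not-merge behaviour applies to the `main` job in pr-title.yml, which is harmless only as long as that job never checks out the repository; its steps lie outside the hunk, so that is worth confirming.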
@@ -2,10 +2,16 @@ name: Common issues check -on: [pull_request] +on: + pull_request: + +permissions: + contents: read jobs: pre-commit: + permissions: + contents: write # for pre-commit/action to push back fixes to PR branch runs-on: ubuntu-latest steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 307dc0615..62f720f95 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,8 +14,20 @@ on: - .pre-commit-hooks.yaml # Ignore paths - '!tests/**' + +permissions: + contents: read + jobs: release: + permissions: + # for cycjimmy/semantic-release-action to create a release + contents: write + # for cycjimmy/semantic-release-action to write comments to issues + issues: write + # for cycjimmy/semantic-release-action to write comments to PRs + pull-requests: write + name: Release runs-on: ubuntu-latest steps: @@ -34,4 +46,7 @@ jobs: @semantic-release/changelog@6.0.0 @semantic-release/git@10.0.0 env: + # Custom token for triggering Docker image build GH Workflow on release + # created by cycjimmy/semantic-release-action. Events created by + # workflows with default GITHUB_TOKEN not trigger other GH Workflow. GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }} diff --git a/.github/workflows/reusable-tox.yml b/.github/workflows/reusable-tox.yml index 90a021ce3..e95ba798a 100644 --- a/.github/workflows/reusable-tox.yml +++ b/.github/workflows/reusable-tox.yml @@ -83,6 +83,9 @@ on: description: Mandatory token for uploading to Codecov required: true +permissions: + contents: read + env: COLOR: >- # Supposedly, pytest or coveragepy use this yes diff --git a/.github/workflows/scheduled-runs.yml b/.github/workflows/scheduled-runs.yml index 9d8403cf2..88d3a6171 100644 --- a/.github/workflows/scheduled-runs.yml +++ b/.github/workflows/scheduled-runs.yml 
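Review bot: The job-level `contents: write` granted to the `pre-commit` job is broader than a PR-triggered lint job should carry: the hooks it runs are selected by the PR's own pre-commit configuration, and because actions/checkout persists the token by default, every hook runs with a token that can push to the repository. GitHub does not grant write to PRs from forks, so this only affects same-repository branches, but it is still only justified if the pinned pre-commit/action version really pushes fixes back; recent major versions of that action removed the push-back feature, so please check the version pinned in the step below (outside the hunk) and, if it is not used, reduce this to `contents: read` and drop the comment. If push-back is genuinely required, set `persist-credentials: false` on the checkout step and confine the write-capable token to the single step that pushes rather than the whole job.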
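Review bot: The `release` job now grants `contents`, `issues` and `pull-requests: write` to the default GITHUB_TOKEN, but the second hunk in release.yml shows cycjimmy/semantic-release-action being fed `secrets.SEMANTIC_RELEASE_TOKEN` as its `GITHUB_TOKEN` env precisely so that the release is made with a separate token that can trigger downstream workflows. Unless another step in the job (the steps are outside the hunk) writes with the default token, these three job-level grants are unused and can be reduced to `contents: read` for checkout; the effective privilege of the release is then bounded by that PAT's scopes, which should be kept as narrow as the release needs. The three comments attributing each scope to semantic-release-action would then be inaccurate and should instead name the step, if any, that actually relies on the default token.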
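Review bot: The new comment above `GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }}` has a grammar slip ("not trigger") and buries the reason; suggest `# Dedicated token instead of the default GITHUB_TOKEN: a release created with the default token does not trigger other workflows (here, the Docker image build on release).` It would also help readers to add that the job-level `permissions` above do not govern this token, whose scopes are fixed where the PAT was created.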
@@ -10,6 +10,9 @@ on: - cron: 3 5 * * * # run daily at 5:03 UTC workflow_dispatch: # manual trigger +permissions: + contents: read + run-name: >- 🌃 Nightly run of diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml index eefcd8b16..e3f925abd 100644 --- a/.github/workflows/stale-actions.yaml +++ b/.github/workflows/stale-actions.yaml @@ -5,8 +5,14 @@ on: schedule: - cron: 0 0 * * * +permissions: + contents: read + jobs: stale: + permissions: + issues: write # for actions/stale to close stale issues + pull-requests: write # for actions/stale to close stale PRs runs-on: ubuntu-latest steps: - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
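Review bot: The per-scope annotations in the `stale` job (and in pre-commit.yaml) are written as trailing inline comments, `issues: write # for actions/stale to close stale issues`, while the same kind of annotation in build-image.yaml, pr-title.yml and release.yml is a full comment line above the key; the commit would read more consistently with one convention across all workflows, and the above-line form also sidesteps yamllint's requirement of at least two spaces before an inline `#`, which cannot be verified in this rendering. Dropping `contents` for the `stale` job itself looks right, since the only step visible is actions/stale, which works through the API and needs no checkout.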