From 1538864c122a91a71780e703beb258199862d656 Mon Sep 17 00:00:00 2001
From: Jeff Handley
Date: Wed, 9 Apr 2025 21:07:57 -0700
Subject: [PATCH 1/3] Set permissions on GitHub workflows
---
 .github/workflows/ci.yml | 3 +++
 .github/workflows/code-coverage.yml | 4 ++++
 .github/workflows/markdown-link-check.yml | 11 +++++++----
 .github/workflows/release.yml | 12 ++++++++++++
 4 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f3a799fc0..2557b4735 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: ["main"]

+permissions:
+ contents: read
+
 jobs:
 build:
 strategy:
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
index d678f273b..2874db68b 100644
--- a/.github/workflows/code-coverage.yml
+++ b/.github/workflows/code-coverage.yml
@@ -3,6 +3,10 @@ name: Code Coverage
 on:
 workflow_call:

+permissions:
+ contents: read
+ pull-requests: write
+
 jobs:
 publish-coverage:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
index 3229db07c..37d84a244 100644
--- a/.github/workflows/markdown-link-check.yml
+++ b/.github/workflows/markdown-link-check.yml
@@ -1,10 +1,13 @@
 name: Check Markdown links

 on:
- push:
- branches: [ "main" ]
- pull_request:
- branches: [ "main" ]
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read

 jobs:
 markdown-link-check:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 35d6053f6..b5cc934ac 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -40,6 +40,9 @@ jobs:
 runs-on: ${{ matrix.os }}

+ permissions:
+ contents: read
+
 steps:
 - name: Clone the repo
 uses: actions/checkout@v4
@@ -64,6 +67,9 @@ jobs:
 env:
 version_suffix_args: ${{ github.event_name != 'release' && format('--version-suffix "{0}"', inputs.version_suffix_override || format('ci.{0}', github.run_number)) || '' }}

+ permissions:
+ contents: read
+
 steps:
 - uses: actions/checkout@v4
@@ -89,7 +95,13 @@ jobs:
 publish-package:
 needs: build-package
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ packages: write
+
 steps:
 - uses: actions/checkout@v4
From 4eb811f5dd8959c8ba6aaa0ace23be0440ad5ac4 Mon Sep 17 00:00:00 2001
From: Jeff Handley
Date: Wed, 9 Apr 2025 21:08:25 -0700
Subject: [PATCH 2/3] Only run markdown-link-check when markdown files are included
---
 .github/workflows/markdown-link-check.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
index 37d84a244..065b50cf9 100644
--- a/.github/workflows/markdown-link-check.yml
+++ b/.github/workflows/markdown-link-check.yml
@@ -3,8 +3,10 @@ name: Check Markdown links
 on:
 push:
 branches: [ "main" ]
+ paths: "**.md"
 pull_request:
 branches: [ "main" ]
+ paths: "**.md"

 permissions:
 contents: read
From 5922358cbf8b4f34352aac1a40c50c28aa31b11b Mon Sep 17 00:00:00 2001
From: Jeff Handley
Date: Wed, 9 Apr 2025 21:34:14 -0700
Subject: [PATCH 3/3] Apply default permissions for code-coverage workflow
---
 .github/workflows/ci.yml | 6 +++---
 .github/workflows/code-coverage.yml | 4 ----
 2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2557b4735..74aef2c11 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,11 +6,11 @@ on:
 pull_request:
 branches: ["main"]

-permissions:
- contents: read
-
 jobs:
 build:
+ permissions:
+ contents: read
+
 strategy:
 matrix:
 os: [ubuntu-latest, windows-latest, macos-latest]
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
index 2874db68b..d678f273b 100644
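Review bot: release.yml receives job-level `permissions` blocks in this hunk, in the `@@ -40,6 +40,9 @@` hunk before it and in the `@@ -89,7 +95,13 @@` hunk after it, but no workflow-level `permissions:` key, so any job in the file that this patch does not touch keeps the repository's default GITHUB_TOKEN scope. I would add a top-level `permissions:` with `contents: read` next to `on:` as the floor and keep job-level blocks only where a job needs more, which in this patch is publish-package's `packages: write`. The enclosing jobs begin and end outside these hunks, so whether further jobs exist is not visible here; even if these three are the only jobs, the floor means a job added later does not silently start with write scopes.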
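Review bot: `paths: "**.md"` is written as a bare string under both the `push` and `pull_request` triggers, while the adjacent `branches:` keys use the list form GitHub documents for these filters; `paths: [ "**.md" ]` under each keeps the file consistent and within the documented schema. Separately, once `paths` is set a pull request that touches no Markdown gets no run of this workflow at all, so if "Check Markdown links" is a required status check on `main`, such PRs will wait on a check that never reports; that is worth confirming against the branch protection settings, which are not visible here.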
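Review bot: Removing the workflow-level `permissions` block and re-adding it only under `build` leaves every other job in ci.yml on the repository's default GITHUB_TOKEN scope, which can be permissive depending on repository settings. The commit message suggests this is so the job that calls the `workflow_call` code-coverage workflow (not visible in this hunk) is no longer capped at `contents: read`; a narrower way to get that is to keep the top-level block and give that calling job its own `permissions:` with `contents: read` and `pull-requests: write`, so the elevation is declared in the workflow rather than inherited from repository settings. The `code-coverage.yml` hunk in this patch removes the called workflow's own block, and since a reusable workflow can only use what its caller grants, the grant has to live on the calling job either way.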
--- a/.github/workflows/code-coverage.yml
+++ b/.github/workflows/code-coverage.yml
@@ -3,10 +3,6 @@ name: Code Coverage
 on:
 workflow_call:

-permissions:
- contents: read
- pull-requests: write
-
 jobs:
 publish-coverage:
 runs-on: ubuntu-latest