Merge pull request #1322 from json-api-dotnet/github-actions-permissions

GitHub Actions: reduce permissions
json-api-dotnet · Sep 17, 2023 · 0ce680c · 0ce680c
2 parents 9bdcf33 + f55da1f
commit 0ce680c
Showing 1 changed file with 87 additions and 81 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -35,6 +35,8 @@ jobs:
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
     steps:
     - name: Setup PostgreSQL
       uses: ikalnytskyi/action-setup-postgres@v4
@@ -146,93 +148,97 @@ jobs:
         path: docs/_site
 
   inspect-code:
-     timeout-minutes: 60
-     strategy:
-       fail-fast: false
-       matrix:
-         os: [ubuntu-latest, windows-latest, macos-latest]
-     runs-on: ${{ matrix.os }}
-     steps:
-     - name: Git checkout
-       uses: actions/checkout@v3
-     - name: Setup .NET
-       uses: actions/setup-dotnet@v3
-       with:
-         dotnet-version: 6.0.x
-     - name: Restore tools
-       run: |
-         dotnet tool restore
-     - name: InspectCode
-       shell: pwsh
-       run: |
-         $inspectCodeOutputPath = Join-Path $env:RUNNER_TEMP 'jetbrains-inspectcode-results.xml'
-         Write-Output "INSPECT_CODE_OUTPUT_PATH=$inspectCodeOutputPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
-         dotnet jb inspectcode JsonApiDotNetCore.sln --build --output="$inspectCodeOutputPath" --profile=WarningSeverities.DotSettings --properties:Configuration=Release --properties:ContinuousIntegrationBuild=false --severity=WARNING --verbosity=WARN -dsl=GlobalAll -dsl=GlobalPerProduct -dsl=SolutionPersonal -dsl=ProjectPersonal
-     - name: Verify outcome
-       shell: pwsh
-       run: |
-         [xml]$xml = Get-Content $env:INSPECT_CODE_OUTPUT_PATH
-         if ($xml.report.Issues -and $xml.report.Issues.Project) {
-             foreach ($project in $xml.report.Issues.Project) {
-                 if ($project.Issue.Count -gt 0) {
-                     $project.ForEach({
-                         Write-Output "`nProject $($project.Name)"
-                         $failed = $true
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+    steps:
+    - name: Git checkout
+      uses: actions/checkout@v3
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v3
+      with:
+        dotnet-version: 6.0.x
+    - name: Restore tools
+      run: |
+        dotnet tool restore
+    - name: InspectCode
+      shell: pwsh
+      run: |
+        $inspectCodeOutputPath = Join-Path $env:RUNNER_TEMP 'jetbrains-inspectcode-results.xml'
+        Write-Output "INSPECT_CODE_OUTPUT_PATH=$inspectCodeOutputPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
+        dotnet jb inspectcode JsonApiDotNetCore.sln --build --output="$inspectCodeOutputPath" --profile=WarningSeverities.DotSettings --properties:Configuration=Release --properties:ContinuousIntegrationBuild=false --severity=WARNING --verbosity=WARN -dsl=GlobalAll -dsl=GlobalPerProduct -dsl=SolutionPersonal -dsl=ProjectPersonal
+    - name: Verify outcome
+      shell: pwsh
+      run: |
+        [xml]$xml = Get-Content $env:INSPECT_CODE_OUTPUT_PATH
+        if ($xml.report.Issues -and $xml.report.Issues.Project) {
+            foreach ($project in $xml.report.Issues.Project) {
+                if ($project.Issue.Count -gt 0) {
+                    $project.ForEach({
+                        Write-Output "`nProject $($project.Name)"
+                        $failed = $true
 
-                         $_.Issue.ForEach({
-                             $issueType = $xml.report.IssueTypes.SelectSingleNode("IssueType[@Id='$($_.TypeId)']")
-                             $severity = $_.Severity ?? $issueType.Severity
+                        $_.Issue.ForEach({
+                            $issueType = $xml.report.IssueTypes.SelectSingleNode("IssueType[@Id='$($_.TypeId)']")
+                            $severity = $_.Severity ?? $issueType.Severity
 
-                             Write-Output "[$severity] $($_.File):$($_.Line) $($_.TypeId): $($_.Message)"
-                         })
-                     })
-                 }
-             }
+                            Write-Output "[$severity] $($_.File):$($_.Line) $($_.TypeId): $($_.Message)"
+                        })
+                    })
+                }
+            }
 
-             if ($failed) {
-                 Write-Error "One or more projects failed code inspection."
-             }
-         }
+            if ($failed) {
+                Write-Error "One or more projects failed code inspection."
+            }
+        }
 
   cleanup-code:
-     timeout-minutes: 60
-     strategy:
-       fail-fast: false
-       matrix:
-         os: [ubuntu-latest, windows-latest, macos-latest]
-     runs-on: ${{ matrix.os }}
-     steps:
-     - name: Git checkout
-       uses: actions/checkout@v3
-       with:
-         fetch-depth: 2
-     - name: Setup .NET
-       uses: actions/setup-dotnet@v3
-       with:
-         dotnet-version: 6.0.x
-     - name: Restore tools
-       run: |
-         dotnet tool restore
-     - name: Restore packages
-       run: |
-         dotnet restore
-     - name: CleanupCode (on PR diff)
-       if: github.event_name == 'pull_request'
-       shell: pwsh
-       run: |
-         # Not using the environment variables for SHAs, because they may be outdated. This may happen on force-push after the build is queued, but before it starts.
-         # The below works because HEAD is detached (at the merge commit), so HEAD~1 is at the base branch. When a PR contains no commits, this job will not run.
-         $headCommitHash = git rev-parse HEAD
-         $baseCommitHash = git rev-parse HEAD~1
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, windows-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+    steps:
+    - name: Git checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 2
+    - name: Setup .NET
+      uses: actions/setup-dotnet@v3
+      with:
+        dotnet-version: 6.0.x
+    - name: Restore tools
+      run: |
+        dotnet tool restore
+    - name: Restore packages
+      run: |
+        dotnet restore
+    - name: CleanupCode (on PR diff)
+      if: github.event_name == 'pull_request'
+      shell: pwsh
+      run: |
+        # Not using the environment variables for SHAs, because they may be outdated. This may happen on force-push after the build is queued, but before it starts.
+        # The below works because HEAD is detached (at the merge commit), so HEAD~1 is at the base branch. When a PR contains no commits, this job will not run.
+        $headCommitHash = git rev-parse HEAD
+        $baseCommitHash = git rev-parse HEAD~1
 
-         Write-Output "Running code cleanup on commit range $baseCommitHash..$headCommitHash in pull request."
-         dotnet regitlint -s JsonApiDotNetCore.sln --print-command --skip-tool-check --max-runs=5 --jb-profile="JADNC Full Cleanup" --jb --properties:Configuration=Release --jb --verbosity=WARN -f commits -a $headCommitHash -b $baseCommitHash --fail-on-diff --print-diff
-     - name: CleanupCode (on branch)
-       if: github.event_name == 'push'
-       shell: pwsh
-       run: |
-         Write-Output "Running code cleanup on all files."
-         dotnet regitlint -s JsonApiDotNetCore.sln --print-command --skip-tool-check --jb-profile="JADNC Full Cleanup" --jb --properties:Configuration=Release --jb --verbosity=WARN --fail-on-diff --print-diff
+        Write-Output "Running code cleanup on commit range $baseCommitHash..$headCommitHash in pull request."
+        dotnet regitlint -s JsonApiDotNetCore.sln --print-command --skip-tool-check --max-runs=5 --jb-profile="JADNC Full Cleanup" --jb --properties:Configuration=Release --jb --verbosity=WARN -f commits -a $headCommitHash -b $baseCommitHash --fail-on-diff --print-diff
+    - name: CleanupCode (on branch)
+      if: github.event_name == 'push'
+      shell: pwsh
+      run: |
+        Write-Output "Running code cleanup on all files."
+        dotnet regitlint -s JsonApiDotNetCore.sln --print-command --skip-tool-check --jb-profile="JADNC Full Cleanup" --jb --properties:Configuration=Release --jb --verbosity=WARN --fail-on-diff --print-diff
 
   publish:
     timeout-minutes: 60