From 6485c762044ee5e70b3dc46f4ab870546c8848eb Mon Sep 17 00:00:00 2001
From: Anton-4 <17049058+Anton-4@users.noreply.github.com>
Date: Fri, 21 Mar 2025 11:46:06 +0100
Subject: [PATCH 1/3] set permissions

---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/ci_nix.yml | 3 +++
 .github/workflows/deploy-docs.yml | 7 +++++++
 .github/workflows/test_latest_release.yml | 4 ++++
 4 files changed, 18 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3c697828..51561d03 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Do not add permissions here! Configure them at the job level!
+permissions:
+  contents: read
+
 jobs:
   build-and-test-native:
     runs-on: ${{ matrix.operating-system }}
diff --git a/.github/workflows/ci_nix.yml b/.github/workflows/ci_nix.yml
index 41386752..f5fed6b0 100644
--- a/.github/workflows/ci_nix.yml
+++ b/.github/workflows/ci_nix.yml
@@ -7,6 +7,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Do not add permissions here! Configure them at the job level!
+permissions: {}
+
 jobs:
   build-and-test-nix:
     strategy:
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index fe38caad..42d67564 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -17,12 +17,19 @@ concurrency:
   group: "pages"
   cancel-in-progress: true
 
+# Do not add permissions here! Configure them at the job level!
+permissions:
+  contents: read
+
 jobs:
   deploy:
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-24.04
+    permissions:
+      pages: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
diff --git a/.github/workflows/test_latest_release.yml b/.github/workflows/test_latest_release.yml
index 64b1c4cb..2251bffb 100644
--- a/.github/workflows/test_latest_release.yml
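Review bot: With `permissions: {}` at the workflow level the GITHUB_TOKEN carries no scopes, and the hunk shows no job-level grant for `build-and-test-nix`, so any step in that job that uses actions/checkout or the GitHub API runs with a token whose `contents` scope is none. On a public repository a plain checkout may still succeed without the scope, but the job then depends on repository visibility rather than on a declared permission; add `permissions:` / `  contents: read` under each job that checks the repository out, which is what the comment above the block asks for. The job body runs past the end of the hunk. The same applies to the ci.yml and test_latest_release.yml hunks of the third patch, which also reduce the workflow-level block to `permissions: {}` without a visible job-level grant.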
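Review bot: The job-level `permissions:` block added to `deploy` replaces the workflow-level block rather than merging with it, so the `contents: read` granted at the top of the file does not reach this job and its token ends up with no `contents` scope while the `Checkout` step visible in the hunk still runs. Add `contents: read` beside `pages: write` and `id-token: write` so the grant the checkout relies on is explicit and does not depend on the repository being public. The `deploy` job continues past the end of the hunk.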
+++ b/.github/workflows/test_latest_release.yml
@@ -6,6 +6,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Do not add permissions here! Configure them at the job level!
+permissions:
+  contents: read
+
 jobs:
   test-latest-release:
     runs-on: [ubuntu-22.04]

From 993e2980aa03028565b52cadfadc5d0da91a72e8 Mon Sep 17 00:00:00 2001
From: Anton-4 <17049058+Anton-4@users.noreply.github.com>
Date: Fri, 21 Mar 2025 11:47:07 +0100
Subject: [PATCH 2/3] forgot some old permissions

---
 .github/workflows/deploy-docs.yml | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
index 42d67564..f1a52539 100644
--- a/.github/workflows/deploy-docs.yml
+++ b/.github/workflows/deploy-docs.yml
@@ -7,11 +7,6 @@ on:
 
   workflow_dispatch:
 
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 # this cancels workflows currently in progress if you start a new one
 concurrency:
   group: "pages"

From 44fec27d64d68f94eefbcce03d21b94f8e30845f Mon Sep 17 00:00:00 2001
From: Anton-4 <17049058+Anton-4@users.noreply.github.com>
Date: Fri, 21 Mar 2025 11:54:48 +0100
Subject: [PATCH 3/3] further restrict permissions

---
 .github/workflows/ci.yml | 3 +--
 .github/workflows/test_latest_release.yml | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 51561d03..df63c876 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,8 +8,7 @@ concurrency:
   cancel-in-progress: true
 
 # Do not add permissions here! Configure them at the job level!
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   build-and-test-native:
diff --git a/.github/workflows/test_latest_release.yml b/.github/workflows/test_latest_release.yml
index 2251bffb..adddebbe 100644
--- a/.github/workflows/test_latest_release.yml
+++ b/.github/workflows/test_latest_release.yml
@@ -7,8 +7,7 @@ concurrency:
   cancel-in-progress: true
 
 # Do not add permissions here! Configure them at the job level!
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   test-latest-release: