From 9bddb95c4cb2f196b1c759d70448689e4bd5c209 Mon Sep 17 00:00:00 2001
From: Sysix
Date: Mon, 20 Jan 2025 19:49:42 +0100
Subject: [PATCH] ci: fix overly broad permissions

---
 .github/workflows/build.yml | 2 ++
 .github/workflows/bump_oxlint.yml | 4 ++++
 .github/workflows/ci_security.yml | 2 ++
 .github/workflows/format.yml | 2 ++
 .github/workflows/generate.yml | 2 ++
 .github/workflows/lint.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 .github/workflows/test.yml | 2 ++
 .github/workflows/type-check.yml | 2 ++
 9 files changed, 20 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index c831dc3..ff4f0e9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,8 @@ on:
 - main
 - 'renovate/**'
 
+permissions: {}
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/bump_oxlint.yml b/.github/workflows/bump_oxlint.yml
index 3970012..b5b8b68 100644
--- a/.github/workflows/bump_oxlint.yml
+++ b/.github/workflows/bump_oxlint.yml
@@ -10,9 +10,13 @@ on:
 env:
 OXLINT_PACKAGE_NAME: oxlint
 
+permissions: {}
+
 jobs:
 bump:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 with:
diff --git a/.github/workflows/ci_security.yml b/.github/workflows/ci_security.yml
index ab54240..08ceae2 100644
--- a/.github/workflows/ci_security.yml
+++ b/.github/workflows/ci_security.yml
@@ -13,6 +13,8 @@ on:
 paths:
 - '.github/workflows/**'
 
+permissions: {}
+
 jobs:
 zizmor:
 name: zizmor
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index e4f40e2..c16ce9a 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -8,6 +8,8 @@ on:
 - main
 - 'renovate/**'
 
+permissions: {}
+
 jobs:
 format:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/generate.yml b/.github/workflows/generate.yml
index d03024f..e1ecda1 100644
--- a/.github/workflows/generate.yml
+++ b/.github/workflows/generate.yml
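Review bot: The job-level `permissions:` added under `bump` grants only `pull-requests: write`, and a job-level block replaces rather than extends the workflow-level one, so GITHUB_TOKEN has no `contents` scope in this job. If the bump step pushes a branch before opening the pull request (the usual flow for a version-bump job), it will also need `contents: write`; if it instead authenticates with a PAT or app token from secrets, the `pull-requests: write` grant on GITHUB_TOKEN is probably unnecessary and can be dropped. The checkout step's `with:` block and the rest of the `bump` job run past the end of the hunk, so which of the two applies cannot be confirmed from here; whichever it is, a one-line comment above `permissions:` stating what the scope is for (e.g. `# GITHUB_TOKEN opens the bump PR; branch push uses the same token`) would keep the next reviewer from widening it.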
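Review bot: With `permissions: {}` at the workflow level the `zizmor` job's GITHUB_TOKEN has no scopes at all, and the hunk adds no job-level grant; the job's steps run outside the hunk, but if they upload results with `github/codeql-action/upload-sarif` that step needs a job-level `security-events: write`, and on a private repository `actions/checkout` needs `contents: read`. Either declare these on the job (`permissions:` / `contents: read` / `security-events: write`) or confirm the job only prints findings to the log, in which case the empty workflow-level block is correct as written.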
@@ -17,6 +17,8 @@ on:
 - 'scripts/**'
 - '.github/workflows/generate.yml'
 
+permissions: {}
+
 jobs:
 generate:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 6590c8a..8f75faf 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -8,6 +8,8 @@ on:
 - main
 - 'renovate/**'
 
+permissions: {}
+
 jobs:
 lint:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f0fc19d..8b7e54a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,8 @@ on:
 push:
 branches: [main]
 
+permissions: {}
+
 jobs:
 release:
 if: startsWith(github.event.head_commit.message, 'release')
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f5ec7e8..fa21c05 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -8,6 +8,8 @@ on:
 - main
 - 'renovate/**'
 
+permissions: {}
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/type-check.yml b/.github/workflows/type-check.yml
index 622d309..c3ea4e6 100644
--- a/.github/workflows/type-check.yml
+++ b/.github/workflows/type-check.yml
@@ -8,6 +8,8 @@ on:
 - main
 - 'renovate/**'
 
+permissions: {}
+
 jobs:
 type-check:
 runs-on: ubuntu-latest
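Review bot: `permissions: {}` at the workflow level leaves the `release` job's GITHUB_TOKEN with no scopes, and the release.yml hunk adds no job-level grant to compensate. The job's steps run outside the hunk, so this cannot be confirmed here, but if they create a GitHub release, push a tag, or publish with provenance they need `contents: write` and/or `id-token: write` declared under `release:` (`permissions:` / `contents: write` / `id-token: write`), otherwise the first `release`-prefixed push to main after this commit fails. If the job publishes only with a long-lived registry token from secrets and never writes to the repository, the empty block is the right choice and deserves a comment such as `# release publishes with a stored registry token; GITHUB_TOKEN intentionally has no scopes` so the restriction is not reverted later.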