diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c88f0797f2..8c2aba343a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,8 @@ on:
 - stable
 - v*
+permissions: read-all
+
 concurrency:
 group: test-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/configure.yml b/.github/workflows/configure.yml
index b469a69d11..4ae22281c6 100644
--- a/.github/workflows/configure.yml
+++ b/.github/workflows/configure.yml
@@ -9,6 +9,9 @@ on:
 - stable
 - v*
+permissions:
+ contents: read
+
 env:
 # For cmake:
 VERBOSE: 1
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 46489feb31..b8242ee52c 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -12,6 +12,9 @@ on:
 - stable
 - "v*"
+permissions:
+ contents: read
+
 env:
 FORCE_COLOR: 3
 # For cmake:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 165a2fd87b..858a4a0e26 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,10 +3,15 @@ on:
 pull_request_target:
 types: [closed]
+permissions: {}
+
 jobs:
 label:
 name: Labeler
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - uses: actions/labeler@main
diff --git a/.github/workflows/pip.yml b/.github/workflows/pip.yml
index 6d9be3b1d4..c1feb6fe10 100644
--- a/.github/workflows/pip.yml
+++ b/.github/workflows/pip.yml
@@ -12,6 +12,9 @@ on:
 types:
 - published
+permissions:
+ contents: read
+
 env:
 PIP_ONLY_BINARY: numpy
diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml
index be643ddfdb..4acfbfce75 100644
--- a/.github/workflows/upstream.yml
+++ b/.github/workflows/upstream.yml
@@ -5,6 +5,9 @@ on:
 workflow_dispatch:
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: upstream-${{ github.ref }}
 cancel-in-progress: true
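Review bot: In .github/workflows/ci.yml the added top-level `permissions: read-all` gives the workflow token read access to every scope, which is wider than the `contents: read` this commit sets in configure.yml, format.yml, pip.yml and upstream.yml. The jobs are outside the hunk, so it is not visible whether any of them needs another read scope; if none does, `permissions:` followed by `contents: read` would match the other files and keep the token at the minimum. If the wider grant is intentional, a comment above it such as `# read-all: <job name> needs <scope>` would record the reason for the next maintainer.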
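Review bot: In .github/workflows/labeler.yml the job that now holds `pull-requests: write` under `pull_request_target` still runs `actions/labeler@main`, a mutable branch reference, so whatever that branch points to at run time executes with the write token. Pinning the step to a full commit SHA, `- uses: actions/labeler@<full-commit-sha>  # <release tag>`, would fix which code receives the token and lets a dependency-update bot propose bumps for review. A short comment above the job-level block, for example `# labeler reads its config (contents) and applies labels (pull-requests)`, would explain why these two scopes are granted. The `steps:` list continues outside the hunk.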