authorHiroshi SHIBATA <hsbt@ruby-lang.org>2022-11-28 16:50:41 +0900
committerHiroshi SHIBATA <hsbt@ruby-lang.org>2022-11-28 18:28:31 +0900
commit8bac8772df7d202ce290a8e056a680fd5b8c9d23 (patch)
tree1deca2e3ea6c5e78f2c0882c7de05b911d2588bf /.github
parent906a2f067dfc806b7412c7cd79bb7462fc8c7827 (diff)
Added permission restrictions for GitHub actions
Notes
Notes: Merged: https://github.com/ruby/ruby/pull/6821
Diffstat (limited to '.github')
-rw-r--r--.github/workflows/auto_request_review.yml4
-rw-r--r--.github/workflows/baseruby.yml3
-rw-r--r--.github/workflows/check_dependencies.yml3
-rw-r--r--.github/workflows/check_misc.yml5
-rw-r--r--.github/workflows/cirrus-notify.yml4
-rw-r--r--.github/workflows/compilers.yml3
-rw-r--r--.github/workflows/macos.yml3
-rw-r--r--.github/workflows/mingw.yml3
-rw-r--r--.github/workflows/mjit-bindgen.yml3
-rw-r--r--.github/workflows/mjit.yml3
-rw-r--r--.github/workflows/spec_guards.yml3
-rw-r--r--.github/workflows/ubuntu.yml3
-rw-r--r--.github/workflows/windows.yml3
-rw-r--r--.github/workflows/yjit-ubuntu.yml3
14 files changed, 46 insertions, 0 deletions
diff --git a/.github/workflows/auto_request_review.yml b/.github/workflows/auto_request_review.yml
index e0f4b587f0..6d8edd5c22 100644
--- a/.github/workflows/auto_request_review.yml
+++ b/.github/workflows/auto_request_review.yml
@@ -2,6 +2,10 @@ name: Auto Request Review
on:
pull_request_target:
types: [opened, ready_for_review, reopened]
+
+permissions:
+ contents: read
+
jobs:
auto-request-review:
name: Auto Request Review
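Review bot: A workflow-level `permissions:` block sets every unlisted scope to `none`, so on this `pull_request_target` workflow the `GITHUB_TOKEN` can no longer write to pull requests. The job's steps are outside the hunk; if the review-request step authenticates with `GITHUB_TOKEN` rather than a separate secret, it will need `pull-requests: write` under `jobs.auto-request-review.permissions`. The workflow-level `contents: read` default is the right baseline for this trigger, because `pull_request_target` runs with the base repository's token and secrets.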
diff --git a/.github/workflows/baseruby.yml b/.github/workflows/baseruby.yml
index 590670e488..5774a2d302 100644
--- a/.github/workflows/baseruby.yml
+++ b/.github/workflows/baseruby.yml
@@ -22,6 +22,9 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
jobs:
baseruby:
name: BASERUBY
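Review bot: The added `permissions:` block has no comment, and its effect is wider than it reads: listing only `contents: read` also drops every other token scope to `none`. A one-line comment above it, such as `# Least privilege: scopes not listed here are none; grant extras per job`, would tell the next maintainer where to look when a newly added step that comments on a PR or writes a check gets a 403. The same applies to the identical blocks added in check_dependencies.yml, compilers.yml, macos.yml, mingw.yml, mjit-bindgen.yml, mjit.yml, spec_guards.yml, ubuntu.yml, windows.yml and yjit-ubuntu.yml.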
diff --git a/.github/workflows/check_dependencies.yml b/.github/workflows/check_dependencies.yml
index 797b1a04a3..cf9b5e8b60 100644
--- a/.github/workflows/check_dependencies.yml
+++ b/.github/workflows/check_dependencies.yml
@@ -21,6 +21,9 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
jobs:
update-deps:
strategy:
diff --git a/.github/workflows/check_misc.yml b/.github/workflows/check_misc.yml
index 1b4cdf8012..da59ceda9a 100644
--- a/.github/workflows/check_misc.yml
+++ b/.github/workflows/check_misc.yml
@@ -5,8 +5,13 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
jobs:
checks:
+ permissions:
+ contents: write # for Git to git push
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
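Review bot: The job-level `contents: write` on `checks` is granted to every step of the job and on every event that triggers the workflow, not only to the step that pushes. The triggers and the remaining steps are outside the hunk, but if only one step runs `git push` and only on pushes to the default branch, moving that step into its own job guarded by `if: github.event_name == 'push'` would keep the lint steps on the read-only default. The inline comment could also say what needs the scope, for example `contents: write # needed by the step that runs git push`.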
diff --git a/.github/workflows/cirrus-notify.yml b/.github/workflows/cirrus-notify.yml
index 45aefa78cd..c78f21d258 100644
--- a/.github/workflows/cirrus-notify.yml
+++ b/.github/workflows/cirrus-notify.yml
@@ -2,6 +2,10 @@ on:
check_suite:
type: ['completed']
name: Cirrus CI failure notification
+
+permissions:
+ contents: read
+
jobs:
cirrus-notify:
name: After Cirrus CI Failure
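Review bot: `contents: read` may still be more than this workflow needs. The job's steps are outside the hunk, but a notification job triggered by `check_suite` often neither checks out the repository nor calls the API with `GITHUB_TOKEN`; if that is the case here, `permissions: {}` would drop the token to no scopes at all. If a step does read repository contents, a short comment naming that step would record why `contents: read` is kept.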
diff --git a/.github/workflows/compilers.yml b/.github/workflows/compilers.yml
index af56ebb6f1..b6db2138fd 100644
--- a/.github/workflows/compilers.yml
+++ b/.github/workflows/compilers.yml
@@ -60,6 +60,9 @@ env:
--color=always
--tty=no
+permissions:
+ contents: read
+
jobs:
compile:
strategy:
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index f8809f7cc9..92ea46388e 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -21,6 +21,9 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
jobs:
make:
strategy:
diff --git a/.github/workflows/mingw.yml b/.github/workflows/mingw.yml
index e1af98c250..485147b4d0 100644
--- a/.github/workflows/mingw.yml
+++ b/.github/workflows/mingw.yml
@@ -21,6 +21,9 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
# Notes:
# Actions console encoding causes issues, see test-all & test-spec steps
#
diff --git a/.github/workflows/mjit-bindgen.yml b/.github/workflows/mjit-bindgen.yml
index fa8af3de6f..7ffc979d55 100644
--- a/.github/workflows/mjit-bindgen.yml
+++ b/.github/workflows/mjit-bindgen.yml
@@ -21,6 +21,9 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
jobs:
make:
strategy:
diff --git a/.github/workflows/mjit.yml b/.github/workflows/mjit.yml
index 7b5b581b71..f2fd9ad076 100644
--- a/.github/workflows/mjit.yml
+++ b/.github/workflows/mjit.yml
@@ -21,6 +21,9 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
jobs:
make:
strategy:
diff --git a/.github/workflows/spec_guards.yml b/.github/workflows/spec_guards.yml
index 41c7d5badf..a2f541ff3d 100644
--- a/.github/workflows/spec_guards.yml
+++ b/.github/workflows/spec_guards.yml
@@ -14,6 +14,9 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
jobs:
rubyspec:
name: Rubyspec
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
index 0e3580bebf..f5b259c84a 100644
--- a/.github/workflows/ubuntu.yml
+++ b/.github/workflows/ubuntu.yml
@@ -21,6 +21,9 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
jobs:
make:
strategy:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 0eb6fc0212..674f627ef9 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -21,6 +21,9 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
jobs:
make:
strategy:
diff --git a/.github/workflows/yjit-ubuntu.yml b/.github/workflows/yjit-ubuntu.yml
index eeb2b65630..6b18872c93 100644
--- a/.github/workflows/yjit-ubuntu.yml
+++ b/.github/workflows/yjit-ubuntu.yml
@@ -21,6 +21,9 @@ concurrency:
group: ${{ github.workflow }} / ${{ startsWith(github.event_name, 'pull') && github.ref_name || github.sha }}
cancel-in-progress: ${{ startsWith(github.event_name, 'pull') }}
+permissions:
+ contents: read
+
jobs:
cargo:
name: Rust cargo test