Merge pull request #20468 from sashashura/patch-1

GitHub Workflows security hardening
2025-02-13 14:13:18 +08:00 · 2022-09-26 09:48:32 +09:00 · 2022-09-26 09:48:32 +09:00 · 1eaaf80b99
commit 1eaaf80b99
parent f6b635a8fe 68f62ca9cd
3 changed files with 10 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -4,6 +4,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
  inspect-code:
    name: Code Quality
--- a/.github/workflows/report-nunit.yml
+++ b/.github/workflows/report-nunit.yml
@ -8,8 +8,12 @@ on:
    workflows: ["Continuous Integration"]
    types:
      - completed
+permissions: {}
 jobs:
  annotate:
+    permissions:
+      checks: write # to create checks (dorny/test-reporter)
+
    name: Annotate CI run with test results
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion != 'cancelled' }}
--- a/.github/workflows/sentry-release.yml
+++ b/.github/workflows/sentry-release.yml
@ -5,6 +5,9 @@ on:
    tags:
      - '*'

+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
  sentry_release:
    runs-on: ubuntu-latest