From d28102ad75e0cbd613d51bdc3d5fd338309a6afb Mon Sep 17 00:00:00 2001
From: Varun Sharma
Date: Mon, 4 Jul 2022 13:48:23 -0700
Subject: [PATCH] ci: Add GitHub token permissions for workflows

Signed-off-by: Varun Sharma
---
 .github/workflows/autobump.yml | 3 +++
 .github/workflows/autopublish.yml | 3 +++
 .github/workflows/dispatch-build-bottle.yml | 3 +++
 .github/workflows/publish-commit-bottles.yml | 3 +++
 .github/workflows/recreate-linux-runners.yml | 3 +++
 .github/workflows/remove-disabled-formulae.yml | 3 +++
 .github/workflows/tests.yml | 5 +++++
 .github/workflows/triage.yml | 3 +++
 8 files changed, 26 insertions(+)

diff --git a/.github/workflows/autobump.yml b/.github/workflows/autobump.yml
index 9fba003aa69..760774184b8 100644
--- a/.github/workflows/autobump.yml
+++ b/.github/workflows/autobump.yml
@@ -840,6 +840,9 @@ env:
 zstd
 zydis
+permissions:
+ contents: read
+
 
 jobs:
 autobump:
 if: github.repository == 'Homebrew/homebrew-core'
diff --git a/.github/workflows/autopublish.yml b/.github/workflows/autopublish.yml
index e800d051c3c..3aae24aceb0 100644
--- a/.github/workflows/autopublish.yml
+++ b/.github/workflows/autopublish.yml
@@ -13,6 +13,9 @@ concurrency:
 env:
 HOMEBREW_FORCE_HOMEBREW_ON_LINUX: 1
+permissions:
+ contents: read
+
 
 jobs:
 autopublish:
 if: github.repository == 'Homebrew/homebrew-core'
diff --git a/.github/workflows/dispatch-build-bottle.yml b/.github/workflows/dispatch-build-bottle.yml
index 5c7d5a60d35..cb6e93b757a 100644
--- a/.github/workflows/dispatch-build-bottle.yml
+++ b/.github/workflows/dispatch-build-bottle.yml
@@ -26,6 +26,9 @@ env:
 HOMEBREW_NO_AUTO_UPDATE: 1
 HOMEBREW_CHANGE_ARCH_TO_ARM: 1
+permissions:
+ contents: read
+
 
 jobs:
 prepare:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-commit-bottles.yml b/.github/workflows/publish-commit-bottles.yml
index 87cc33275b8..1e583778e18 100644
--- a/.github/workflows/publish-commit-bottles.yml
+++ b/.github/workflows/publish-commit-bottles.yml
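Review bot: The new workflow-level `permissions: contents: read` in autobump.yml makes GITHUB_TOKEN read-only for every job of the workflow that does not declare its own `permissions:` block, so any step in these workflows that writes through GITHUB_TOKEN (pushing a bump commit, opening a pull request, adding a label) will now fail with a 403; the job bodies are outside the hunk, so this has to be checked against each workflow's steps. Steps that authenticate with a separate secret are unaffected, which is presumably how the write paths here work, but that should be confirmed rather than assumed. The same applies to the autopublish.yml, dispatch-build-bottle.yml, publish-commit-bottles.yml, recreate-linux-runners.yml, remove-disabled-formulae.yml, tests.yml and triage.yml hunks. Where a job does need a write scope, grant it on that job only (`permissions:` / `contents: write` under the job) rather than widening the workflow default, and a one-line comment above the block, `# Least-privilege default for GITHUB_TOKEN; jobs that need write access declare it themselves.`, would record the intent for the next editor.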
@@ -18,6 +18,9 @@ env:
 HOMEBREW_DEVELOPER: 1
 HOMEBREW_NO_AUTO_UPDATE: 1
+permissions:
+ contents: read
+
 
 jobs:
 upload:
 runs-on: ${{github.event.inputs.self_hosted == 'true' && 'linux-self-hosted-1' || 'ubuntu-latest'}}
diff --git a/.github/workflows/recreate-linux-runners.yml b/.github/workflows/recreate-linux-runners.yml
index 816bcd1885d..971111d2c4b 100644
--- a/.github/workflows/recreate-linux-runners.yml
+++ b/.github/workflows/recreate-linux-runners.yml
@@ -10,6 +10,9 @@ concurrency:
 group: recreate-linux-runners
 cancel-in-progress: true
+permissions:
+ contents: read
+
 
 jobs:
 recreate:
 if: github.repository == 'Homebrew/homebrew-core'
diff --git a/.github/workflows/remove-disabled-formulae.yml b/.github/workflows/remove-disabled-formulae.yml
index 99092067a8e..ba0fb833853 100644
--- a/.github/workflows/remove-disabled-formulae.yml
+++ b/.github/workflows/remove-disabled-formulae.yml
@@ -12,6 +12,9 @@ concurrency:
 group: remove-disabled-formulae
 cancel-in-progress: true
+permissions:
+ contents: read
+
 
 jobs:
 remove-disabled-formulae:
 if: startsWith(github.repository, 'Homebrew/')
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 4735cdd1c9e..026c65b2156 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -16,6 +16,9 @@ concurrency:
 group: "tests-${{ github.ref }}"
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+permissions:
+ contents: read
+
 
 jobs:
 tap_syntax:
 if: github.repository == 'Homebrew/homebrew-core'
@@ -40,6 +43,8 @@ jobs:
 id: formulae-detect
 
 setup_tests:
+ permissions:
+ pull-requests: read
 if: github.event_name == 'pull_request' && github.repository == 'Homebrew/homebrew-core'
 runs-on: ubuntu-latest
 needs: tap_syntax
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
index ae5cc7a13c7..bedf47e9fc5 100644
--- a/.github/workflows/triage.yml
+++ b/.github/workflows/triage.yml
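Review bot: A job-level `permissions:` block replaces the workflow-level one rather than extending it, so after the second tests.yml hunk the `setup_tests` job holds `pull-requests: read` only and every other scope, including the `contents: read` granted at the top of the same file, becomes `none` for that job. If `setup_tests` checks out the repository or reads repository contents through GITHUB_TOKEN (its steps are outside the hunk), the job block should list both scopes: `permissions:` / `  contents: read` / `  pull-requests: read`. The enclosing `setup_tests` job continues past the end of the hunk.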
@@ -6,6 +6,9 @@ concurrency:
 group: "triage-${{ github.event.number }}"
 cancel-in-progress: true
+permissions:
+ contents: read
+
 
 jobs:
 triage:
 runs-on: ubuntu-latest