From 3806bea3ef0cd2434180012e2ab496cf79d30927 Mon Sep 17 00:00:00 2001
From: Cunliang Geng
Date: Fri, 12 Jul 2024 16:27:59 +0200
Subject: [PATCH] add token permissions to github actions
---
 .github/workflows/build.yml | 3 +++
 .github/workflows/cffconvert.yml | 3 +++
 .github/workflows/format-typing-check.yml | 3 +++
 .github/workflows/markdown-link-check.yml | 3 +++
 .github/workflows/publish_gh_release.yml | 7 +++++++
 .github/workflows/sonar-cloud.yml | 2 ++
 6 files changed, 21 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3226cf5a..adedd262 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,8 @@
 name: Build and test Python package
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/cffconvert.yml b/.github/workflows/cffconvert.yml
index 83d64d8b..130e4e37 100644
--- a/.github/workflows/cffconvert.yml
+++ b/.github/workflows/cffconvert.yml
@@ -1,5 +1,8 @@
 name: cffconvert
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/format-typing-check.yml b/.github/workflows/format-typing-check.yml
index aa336147..9acbba09 100644
--- a/.github/workflows/format-typing-check.yml
+++ b/.github/workflows/format-typing-check.yml
@@ -1,5 +1,8 @@
 name: Check format and static typing
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml
index fe44e99e..c309e466 100644
--- a/.github/workflows/markdown-link-check.yml
+++ b/.github/workflows/markdown-link-check.yml
@@ -1,5 +1,8 @@
 name: markdown-link-check
+permissions:
+ contents: read
+
 on:
 push:
 branches:
diff --git a/.github/workflows/publish_gh_release.yml b/.github/workflows/publish_gh_release.yml
index 759c6467..12fc7cd2 100644
--- a/.github/workflows/publish_gh_release.yml
+++ b/.github/workflows/publish_gh_release.yml
@@ -1,6 +1,13 @@
 name: Draft or publish Github release # this action will automatically create a tag for the latest commit
+permissions:
+ actions: write
+ contents: write
+ packages: write
+ pull-requests: write
+ statuses: read
+
 on:
 workflow_dispatch:
 inputs:
diff --git a/.github/workflows/sonar-cloud.yml b/.github/workflows/sonar-cloud.yml
index 7db713ed..9fca32b6 100644
--- a/.github/workflows/sonar-cloud.yml
+++ b/.github/workflows/sonar-cloud.yml
@@ -1,5 +1,7 @@
 name: Check coverage
+permissions: read-all
+
 on:
 push:
 branches:
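Review bot: The workflow-level `permissions:` block in publish_gh_release.yml gives `actions: write`, `packages: write` and `pull-requests: write` to every job, and nothing visible in the hunk consumes them; the header comment only mentions creating a tag for a release, which needs `contents: write`. The jobs lie outside the hunk, so confirm which scopes the release step actually calls and drop the rest. Since a workflow-level block applies to all jobs, it would be tighter to set `permissions: {}` at the top and declare `permissions:` / `contents: write` on the publishing job itself. A short comment per remaining write scope, such as `# contents: write - create the tag and the release`, would record why it is there and make later widening visible in review.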
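Review bot: `permissions: read-all` in sonar-cloud.yml grants read on every token scope, which is wider than the `contents: read` given to the other check workflows in this patch. The jobs are outside the hunk, so this is inferred, but a coverage scan normally needs the checkout and, if it annotates pull requests, read access to them. Listing the scopes explicitly, `permissions:` / `contents: read` / `pull-requests: read`, keeps the six files consistent and leaves every unlisted scope at none. If the scanner does need a further scope, name it in the block with a one-line comment saying which step uses it.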