Skip to content

Commit 3fc8dee

Browse files
per1234per1234
authored
Merge pull request #566 from per1234/permissions
Configure permissions of `GITHUB_TOKEN` in workflows
2 parents 5821fab + 95b5035 commit 3fc8dee

21 files changed

+83
-0
lines changed

.github/workflows/check-certificates.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@ jobs:
2727
(github.event_name != 'pull_request' && github.repository == 'arduino/arduino-lint') ||
2828
(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'arduino/arduino-lint')
2929
runs-on: ubuntu-latest
30+
permissions: {}
3031
strategy:
3132
fail-fast: false
3233

.github/workflows/check-code-generation-task.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ jobs:
2828
runs-on: ubuntu-latest
2929
outputs:
3030
result: ${{ steps.determination.outputs.result }}
31+
permissions: {}
3132
steps:
3233
- name: Determine if the rest of the workflow should run
3334
id: determination
@@ -51,6 +52,7 @@ jobs:
5152
needs: run-determination
5253
if: needs.run-determination.outputs.result == 'true'
5354
runs-on: ubuntu-latest
55+
permissions: {}
5456

5557
steps:
5658
- name: Checkout local repository

.github/workflows/check-general-formatting-task.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,8 @@ on:
1414
jobs:
1515
check:
1616
runs-on: ubuntu-latest
17+
permissions:
18+
contents: read
1719

1820
steps:
1921
- name: Set environment variables

.github/workflows/check-go-dependencies-task.yml

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,7 @@ on:
3737
jobs:
3838
run-determination:
3939
runs-on: ubuntu-latest
40+
permissions: {}
4041
outputs:
4142
result: ${{ steps.determination.outputs.result }}
4243
steps:
@@ -62,6 +63,8 @@ jobs:
6263
needs: run-determination
6364
if: needs.run-determination.outputs.result == 'true'
6465
runs-on: ubuntu-latest
66+
permissions:
67+
contents: read
6568

6669
steps:
6770
- name: Checkout repository
@@ -118,6 +121,8 @@ jobs:
118121
needs: run-determination
119122
if: needs.run-determination.outputs.result == 'true'
120123
runs-on: ubuntu-latest
124+
permissions:
125+
contents: read
121126

122127
steps:
123128
- name: Checkout repository

.github/workflows/check-go-task.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,7 @@ on:
2828
jobs:
2929
run-determination:
3030
runs-on: ubuntu-latest
31+
permissions: {}
3132
outputs:
3233
result: ${{ steps.determination.outputs.result }}
3334
steps:
@@ -54,6 +55,8 @@ jobs:
5455
needs: run-determination
5556
if: needs.run-determination.outputs.result == 'true'
5657
runs-on: ubuntu-latest
58+
permissions:
59+
contents: read
5760

5861
strategy:
5962
fail-fast: false
@@ -89,6 +92,8 @@ jobs:
8992
needs: run-determination
9093
if: needs.run-determination.outputs.result == 'true'
9194
runs-on: ubuntu-latest
95+
permissions:
96+
contents: read
9297

9398
strategy:
9499
fail-fast: false
@@ -127,6 +132,8 @@ jobs:
127132
needs: run-determination
128133
if: needs.run-determination.outputs.result == 'true'
129134
runs-on: ubuntu-latest
135+
permissions:
136+
contents: read
130137

131138
strategy:
132139
fail-fast: false
@@ -165,6 +172,8 @@ jobs:
165172
needs: run-determination
166173
if: needs.run-determination.outputs.result == 'true'
167174
runs-on: ubuntu-latest
175+
permissions:
176+
contents: read
168177

169178
strategy:
170179
fail-fast: false
@@ -203,6 +212,8 @@ jobs:
203212
needs: run-determination
204213
if: needs.run-determination.outputs.result == 'true'
205214
runs-on: ubuntu-latest
215+
permissions:
216+
contents: read
206217

207218
strategy:
208219
fail-fast: false

.github/workflows/check-license.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,8 @@ on:
3131
jobs:
3232
check-license:
3333
runs-on: ubuntu-latest
34+
permissions:
35+
contents: read
3436

3537
steps:
3638
- name: Checkout repository

.github/workflows/check-markdown-task.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -36,6 +36,8 @@ on:
3636
jobs:
3737
lint:
3838
runs-on: ubuntu-latest
39+
permissions:
40+
contents: read
3941

4042
steps:
4143
- name: Checkout repository
@@ -55,6 +57,8 @@ jobs:
5557

5658
links:
5759
runs-on: ubuntu-latest
60+
permissions:
61+
contents: read
5862

5963
steps:
6064
- name: Checkout repository

.github/workflows/check-mkdocs-task.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -37,6 +37,8 @@ on:
3737
jobs:
3838
check:
3939
runs-on: ubuntu-latest
40+
permissions:
41+
contents: read
4042

4143
steps:
4244
- name: Checkout repository

.github/workflows/check-prettier-formatting-task.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -201,6 +201,8 @@ on:
201201
jobs:
202202
check:
203203
runs-on: ubuntu-latest
204+
permissions:
205+
contents: read
204206

205207
steps:
206208
- name: Checkout repository

.github/workflows/check-python-task.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,8 @@ on:
3333
jobs:
3434
lint:
3535
runs-on: ubuntu-latest
36+
permissions:
37+
contents: read
3638

3739
steps:
3840
- name: Checkout repository
@@ -60,6 +62,8 @@ jobs:
6062

6163
formatting:
6264
runs-on: ubuntu-latest
65+
permissions:
66+
contents: read
6367

6468
steps:
6569
- name: Checkout repository

0 commit comments

Comments
 (0)