Adjust permissions in GitHub Actions (#207)

btschwertfeger · Mar 16, 2024 · 15df270 · 15df270
1 parent c32927c
commit 15df270
Show file tree

Hide file tree

Showing 18 changed files with 39 additions and 0 deletions.
diff --git a/.github/workflows/_build.yaml b/.github/workflows/_build.yaml
@@ -18,6 +18,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   Build:
     runs-on: ${{ inputs.os }}

diff --git a/.github/workflows/_build_doc.yaml b/.github/workflows/_build_doc.yaml
@@ -17,6 +17,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   Build:
     runs-on: ${{ inputs.os }}

diff --git a/.github/workflows/_codecov.yaml b/.github/workflows/_codecov.yaml
@@ -33,6 +33,8 @@ on:
       FUTURES_SANDBOX_SECRET:
         required: true
 
+permissions: read-all
+
 jobs:
   CodeCov:
     name: Coverage

diff --git a/.github/workflows/_codeql.yaml b/.github/workflows/_codeql.yaml
@@ -7,6 +7,12 @@ name: CodeQL
 on:
   workflow_call:
 
+# Don't change this permissions. These must match those of the analyze job.
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     name: Analyze

diff --git a/.github/workflows/_pre_commit.yaml b/.github/workflows/_pre_commit.yaml
@@ -10,6 +10,8 @@ name: Pre-Commit
 on:
   workflow_call:
 
+permissions: read-all
+
 jobs:
   Pre-Commit:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/_pypi_publish.yaml b/.github/workflows/_pypi_publish.yaml
@@ -19,6 +19,8 @@ on:
       API_TOKEN:
         required: true
 
+permissions: read-all
+
 jobs:
   PyPI-Publish:
     name: Upload to ${{ inputs.REPOSITORY_URL }}

diff --git a/.github/workflows/_test_futures_private.yaml b/.github/workflows/_test_futures_private.yaml
@@ -30,6 +30,8 @@ on:
       FUTURES_SANDBOX_SECRET:
         required: true
 
+permissions: read-all
+
 jobs:
   Test-Futures:
     name: Test ${{ inputs.os }} ${{ inputs.python-version }}

diff --git a/.github/workflows/_test_futures_public.yaml b/.github/workflows/_test_futures_public.yaml
@@ -20,6 +20,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   Test-Futures:
     name: Test ${{ inputs.os }} ${{ inputs.python-version }}

diff --git a/.github/workflows/_test_nft_private.yaml b/.github/workflows/_test_nft_private.yaml
@@ -22,6 +22,8 @@ on:
       SPOT_SECRET_KEY:
         required: true
 
+permissions: read-all
+
 jobs:
   Test-NFT:
     name: Test ${{ inputs.os }} ${{ inputs.python-version }}

diff --git a/.github/workflows/_test_nft_public.yaml b/.github/workflows/_test_nft_public.yaml
@@ -18,6 +18,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   Test-NFT:
     name: Test ${{ inputs.os }} ${{ inputs.python-version }}

diff --git a/.github/workflows/_test_spot_private.yaml b/.github/workflows/_test_spot_private.yaml
@@ -27,6 +27,8 @@ on:
       SPOT_SECRET_KEY:
         required: true
 
+permissions: read-all
+
 jobs:
   Test-Spot:
     name: Test ${{ inputs.os }} ${{ inputs.python-version }}

diff --git a/.github/workflows/_test_spot_public.yaml b/.github/workflows/_test_spot_public.yaml
@@ -20,6 +20,8 @@ on:
         type: string
         required: true
 
+permissions: read-all
+
 jobs:
   Test-Spot:
     name: Test ${{ inputs.os }} ${{ inputs.python-version }}

diff --git a/.github/workflows/manual_build.yaml b/.github/workflows/manual_build.yaml
@@ -12,6 +12,8 @@ name: PR Manual Build
 on:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   Build:
     uses: ./.github/workflows/_build.yaml

diff --git a/.github/workflows/manual_codeql.yaml b/.github/workflows/manual_codeql.yaml
@@ -12,6 +12,8 @@ name: PR Manual CodeQL
 on:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   CodeQL:
     uses: ./.github/workflows/_codeql.yaml
diff --git a/.github/workflows/manual_pre_commit.yaml b/.github/workflows/manual_pre_commit.yaml
@@ -13,6 +13,8 @@ name: PR Manual Pre-Commit
 on:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   Pre-Commit:
     uses: ./.github/workflows/_pre_commit.yaml
diff --git a/.github/workflows/manual_test_futures.yaml b/.github/workflows/manual_test_futures.yaml
@@ -27,6 +27,8 @@ name: PR Manual Test Futures
 on:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   Test-Futures-Public:
     uses: ./.github/workflows/_test_futures_public.yaml

diff --git a/.github/workflows/manual_test_spot.yaml b/.github/workflows/manual_test_spot.yaml
@@ -35,6 +35,8 @@ name: PR Manual Test Spot
 on:
   workflow_dispatch:
 
+permissions: read-all
+
 jobs:
   Test-Spot-Public:
     uses: ./.github/workflows/_test_spot_public.yaml

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -3,6 +3,7 @@
 # policy, and support documentation.
 
 name: Scorecard supply-chain security
+
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-Original file line number
+Diff line change
@@ Expand Up / @@ -12,6 +12,8 @@ name: PR Manual Build @@
     on:
       workflow_dispatch:
+    permissions: read-all
     jobs:
       Build:
         uses: ./.github/workflows/_build.yaml
@@ Expand Down @@