From c3020e271785cfd31148eeb322eeb369baa12137 Mon Sep 17 00:00:00 2001
From: Alex
Date: Thu, 1 Dec 2022 04:31:02 +0200
Subject: [PATCH] GitHub Workflows security hardening (#3519)

* build: harden tutorials.yml permissions

Signed-off-by: Alex

* build: harden contrib.yml permissions

Signed-off-by: Alex

* build: harden tests.yml permissions

Signed-off-by: Alex
---
 .github/workflows/contrib.yml   | 3 +++
 .github/workflows/tests.yml     | 7 +++++++
 .github/workflows/tutorials.yml | 1 +
 3 files changed, 11 insertions(+)

diff --git a/.github/workflows/contrib.yml b/.github/workflows/contrib.yml
index d723e6aa48..a4ec6d7d75 100644
--- a/.github/workflows/contrib.yml
+++ b/.github/workflows/contrib.yml
@@ -22,6 +22,9 @@ concurrency:
   group: contrib-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read # to fetch code (actions/checkout)
+
 jobs:
   stable:
     # Check each OS, all supported Python, minimum versions and latest releases
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 07bb90dc9e..76d4b43843 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -29,8 +29,12 @@ concurrency:
   group: tests-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
 jobs:
   build:
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -80,6 +84,9 @@ jobs:
 
   stable:
     # Check each OS, all supported Python, minimum versions and latest releases
+    permissions:
+      contents: read # to fetch code (actions/checkout)
+
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
diff --git a/.github/workflows/tutorials.yml b/.github/workflows/tutorials.yml
index 4f80942d17..2e6093fde5 100644
--- a/.github/workflows/tutorials.yml
+++ b/.github/workflows/tutorials.yml
@@ -9,6 +9,7 @@ concurrency:
   group: tutorials-${{ github.ref }}
   cancel-in-progress: true
 
+permissions: {}
 jobs:
   tutorial:
     runs-on: ubuntu-latest
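Review bot: The workflow-level `contents: read` added to contrib.yml follows a different pattern from tests.yml in the same commit, which sets `permissions: {}` at the top and grants `contents: read` per job; with the contrib.yml form any job added later silently inherits a read token, whereas the tests.yml form makes every job opt in explicitly. For consistency and a tighter default, consider `permissions: {}` at the workflow level and moving `permissions:` / `contents: read  # to fetch code (actions/checkout)` under the `stable` job. Separately, yamllint's default `comments` rule wants at least two spaces before an inline `#`, so the added line should read `contents: read  # to fetch code (actions/checkout)`. The `stable` job's steps run past the end of the hunk, so I could not confirm they need nothing beyond `contents: read`.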
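Review bot: The new `permissions: {}` at the workflow level strips every scope from `GITHUB_TOKEN` that the `build` job does not explicitly reclaim, and only `contents: read` is reclaimed here; the job's step list continues past the hunk, so confirm none of those steps write to the API (check runs, PR comments, releases, caches that need `actions: write`) with the default token, since such a step would now fail with a 403 at run time rather than at review time. If a step does need more, add the minimal extra scope next to `contents: read` on that job rather than widening the workflow default. Minor style: the added `permissions: {}` line sits directly against `jobs:` with no separating blank line, unlike the same kind of addition in contrib.yml, and the inline comment needs two spaces before `#` to satisfy yamllint's `comments` rule: `contents: read  # to fetch code (actions/checkout)`.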
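Review bot: Unlike tests.yml in the same commit, the `tutorial` job receives no job-level `permissions:` after the workflow default is set to `{}`, so its `GITHUB_TOKEN` ends up with no scopes at all; if the job checks out the repository with `actions/checkout` (the reason the commit's own comments give for granting `contents: read` elsewhere), the checkout token will carry no `contents` scope. On a public repository the clone may still succeed, but it will break if the repository is ever made private and it is inconsistent with how tests.yml was hardened. Add `permissions:` / `contents: read  # to fetch code (actions/checkout)` under `tutorial:` before `runs-on:`. The job's steps run past the end of the hunk, so I could not confirm which scopes they actually use.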