Update github permissions (#833)

tpadioleau · web-flow · commit 86037b23b297 · 2025-04-21T09:59:40.000+02:00
* Update github permissions

* Replace version by commit sha
diff --git a/.github/workflows/cmake-checks.yaml b/.github/workflows/cmake-checks.yaml
@@ -25,6 +25,9 @@ on:
       - '**.cmake.in'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   cmake-format:
     name: CMake format check using gersemi
diff --git a/.github/workflows/early_integration.yaml b/.github/workflows/early_integration.yaml
@@ -11,6 +11,9 @@ on:
     - cron: "0 1 * * 1-5"  # every weekday at 1am
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   docker-build:
     strategy:
@@ -83,6 +86,8 @@ jobs:
             cxx_version: '23'
     runs-on: ubuntu-latest
     needs: [docker-build]
+    permissions:
+      checks: write  # Required by mikepenz/action-junit-report
     steps:
       - name: Free Disk Space (Ubuntu)
         uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
diff --git a/.github/workflows/general-checks.yaml b/.github/workflows/general-checks.yaml
@@ -13,6 +13,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   reuse-compliance-check:
     name: Reuse compliance check
diff --git a/.github/workflows/gyselalibxx.yaml b/.github/workflows/gyselalibxx.yaml
@@ -9,6 +9,9 @@ name: gyselalibxx
 on:
   workflow_dispatch
 
+permissions:
+  contents: read
+
 jobs:
   tests:
     strategy:
diff --git a/.github/workflows/markdown-checks.yaml b/.github/workflows/markdown-checks.yaml
@@ -19,6 +19,9 @@ on:
       - '**.md'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   markdown-lint:
     name: Markdown lint using markdownlint-cli2
diff --git a/.github/workflows/packages-cleanup.yaml b/.github/workflows/packages-cleanup.yaml
@@ -9,6 +9,9 @@ name: Packages cleanup
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   delete-packages:
     strategy:
@@ -24,6 +27,8 @@ jobs:
           - 'oldest_hip'
     name: Delete old packages
     runs-on: ubuntu-latest
+    permissions:
+      packages: write  # Required by actions/delete-package-versions
     steps:
       - uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55  # v5.0.0
         with:
diff --git a/.github/workflows/pages.yaml b/.github/workflows/pages.yaml
@@ -16,6 +16,9 @@ concurrency:
   group: ${{github.workflow}}-${{github.ref == github.ref_protected && github.run_id || github.event.pull_request.number || github.ref}}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   id_repo:
     runs-on: ubuntu-latest
@@ -29,6 +32,8 @@ jobs:
   docker-build:
     needs: id_repo
     runs-on: ubuntu-latest
+    permissions:
+      packages: write  # Required to push to registry
     steps:
       - name: Free Disk Space (Ubuntu)
         uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
diff --git a/.github/workflows/python-checks.yaml b/.github/workflows/python-checks.yaml
@@ -21,6 +21,9 @@ on:
       - 'bin/trailing_spaces'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   python-format:
     name: Python format using black
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -23,7 +23,8 @@ on:
       - "main"
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analysis:
@@ -78,6 +79,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47  # v3.28.15
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/shell-checks.yaml b/.github/workflows/shell-checks.yaml
@@ -15,6 +15,9 @@ on:
       - 'docker/*/bash_run'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   shell-lint:
     name: Shell lint using shellcheck
diff --git a/.github/workflows/tests-macos.yaml b/.github/workflows/tests-macos.yaml
@@ -36,6 +36,9 @@ concurrency:
   group: ${{github.workflow}}-${{github.ref == github.ref_protected && github.run_id || github.event.pull_request.number || github.ref}}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   id_repo:
     runs-on: macos-latest
@@ -77,6 +80,8 @@ jobs:
       CC: ${{matrix.backend.c_compiler}}
       CXX: ${{matrix.backend.cxx_compiler}}
       CMAKE_BUILD_TYPE: ${{matrix.cmake_build_type}}
+    permissions:
+      checks: write  # Required by mikepenz/action-junit-report
     steps:
       - name: Checkout built branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
diff --git a/.github/workflows/tests-ubuntu.yaml b/.github/workflows/tests-ubuntu.yaml
@@ -38,6 +38,9 @@ concurrency:
   group: ${{github.workflow}}-${{github.ref == github.ref_protected && github.run_id || github.event.pull_request.number || github.ref}}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -70,6 +73,8 @@ jobs:
         backend: ['cpu', 'cuda', 'hip']
     needs: id_repo
     runs-on: ubuntu-latest
+    permissions:
+      packages: write  # Required to push to registry
     steps:
       - name: Free Disk Space (Ubuntu)
         uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
@@ -159,6 +164,8 @@ jobs:
             cxx_version: '23'
     runs-on: ubuntu-latest
     needs: [docker-build, id_repo]
+    permissions:
+      checks: write  # Required by mikepenz/action-junit-report
     steps:
       - name: Free Disk Space (Ubuntu)
         uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
@@ -316,6 +323,8 @@ jobs:
         sanitizer: ['address', 'undefined']
     runs-on: ubuntu-latest
     needs: [docker-build, id_repo]
+    permissions:
+      checks: write  # Required by mikepenz/action-junit-report
     steps:
       - name: Free Disk Space (Ubuntu)
         uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
diff --git a/.github/workflows/tests-windows.yaml b/.github/workflows/tests-windows.yaml
@@ -38,6 +38,9 @@ concurrency:
   group: ${{github.workflow}}-${{github.ref == github.ref_protected && github.run_id || github.event.pull_request.number || github.ref}}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   id_repo:
     runs-on: windows-latest
@@ -60,6 +63,8 @@ jobs:
       Kokkos_ROOT: ${{github.workspace}}/opt/kokkos
       GTest_ROOT: ${{github.workspace}}/opt/gtest
       CMAKE_BUILD_PARALLEL_LEVEL: 4
+    permissions:
+      checks: write  # Required by mikepenz/action-junit-report
     steps:
       - name: Checkout built branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
diff --git a/.github/workflows/website-checks.yaml b/.github/workflows/website-checks.yaml
@@ -11,6 +11,9 @@ on:
     - cron: "0 1 * * *"  # every day at 1am
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   links-check:
     name: Links check using linkchecker
diff --git a/.github/workflows/yaml-checks.yaml b/.github/workflows/yaml-checks.yaml
@@ -27,6 +27,9 @@ on:
       - '**.yml'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   yaml-lint:
     name: YAML lint using yamllint
