
Commit afa5346

ci: limit scope of GITHUB_TOKEN in actions (#1089)
1 parent c475927 commit afa5346


5 files changed

+34
-0
lines changed


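--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,9 @@ jobs:
   test:
     runs-on: ubuntu-24.04
 
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -54,6 +57,9 @@ jobs:
     runs-on: ubuntu-24.04
     container: quay.io/geoengine/devcontainer:latest
 
+    permissions:
+      contents: read
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -97,6 +103,9 @@ jobs:
     runs-on: ubuntu-24.04
     container: quay.io/geoengine/devcontainer:latest
 
+    permissions:
+      contents: read
+
     strategy:
       matrix:
         build: ["", "--release"]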

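--- a/.github/workflows/clear-cache.yml
+++ b/.github/workflows/clear-cache.yml
@@ -11,6 +11,10 @@ jobs:
   clear-cache:
     runs-on: ubuntu-24.04
 
+    permissions:
+      actions: write
+      contents: read
+
     steps:
       - name: Clear all caches
         uses: actions/github-script@v6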

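--- a/.github/workflows/containers.yml
+++ b/.github/workflows/containers.yml
@@ -27,6 +27,9 @@ jobs:
 
     runs-on: ubuntu-24.04
 
+    permissions:
+      contents: read
+
     env:
       TAG_NAME: nightly
       CONTAINER_REPOSITORY_BRANCH: main
@@ -110,7 +113,12 @@ jobs:
     name: Post to a Slack channel in case of failure
     needs: create-container
     if: always()
+
     runs-on: ubuntu-24.04
+
+    permissions:
+      contents: read
+
     steps:
       - name: Post to a Slack channel
         if: ${{ needs.create-container.result == 'failure' }}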

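--- a/.github/workflows/devcontainer.yml
+++ b/.github/workflows/devcontainer.yml
@@ -27,6 +27,9 @@ jobs:
 
     runs-on: ubuntu-24.04
 
+    permissions:
+      contents: read
+
     env:
       TAG_NAME: latest
       CONTAINER_REPOSITORY_BRANCH: main
@@ -72,7 +75,12 @@ jobs:
     name: Post to a Slack channel in case of failure
     needs: create-container
     if: always()
+
     runs-on: ubuntu-24.04
+
+    permissions:
+      contents: read
+
     steps:
       - name: Post to a Slack channel
         if: ${{ needs.create-container.result == 'failure' }}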

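--- a/.github/workflows/lint-pr-title.yml
+++ b/.github/workflows/lint-pr-title.yml
@@ -9,7 +9,12 @@ jobs:
   title:
     name: Title
     if: github.event.action == 'opened' || github.event.changes.title.from
+
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
     steps:
       - uses: geo-engine/conventional-pr-title@v1
         with: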
