External/json
8
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Set minimal permissions to Github Workflows (#3972)

Browse Source
This commit is contained in:
Joyce 2023-03-13 08:14:35 -03:00 committed by GitHub
parent bbe337c3a3
commit 546370c9e7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/cifuzz.yml vendored
View File

@ -1,5 +1,9 @@
name: CIFuzz name: CIFuzz
on: [pull_request] on: [pull_request]
permissions:
contents: read
jobs: jobs:
Fuzzing: Fuzzing:
runs-on: ubuntu-latest runs-on: ubuntu-latest

5
.github/workflows/codeql-analysis.yml vendored
View File

@ -11,6 +11,9 @@ on:
- cron: '0 19 * * 1' - cron: '0 19 * * 1'
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref || github.run_id }} group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
@ -19,6 +22,8 @@ jobs:
CodeQL-Build: CodeQL-Build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
security-events: write
steps: steps:
- name: Checkout repository - name: Checkout repository

2
.github/workflows/labeler.yml vendored
View File

@ -4,6 +4,8 @@ on:
pull_request_target: pull_request_target:
types: [opened, synchronize] types: [opened, synchronize]
permissions: {}
jobs: jobs:
label: label:
permissions: permissions:

3
.github/workflows/macos.yml vendored
View File

@ -9,6 +9,9 @@ on:
pull_request: pull_request:
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref || github.run_id }} group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true

3
.github/workflows/publish_documentation.yml vendored
View File

@ -10,6 +10,9 @@ on:
- docs/examples/** - docs/examples/**
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
# we don't want to have concurrent jobs, and we don't want to cancel running jobs to avoid broken publications # we don't want to have concurrent jobs, and we don't want to cancel running jobs to avoid broken publications
concurrency: concurrency:
group: documentation group: documentation

6
.github/workflows/ubuntu.yml vendored
View File

@ -9,6 +9,9 @@ on:
pull_request: pull_request:
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref || github.run_id }} group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true
@ -102,6 +105,9 @@ jobs:
ci_test_coverage: ci_test_coverage:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: ghcr.io/nlohmann/json-ci:v2.4.0 container: ghcr.io/nlohmann/json-ci:v2.4.0
permissions:
contents: read
checks: write
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Run CMake - name: Run CMake

3
.github/workflows/windows.yml vendored
View File

@ -9,6 +9,9 @@ on:
pull_request: pull_request:
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref || github.run_id }} group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
cancel-in-progress: true cancel-in-progress: true