Make Github workflows permissions read-only by default (#3488)

* Make Github workflows permissions read-only by default * Pins `skx/github-action-publish-binaries` action to specific hash
facebook · Feb 14, 2023 · 727d031 · 727d031
1 parent 886de7b
commit 727d031
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/.github/workflows/dev-long-tests.yml b/.github/workflows/dev-long-tests.yml
@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [ dev, release, actionsTest ]
 
+permissions: read-all
+
 jobs:
   make-all:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/dev-short-tests.yml b/.github/workflows/dev-short-tests.yml
@@ -10,6 +10,8 @@ on:
   pull_request:
     branches: [ dev, release, actionsTest ]
 
+permissions: read-all
+
 jobs:
   linux-kernel:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/publish-release-artifacts.yml b/.github/workflows/publish-release-artifacts.yml
@@ -5,8 +5,7 @@ on:
     types:
       - published
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   publish-release-artifacts:
@@ -68,7 +67,7 @@ jobs:
           fi
 
       - name: Publish
-        uses: skx/github-action-publish-binaries@release-2.0
+        uses: skx/github-action-publish-binaries@b9ca5643b2f1d7371a6cba7f35333f1461bbc703 # tag=release-2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with: