From 727d03161f689399b7f6dbd65cd624185bf4de8c Mon Sep 17 00:00:00 2001
From: Yonatan Komornik <11005061+yoniko@users.noreply.github.com>
Date: Mon, 13 Feb 2023 16:57:05 -0800
Subject: [PATCH] Make Github workflows permissions read-only by default (#3488)

* Make Github workflows permissions read-only by default
* Pins `skx/github-action-publish-binaries` action to specific hash
---
 .github/workflows/dev-long-tests.yml | 2 ++
 .github/workflows/dev-short-tests.yml | 2 ++
 .github/workflows/publish-release-artifacts.yml | 5 ++---
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/dev-long-tests.yml b/.github/workflows/dev-long-tests.yml
index 1c8c9ec555f..22416e2cd67 100644
--- a/.github/workflows/dev-long-tests.yml
+++ b/.github/workflows/dev-long-tests.yml
@@ -9,6 +9,8 @@ on:
   pull_request:
     branches: [ dev, release, actionsTest ]
 
+permissions: read-all
+
 jobs:
   make-all:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/dev-short-tests.yml b/.github/workflows/dev-short-tests.yml
index 092c933c762..eede89f8751 100644
--- a/.github/workflows/dev-short-tests.yml
+++ b/.github/workflows/dev-short-tests.yml
@@ -10,6 +10,8 @@ on:
   pull_request:
     branches: [ dev, release, actionsTest ]
 
+permissions: read-all
+
 jobs:
   linux-kernel:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish-release-artifacts.yml b/.github/workflows/publish-release-artifacts.yml
index 2c89a91a55a..39da42d157c 100644
--- a/.github/workflows/publish-release-artifacts.yml
+++ b/.github/workflows/publish-release-artifacts.yml
@@ -5,8 +5,7 @@ on:
   types:
     - published
 
-permissions:
-  contents: read
+permissions: read-all
 
 jobs:
   publish-release-artifacts:
@@ -68,7 +67,7 @@ jobs:
           fi
       - name: Publish
-        uses: skx/github-action-publish-binaries@release-2.0
+        uses: skx/github-action-publish-binaries@b9ca5643b2f1d7371a6cba7f35333f1461bbc703 # tag=release-2.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
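Review bot: `permissions: read-all` in dev-long-tests.yml grants the GITHUB_TOKEN read access on every permission scope, which is broader than a checkout-and-build workflow appears to need; the identical hunk in dev-short-tests.yml has the same issue. A narrower workflow default is `permissions:` followed by `  contents: read`, with any job that genuinely needs another scope declaring it in its own job-level `permissions` block. Since a job-level `permissions` key can still widen the token beyond the workflow default, the jobs in the rest of each file (outside these hunks) should be checked for such overrides before treating the default as the effective bound.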
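Review bot: In publish-release-artifacts.yml the replacement of `contents: read` with `permissions: read-all` widens the workflow default rather than narrowing it: the removed block granted one read scope, whereas `read-all` grants read on every scope the token can carry (issues, pull-requests, packages, security-events and so on). Keeping the original `permissions:` / `  contents: read` (or `permissions: {}`) matches the commit's read-only intent more tightly for a release workflow. Uploading release assets requires `contents: write`, and the Publish step in the second hunk passes `secrets.GITHUB_TOKEN` to a third-party action, so the publish job presumably carries its own job-level `permissions` block outside this hunk; that block, not the workflow default, is what bounds the pinned action and should stay limited to `contents: write`.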