From 1784b7e652879a5c98e469cec2968122f495ca62 Mon Sep 17 00:00:00 2001
From: zerosnacks
Date: Wed, 17 Sep 2025 15:16:32 +0200
Subject: [PATCH] rescope permissions

---
 .github/workflows/ci.yml | 12 +++++++++---
 .github/workflows/codeql.yml | 4 ++--
 .github/workflows/sync.yml | 3 +--
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 737bcf217..d7b6bf1ac 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,6 @@
 name: CI
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   workflow_dispatch:
@@ -15,6 +14,8 @@ jobs:
     name: build +${{ matrix.toolchain }} ${{ matrix.flags }}
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -51,6 +52,8 @@ jobs:
   test:
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -73,6 +76,8 @@ jobs:
   fmt:
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
         with:
@@ -84,6 +89,8 @@ jobs:
   typos:
     runs-on: ubuntu-latest
     timeout-minutes: 10
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v5
         with:
@@ -93,7 +100,6 @@ jobs:
   ci-success:
     runs-on: ubuntu-latest
     if: always()
-    permissions: {}
     needs:
       - build
       - test
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 9bf24662a..29b9c08a5 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,7 +1,6 @@
 name: CodeQL
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   push:
@@ -23,6 +22,7 @@ jobs:
     permissions:
       security-events: write
       actions: read
+      contents: read
     strategy:
       fail-fast: false
diff --git a/.github/workflows/sync.yml b/.github/workflows/sync.yml
index ef99deb06..15731cbbf 100644
--- a/.github/workflows/sync.yml
+++ b/.github/workflows/sync.yml
@@ -1,7 +1,6 @@
 name: Sync Release Branch
 
-permissions:
-  contents: read
+permissions: {}
 
 on:
   release:
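Review bot: The `fmt` job is now scoped to a read-only `contents` token, but the `actions/checkout@v5` context line directly below the added `permissions` block still references a mutable tag, so the token scoping does not bound which action code actually runs in the job. Pin actions to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v5`; the same applies to the identical line in the `typos` hunk. The checkout step's `with:` block continues outside the hunk.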
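Review bot: Changing the workflow default to `permissions: {}` leaves the sync job with no GITHUB_TOKEN scopes at all, and the diffstat for sync.yml (`3 +--`, one insertion and two deletions) shows no job-level grant was added to compensate, unlike the jobs in ci.yml and codeql.yml. If the job pushes the release branch with `GITHUB_TOKEN`, that push will now be rejected; if it uses a separately stored PAT or app token (which it would also need for the push to trigger other workflows), the empty default is the right choice. Either way, record the intent next to the grant, e.g. `permissions: {} # pushes use a dedicated token, not GITHUB_TOKEN`, or add a job-level `contents: write` if GITHUB_TOKEN is what does the push. The job definition itself is outside the hunk, so this cannot be verified from here.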