Constrain GH Actions workflows permissions (#129)

2024-09-27 04:22:46 +02:00 · 2021-10-23 21:57:46 +02:00 · 2021-10-23 21:57:46 +02:00 · d052f59800
commit d052f59800
parent ca3a14b1bc
4 changed files with 13 additions and 0 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -5,6 +5,9 @@ on:
    branches: [main]
  pull_request:

+permissions:
+  contents: read
+
 jobs:
  ci:
    name: ${{ matrix.name }}
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -9,6 +9,9 @@ on:
      - requirements_test.txt
      - .github/workflows/docker.yml

+permissions:
+  contents: read
+  packages: write

 jobs:
  build-image:
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@ -6,6 +6,10 @@ on:
    branches:
      - main

+permissions:
+  contents: write
+  pull-requests: read
+
 jobs:
  update_release_draft:
    runs-on: ubuntu-latest
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -4,6 +4,9 @@ on:
  release:
    types: [published]

+permissions:
+  contents: read
+
 jobs:
  deploy-pypi:
    name: Build and publish to PyPi