Skip to content

Commit 97cddca

Browse files
committed
Pull request: ADG-12053-imp-gh-workflow-permissions
Merge in GO/dnsproxy from ADG-12053-imp-gh-workflow-permissions to master Squashed commit of the following: commit 8ca6a84 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Apr 20 12:36:42 2026 +0700 gh workflows: imp commit daa912b Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Apr 20 12:14:13 2026 +0700 gh workflows: upd checkout commit 2e31af2 Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Apr 20 12:12:45 2026 +0700 gh workflows: fix build commit 82a479c Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Apr 20 12:03:56 2026 +0700 gh workflows: fix lint commit a47e6ae Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Apr 20 11:59:19 2026 +0700 gh workflows: fmt commit 29471ac Author: Dimitry Kolyshev <dkolyshev@adguard.com> Date: Mon Apr 20 11:55:38 2026 +0700 gh workflows: imp permissions
1 parent 467ad73 commit 97cddca

3 files changed

Lines changed: 77 additions & 33 deletions

File tree

.github/workflows/build.yaml

Lines changed: 28 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,23 @@
11
name: Build
2-
2+
# Permissions are disabled for all the jobs by default, and then overridden for
3+
# specific jobs if needed. This is a recommended practice for security reasons,
4+
# and also allows to avoid mistakes with permissions when creating new jobs.
5+
#
6+
# See https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions.
7+
'permissions': {}
38
'env':
49
'GO_VERSION': '1.26.1'
5-
610
'on':
711
'push':
812
'tags':
913
- 'v*'
1014
'branches':
1115
- '*'
1216
'pull_request':
13-
1417
jobs:
1518
tests:
19+
'permissions':
20+
'contents': 'read'
1621
runs-on: ${{ matrix.os }}
1722
strategy:
1823
matrix:
@@ -21,7 +26,12 @@ jobs:
2126
- macos-latest
2227
- ubuntu-latest
2328
steps:
24-
- uses: actions/checkout@master
29+
- 'uses': 'actions/checkout@v6'
30+
'with':
31+
# Set to false to avoid GITHUB_TOKEN leaking.
32+
#
33+
# See https://github.com/actions/checkout/issues/485#issuecomment-934422611.
34+
'persist-credentials': false
2535
- uses: actions/setup-go@v2
2636
with:
2737
go-version: '${{ env.GO_VERSION }}'
@@ -36,13 +46,20 @@ jobs:
3646
with:
3747
token: ${{ secrets.CODECOV_TOKEN }}
3848
file: ./coverage.txt
39-
4049
build:
4150
needs:
4251
- tests
52+
'permissions':
53+
# Required by actions/create-release.
54+
'contents': 'write'
4355
runs-on: ubuntu-latest
4456
steps:
45-
- uses: actions/checkout@master
57+
- 'uses': 'actions/checkout@v6'
58+
'with':
59+
# Set to false to avoid GITHUB_TOKEN leaking.
60+
#
61+
# See https://github.com/actions/checkout/issues/485#issuecomment-934422611.
62+
'persist-credentials': false
4663
- uses: actions/setup-go@v2
4764
with:
4865
go-version: '${{ env.GO_VERSION }}'
@@ -77,17 +94,20 @@ jobs:
7794
file: "build/dnsproxy-*.tar.gz;build/dnsproxy-*.zip"
7895
tags: true
7996
draft: false
80-
8197
notify:
8298
needs:
8399
- build
84-
if:
100+
if: |
85101
${{ always() &&
86102
(
87103
github.event_name == 'push' ||
88104
github.event.pull_request.head.repo.full_name == github.repository
89105
)
90106
}}
107+
'permissions':
108+
# Required by workflow-conclusion-action to check workflow status.
109+
'actions': 'read'
110+
'contents': 'read'
91111
runs-on: ubuntu-latest
92112
steps:
93113
- name: Conclusion

.github/workflows/docker.yml

Lines changed: 22 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -1,24 +1,32 @@
11
'name': Docker
2-
2+
# Permissions are disabled for all the jobs by default, and then overridden for
3+
# specific jobs if needed. This is a recommended practice for security reasons,
4+
# and also allows to avoid mistakes with permissions when creating new jobs.
5+
#
6+
# See https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions.
7+
'permissions': {}
38
'env':
49
'GO_VERSION': '1.26.1'
5-
610
'on':
711
'push':
812
'tags':
913
- 'v*'
1014
# Builds from the master branch will be pushed with the `dev` tag.
1115
'branches':
1216
- 'master'
13-
1417
'jobs':
1518
'docker':
19+
'permissions':
20+
'contents': 'read'
1621
'runs-on': 'ubuntu-latest'
1722
'steps':
1823
- 'name': 'Checkout'
19-
'uses': 'actions/checkout@v3'
24+
'uses': 'actions/checkout@v6'
2025
'with':
21-
'fetch-depth': 0
26+
# Set to false to avoid GITHUB_TOKEN leaking.
27+
#
28+
# See https://github.com/actions/checkout/issues/485#issuecomment-934422611.
29+
'persist-credentials': false
2230
- 'name': 'Set up Go'
2331
'uses': 'actions/setup-go@v3'
2432
'with':
@@ -56,17 +64,20 @@
5664
DOCKER_PUSH="1" \
5765
VERBOSE="1" \
5866
docker
59-
6067
'notify':
6168
'needs':
6269
- 'docker'
63-
'if':
70+
'if': |
6471
${{ always() &&
65-
(
66-
github.event_name == 'push' ||
67-
github.event.pull_request.head.repo.full_name == github.repository
68-
)
72+
(
73+
github.event_name == 'push' ||
74+
github.event.pull_request.head.repo.full_name == github.repository
75+
)
6976
}}
77+
'permissions':
78+
# Required by workflow-conclusion-action to check workflow status.
79+
'actions': 'read'
80+
'contents': 'read'
7081
'runs-on': ubuntu-latest
7182
'steps':
7283
- 'name': Conclusion

.github/workflows/lint.yaml

Lines changed: 27 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,45 +1,58 @@
11
'name': 'lint'
2-
2+
# Permissions are disabled for all the jobs by default, and then overridden for
3+
# specific jobs if needed. This is a recommended practice for security reasons,
4+
# and also allows to avoid mistakes with permissions when creating new jobs.
5+
#
6+
# See https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#permissions.
7+
'permissions': {}
38
'env':
49
'GO_VERSION': '1.26.1'
5-
610
'on':
711
'push':
812
'tags':
913
- 'v*'
1014
'branches':
1115
- '*'
1216
'pull_request':
13-
1417
'jobs':
1518
'go-lint':
19+
'permissions':
20+
'contents': 'read'
1621
'runs-on': 'ubuntu-latest'
1722
'steps':
18-
- 'uses': 'actions/checkout@v2'
23+
- 'uses': 'actions/checkout@v6'
24+
'with':
25+
# Set to false to avoid GITHUB_TOKEN leaking.
26+
#
27+
# See https://github.com/actions/checkout/issues/485#issuecomment-934422611.
28+
'persist-credentials': false
1929
- 'name': 'Set up Go'
2030
'uses': 'actions/setup-go@v3'
2131
'with':
2232
'go-version': '${{ env.GO_VERSION }}'
2333
- 'name': 'run-lint'
24-
'run': >
25-
make go-deps go-lint
26-
34+
'run': 'make go-deps go-lint'
2735
'notify':
2836
'needs':
37+
- 'go-lint'
2938
# Secrets are not passed to workflows that are triggered by a pull request
3039
# from a fork.
3140
#
3241
# Use always() to signal to the runner that this job must run even if the
3342
# previous ones failed.
34-
'if':
43+
'if': |
3544
${{
36-
always() &&
37-
github.repository_owner == 'AdguardTeam' &&
38-
(
39-
github.event_name == 'push' ||
40-
github.event.pull_request.head.repo.full_name == github.repository
41-
)
45+
always() &&
46+
github.repository_owner == 'AdguardTeam' &&
47+
(
48+
github.event_name == 'push' ||
49+
github.event.pull_request.head.repo.full_name == github.repository
50+
)
4251
}}
52+
'permissions':
53+
# Required by workflow-conclusion-action to check workflow status.
54+
'actions': 'read'
55+
'contents': 'read'
4356
'runs-on': 'ubuntu-latest'
4457
'steps':
4558
- 'name': 'Conclusion'

0 commit comments

Comments
 (0)