Commit ae62ef5

Merge pull request #49 from Clarifai/fix/codeql-workflow-permissions
ci: add least-privilege permissions and pin softprops/action-gh-release
2 parents 5faa5a6 + 91fd961 commit ae62ef5

3 files changed

Lines changed: 9 additions & 2 deletions

.github/workflows/publish.yml

Lines changed: 5 additions & 2 deletions
@@ -11,6 +11,8 @@ on:
1111
jobs:
1212
publish-pypi:
1313
runs-on: ubuntu-latest
14+
permissions:
15+
contents: read
1416
steps:
1517
- uses: actions/checkout@v4
1618
- name: Set up Python
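
Review bot: `- uses: actions/checkout@v4` in the `publish-pypi` steps is still referenced by a mutable tag, while this same commit pins `softprops/action-gh-release` to a full commit SHA. Pin checkout to a full SHA with the version in a trailing comment too, so both third-party references in this workflow are immutable. Separately, a job-level `permissions:` block sets every scope that is not listed to `none`, so if a publish step further down (not shown in this hunk) relies on OIDC trusted publishing, it would also need `id-token: write`.
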
@@ -32,10 +34,11 @@ jobs:
3234
needs: publish-pypi
3335
name: Create Release
3436
runs-on: ubuntu-latest
37+
permissions:
38+
contents: write
3539
steps:
36-
- uses: actions/checkout@v4
3740
- name: Create Release
38-
uses: softprops/action-gh-release@v1
41+
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
3942
with:
4043
name: Release ${{ github.ref_name }}
4144
draft: false
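
Review bot: the trailing comment on the pinned `uses:` line reads `# v1`, which names a major-version tag that can be moved rather than the exact release the SHA corresponds to. Record the specific release tag in that comment so a reviewer or an update bot can check the SHA against it. Also worth confirming: the `actions/checkout@v4` step is removed from this job, so any input under `with:` beyond the lines shown that reads files from the workspace would no longer find them.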

.github/workflows/run_annotation_tests.yml

Lines changed: 2 additions & 0 deletions
@@ -13,6 +13,8 @@ jobs:
1313
annotation-tests:
1414
runs-on: ${{ matrix.os }}
1515
timeout-minutes: 20
16+
permissions:
17+
contents: read
1618
strategy:
1719
fail-fast: false
1820
matrix:
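
Review bot: `permissions:` is set on the `annotation-tests` job only, so a job added to this workflow later would fall back to the repository's default token permissions. Consider a top-level `permissions:` block with `contents: read` as the workflow default, and keep job-level blocks for jobs that need more.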

.github/workflows/run_tests.yml

Lines changed: 2 additions & 0 deletions
@@ -12,6 +12,8 @@ jobs:
1212
build:
1313
runs-on: ${{ matrix.os }}
1414
timeout-minutes: 20
15+
permissions:
16+
contents: read
1517
strategy:
1618
fail-fast: false
1719
matrix:
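
Review bot: with `contents: read` as the only entry under `permissions:` on the `build` job, every other `GITHUB_TOKEN` scope for that job becomes `none`. The steps are outside this hunk, so confirm that none of them use the token to write checks, statuses or pull request comments; if one does, list that scope explicitly rather than widening `contents`.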
