Skip to content

Commit d0b0596

Browse files
committed
ci: Limit token permissions
Also fixed whitespace issues in `.github/workflows`.
1 parent edce0c3 commit d0b0596

3 files changed

Lines changed: 28 additions & 24 deletions

File tree

.github/workflows/audit.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -10,23 +10,23 @@ on:
1010
- '**/Cargo.toml'
1111
- '**/Cargo.lock'
1212
schedule:
13-
# weekly
14-
- cron: '0 0 * * 0'
13+
- cron: '0 0 * * 0' # At 00:00 on Sunday
1514
workflow_dispatch:
1615

1716
env:
1817
CARGO_TERM_COLOR: always
1918

20-
permissions:
21-
contents: read
22-
security-events: write
23-
issues: write
19+
permissions: {}
2420

2521
jobs:
2622
cargo-audit:
2723
name: RustSec Audit (vulnerabilities)
2824
runs-on: ubuntu-latest
2925
timeout-minutes: 15
26+
permissions:
27+
contents: read
28+
security-events: write
29+
issues: write
3030

3131
steps:
3232
- name: Checkout code

.github/workflows/cont_integration.yml

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,8 @@ on: [push, pull_request]
22

33
name: CI
44

5+
permissions: {}
6+
57
env:
68
CARGO_TERM_COLOR: always
79
RUST_BACKTRACE: 1
@@ -21,7 +23,7 @@ jobs:
2123
toolchain: stable
2224
components: rustfmt
2325
cache: true
24-
26+
2527
- name: Check fmt
2628
run: cargo fmt --all -- --check
2729

@@ -37,7 +39,7 @@ jobs:
3739
steps:
3840
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
3941
with:
40-
persist-credentials: false
42+
persist-credentials: false
4143
- name: Install Rust toolchain
4244
uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1
4345
with:
@@ -61,19 +63,19 @@ jobs:
6163
steps:
6264
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
6365
with:
64-
persist-credentials: false
66+
persist-credentials: false
6567
- name: Install Rust toolchain
6668
uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1
6769
with:
6870
toolchain: stable
6971
cache: true
70-
72+
7173
- name: Build
7274
run: cargo build ${{ matrix.features }} --verbose
73-
75+
7476
- name: Run unit tests
7577
run: cargo test ${{ matrix.features }} --lib --verbose
76-
78+
7779
- name: Run doc tests
7880
run: cargo test ${{ matrix.features }} --doc --verbose
7981

@@ -84,12 +86,12 @@ jobs:
8486
steps:
8587
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
8688
with:
87-
persist-credentials: false
89+
persist-credentials: false
8890
- name: Install Rust toolchain
8991
uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1
9092
with:
9193
toolchain: 1.75.0
9294
cache: true
93-
95+
9496
- name: Check MSRV
9597
run: cargo check --all-features

.github/workflows/zizmor.yml

Lines changed: 12 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -1,28 +1,30 @@
11
name: GitHub Actions Security Analysis with zizmor
22

33
on:
4-
pull_request:
4+
pull_request:
5+
branches: ["**"]
6+
push:
57
branches: ["**"]
6-
push:
7-
branches: ["**"]
88
schedule:
9-
- cron: '0 0 * * 0'
10-
workflow_dispatch:
9+
- cron: '0 0 * * 0' # At 00:00 on Sunday
10+
workflow_dispatch:
1111

12-
permissions:
13-
contents: read
14-
security-events: write
12+
permissions: {}
1513

1614
jobs:
1715
zizmor:
1816
name: zizmor security scan
1917
runs-on: ubuntu-latest
2018
timeout-minutes: 10
19+
permissions:
20+
contents: read
21+
security-events: write
22+
2123
steps:
2224
- name: Checkout repository
2325
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
2426
with:
2527
persist-credentials: false
2628

27-
- name: Run zizmor
28-
uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95
29+
- name: Run zizmor
30+
uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95

0 commit comments

Comments
 (0)