From fa4d37fb59d95737a7d4afa5ebfbccdde0788a23 Mon Sep 17 00:00:00 2001
From: Nick Osborn
Date: Thu, 12 Jun 2025 11:46:36 +0800
Subject: [PATCH] chore: top-level workflow permissions
---
 .github/workflows/ci.yml | 18 +++++++++++-------
 .github/workflows/release.yml | 14 +++++++++-----
 .github/workflows/scorecard.yml | 21 +++++++++++----------
 .github/workflows/versioning.yml | 9 ++++++++-
 4 files changed, 39 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4a04e40..2a9e960 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,7 +12,6 @@ on: permissions: contents: read - pull-requests: write concurrency: group: ci-${{ github.ref }}
@@ -22,11 +21,14 @@ jobs: pre-commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + - name: Clone the repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Set up Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: 3.x - - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 + - name: Perform pre-commit checks + uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 env: SKIP: no-commit-to-branch
@@ -34,8 +36,9 @@ jobs: needs: pre-commit runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - name: Test problem matcher + - name: Clone the repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Test the problem matcher id: expect-failure uses: ./ with:
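Review bot: With `pull-requests: write` dropped from the workflow-level block, `contents: read` is the only scope left, and nothing in the shown ci.yml hunks adds a job-level `permissions:` block, so every step — including the repository's own action exercised via `uses: ./` in the `test` job — now runs with a read-only token. That is the right default, but if any step previously relied on the scope to post PR comments or review annotations it will now fail at run time with a 403 rather than at workflow validation, so a pull_request-triggered run before merging would confirm nothing depended on it. A one-line comment above the block, `# Read-only by default; grant write scopes per job where a step needs them`, would keep the next contributor from re-adding the scope at the workflow level.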
@@ -43,7 +46,8 @@ jobs: files: . rules: examples/rules/custom.js continue-on-error: true - - if: ${{ steps.expect-failure.outcome != 'failure' }} + - name: Check the result of the problem matcher test + if: ${{ steps.expect-failure.outcome != 'failure' }} run: | exit 1 - name: Test ignore_files
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4c6d6a5..5b6ab8c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,15 +7,19 @@ on: tags: - v*.*.* -concurrency: ci-release +permissions: + contents: write + +concurrency: + group: release jobs: create-release: - permissions: - contents: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2 + - name: Clone the repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Create the release + uses: softprops/action-gh-release@72f2c25fcb47643c292f7107632f7a47c1df5cd8 # v2.3.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index ff63f6a..de8703c 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
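Review bot: The workflow-level `permissions: contents: write` in release.yml is inherited by every job in the file, whereas the removed job-level block granted it only to `create-release`; with the single job visible here the effect is identical today, but any job added later would start with write access to the repository, so keeping the grant at job level (or in addition to the workflow-level block) is the tighter scoping. The checkout step also leaves the default `persist-credentials: true`, so the write-capable token stays in `.git/config` for the rest of the job while a third-party release action runs; `softprops/action-gh-release` authenticates through the `GITHUB_TOKEN` env var shown in the hunk rather than the git credential, so the checkout step can take `with:` / `persist-credentials: false`, exactly as the scorecard.yml checkout in this same patch does.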
@@ -10,30 +10,31 @@ on: - main branch_protection_rule: {} -permissions: read-all +permissions: + actions: read + contents: read + id-token: write + security-events: write + +concurrency: + group: scorecard + cancel-in-progress: true jobs: analysis: - name: Scorecard analysis - permissions: - id-token: write - security-events: write if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' runs-on: ubuntu-latest - steps: - - name: Checkout code + - name: Clone the repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - - - name: Run analysis + - name: Perform analysis uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 with: publish_results: true results_file: results.sarif results_format: sarif - - name: Upload to code scanning uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.29.0 with:
diff --git a/.github/workflows/versioning.yml b/.github/workflows/versioning.yml
index 2c8550c..7e79a4d 100644
--- a/.github/workflows/versioning.yml
+++ b/.github/workflows/versioning.yml
@@ -8,8 +8,15 @@ on: - published - edited +permissions: + contents: write + pull-requests: write + +concurrency: + group: versioning + jobs: actions-tagger: runs-on: ubuntu-latest steps: - - uses: Actions-R-Us/actions-tagger@330ddfac760021349fef7ff62b372f2f691c20fb # v2.03. + - uses: Actions-R-Us/actions-tagger@330ddfac760021349fef7ff62b372f2f691c20fb # v2.0.3
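Review bot: The new `concurrency:` block in scorecard.yml uses the fixed group name `scorecard` with `cancel-in-progress: true`, so a run started for one ref cancels an in-flight run for any other; since the `analysis` job's `if:` admits `pull_request` events alongside default-branch runs, a PR-triggered run can cancel a default-branch run that is partway through `publish_results: true` and the SARIF upload. Keying the group on the ref as ci.yml already does, `group: scorecard-${{ github.ref }}`, limits cancellation to superseded runs of the same branch. Separately, `id-token: write` and `security-events: write` moved from the `analysis` job to the workflow level; with one job the grant is unchanged, but it now applies to any job added later, so a comment such as `# id-token: write — presumably required by scorecard-action's publish_results flow; confirm` would record why the OIDC scope is there.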
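Review bot: The new workflow-level block in versioning.yml grants `pull-requests: write` alongside `contents: write`, but the only step in the hunk is `Actions-R-Us/actions-tagger`, which as far as the hunk shows only maintains version tags; nothing visible reads or writes pull requests, so the extra scope looks unused — confirm against the action's documented token requirements and, if it is not needed, reduce the block to `permissions:` / `contents: write`. Before this change the job had no `permissions:` block at all and ran with the repository's default token permissions, so making the grant explicit is an improvement in itself. A short comment above the block, `# contents: write lets actions-tagger move the version tags on release events`, would document why write access is needed on a release-triggered workflow.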