CI: Reduce action permissions per best practices

2025-05-11 17:43:48 -04:00 · 2025-05-11 17:43:48 -04:00 · aee5051526
parent 0162e15b6e
commit aee5051526
8 changed files with 21 additions and 5 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -12,6 +12,9 @@ on:
  schedule:
    - cron: '0 0 * * 0'  # weekly

+permissions:
+  contents: read
+
 defaults:
  run:
    shell: bash
--- a/.github/workflows/contributor.yml
+++ b/.github/workflows/contributor.yml
@ -7,6 +7,8 @@ on:
  push:
  pull_request:
  workflow_dispatch:
+permissions:
+  contents: read
 jobs:
  Test:
    name: "'docs/CONTRIBUTORS' was signed"
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@ -9,6 +9,9 @@ on:
  schedule:
    - cron: '0 0 * * 0'  # weekly

+permissions:
+  contents: read
+
 env:
  CI_OS_NAME: linux
  CI_COMMIT: ${{ github.sha }}
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -22,6 +22,9 @@ on:
        type: boolean
        default: false

+permissions:
+  contents: write
+
 jobs:

  build:
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@ -7,6 +7,8 @@ on:
  push:
  pull_request_target:
  workflow_dispatch:
+permissions:
+  contents: write
 jobs:
  format:
    runs-on: ubuntu-22.04
--- a/.github/workflows/msbuild.yml
+++ b/.github/workflows/msbuild.yml
@ -10,6 +10,8 @@ on:
  workflow_dispatch:
  schedule:
    - cron: 0 0 * * 0  # weekly
+permissions:
+  contents: read
 env:
  CI_OS_NAME: win
  CI_COMMIT: ${{ github.sha }}
--- a/.github/workflows/reusable-rtlmeter-run.yml
+++ b/.github/workflows/reusable-rtlmeter-run.yml
@ -84,7 +84,7 @@ jobs:

      - name: Execute cases
        working-directory: rtlmeter
-        continue-on-error: true # Do not fail on error, so we can at leat save the successful results
+        continue-on-error: true  # Do not fail on error, so we can at leat save the successful results
        run: |
          ./rtlmeter run --verbose --cases='${{ inputs.cases }}' --compileArgs='${{ inputs.compileArgs }}' --executeArgs='${{ inputs.executeArgs }}'
          # My YAML highlighter sucks, so I put this comment here wiht a phony closing quote mark to make it work: '
--- a/.github/workflows/rtlmeter.yml
+++ b/.github/workflows/rtlmeter.yml
@ -10,6 +10,9 @@ on:
  schedule:
    - cron: '0 2 * * *'  # Daily, starting at 02:00 UTC

+permissions:
+  contents: read
+
 defaults:
  run:
    shell: bash
@ -115,10 +118,8 @@ jobs:

  combine-results:
    name: Combine results
-    needs:
-      - run-gcc
-      - run-clang
-    if: ${{ always() }} # Run even if dependencies failed
+    needs: [run-gcc, run-clang]
+    if: ${{ always() }}  # Run even if dependencies failed
    runs-on: ubuntu-24.04
    steps:
      - name: Download all GCC results