Merge pull request #4022 from rouault/ci_permissions

CI: add missing permissions section to .yml files
OSGeo · Jan 31, 2024 · c9cbcf9 · c9cbcf9
2 parents 3cc757f + be7d344
commit c9cbcf9
Show file tree

Hide file tree

Showing 11 changed files with 33 additions and 0 deletions.
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
@@ -9,6 +9,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   Fuzzing:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/clang_linux.yml b/.github/workflows/clang_linux.yml
@@ -13,6 +13,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   clang_linux:

diff --git a/.github/workflows/clang_static_analyzer.yml b/.github/workflows/clang_static_analyzer.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   clang_static_analyzer:

diff --git a/.github/workflows/code_checks.yml b/.github/workflows/code_checks.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   cppcheck_2204:

diff --git a/.github/workflows/conda.yml b/.github/workflows/conda.yml
@@ -10,6 +10,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   conda:
     name: Conda ${{ matrix.platform }}

diff --git a/.github/workflows/coverity-scan.yml b/.github/workflows/coverity-scan.yml
@@ -9,6 +9,9 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
   coverity:

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 # adapted from https://raw.githubusercontent.com/stefanprodan/podinfo/master/.github/workflows/release.yml
 #
 jobs:

diff --git a/.github/workflows/linux_gcc_32bit.yml b/.github/workflows/linux_gcc_32bit.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   linux_gcc_32bit:

diff --git a/.github/workflows/mac.yml b/.github/workflows/mac.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   macos_build:

diff --git a/.github/workflows/mingw_w64.yml b/.github/workflows/mingw_w64.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   mingw_w64_build:

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   MSVC: