author | Joyce <joycebrum@google.com> | 2023-05-15 14:02:25 -0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-15 13:02:25 -0400 |
commit | d72ffb448c58b4ffb08b5ad629bc788646e2d59e (patch) | |
tree | 9f5f98b2cfab6d976841559a910acf07c80d42ab | |
parent | cca4c51ca463ea02fa504331ff21bc313c80c7f3 (diff) | |
download | pybind11-d72ffb448c58b4ffb08b5ad629bc788646e2d59e.tar.gz |
ci: set minimal permissions to github workflows (#4665)
* set ci.yml minimal permissions
Signed-off-by: Joyce <joycebrum@google.com>
* set configure.yml minimal permissions
Signed-off-by: Joyce <joycebrum@google.com>
* set format.yml minimal permissions
Signed-off-by: Joyce <joycebrum@google.com>
* set pip.yml minimal permissions
Signed-off-by: Joyce <joycebrum@google.com>
* set upstream.yml minimal permissions
Signed-off-by: Joyce <joycebrum@google.com>
* set labeler.yml minimal permissions
Signed-off-by: Joyce <joycebrum@google.com>
* Update ci.yml to read all
Signed-off-by: Joyce <joycebrum@google.com>
* test labeler.yml
Signed-off-by: Joyce <joycebrum@google.com>
* restore the if at labeler.yml
Signed-off-by: Joyce <joycebrum@google.com>
---------
Signed-off-by: Joyce <joycebrum@google.com>
-rw-r--r-- | .github/workflows/ci.yml | 2 | ||||
-rw-r--r-- | .github/workflows/configure.yml | 3 | ||||
-rw-r--r-- | .github/workflows/format.yml | 3 | ||||
-rw-r--r-- | .github/workflows/labeler.yml | 5 | ||||
-rw-r--r-- | .github/workflows/pip.yml | 3 | ||||
-rw-r--r-- | .github/workflows/upstream.yml | 3 |
6 files changed, 19 insertions, 0 deletions
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c88f0797..8c2aba34 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,8 @@ on:
 - stable
 - v*
+permissions: read-all
+
 concurrency:
 group: test-${{ github.ref }}
 cancel-in-progress: true
diff --git a/.github/workflows/configure.yml b/.github/workflows/configure.yml
index b469a69d..4ae22281 100644
--- a/.github/workflows/configure.yml
+++ b/.github/workflows/configure.yml
@@ -9,6 +9,9 @@ on:
 - stable
 - v*
+permissions:
+ contents: read
+
 env:
 # For cmake:
 VERBOSE: 1
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 46489feb..b8242ee5 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
@@ -12,6 +12,9 @@ on:
 - stable
 - "v*"
+permissions:
+ contents: read
+
 env:
 FORCE_COLOR: 3
 # For cmake:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 165a2fd8..858a4a0e 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,10 +3,15 @@ on:
 pull_request_target:
 types: [closed]
+permissions: {}
+
 jobs:
 label:
 name: Labeler
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
 - uses: actions/labeler@main
diff --git a/.github/workflows/pip.yml b/.github/workflows/pip.yml
index 6d9be3b1..c1feb6fe 100644
--- a/.github/workflows/pip.yml
+++ b/.github/workflows/pip.yml
@@ -12,6 +12,9 @@ on:
 types:
 - published
+permissions:
+ contents: read
+
 env:
 PIP_ONLY_BINARY: numpy
diff --git a/.github/workflows/upstream.yml b/.github/workflows/upstream.yml
index be643ddf..4acfbfce 100644
--- a/.github/workflows/upstream.yml
+++ b/.github/workflows/upstream.yml
@@ -5,6 +5,9 @@ on:
 workflow_dispatch:
 pull_request:
+permissions:
+ contents: read
+
 concurrency:
 group: upstream-${{ github.ref }}
 cancel-in-progress: true
|
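Review bot: `permissions: read-all` in ci.yml gives the workflow token read access to every scope, while the other workflows touched by this commit are limited to `contents: read`. The commit message shows the switch to read-all was deliberate, so presumably at least one job needs a scope beyond contents, but the hunk does not say which. Listing the scopes explicitly, or at minimum adding a comment above the key such as `# read-all because <job> needs <scope>: read`, would keep the least-privilege intent auditable when jobs are added later. The jobs themselves are outside the hunk, so the required scope cannot be confirmed from here.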
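Review bot: The `label` job in labeler.yml still runs `actions/labeler@main`, a mutable branch ref, under the `pull_request_target` trigger with the newly granted `pull-requests: write`. Whatever that branch contains at run time therefore executes with a write-capable token in the base repository's context. The top-level `permissions: {}` plus job-level grants bounds what the token can do, and pinning the action to a full commit SHA, `- uses: actions/labeler@<full-commit-sha>  # <release tag>`, would remove the remaining dependence on an upstream branch. The step list continues outside the hunk, so it is worth confirming no later step checks out or runs code from the pull request head.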