From aee5051526414af60ce50ad9d31985e405fdb80e Mon Sep 17 00:00:00 2001
From: Wilson Snyder
Date: Sun, 11 May 2025 17:43:48 -0400
Subject: [PATCH] CI: Reduce action permissions per best practices
---
 .github/workflows/build.yml | 3 +++
 .github/workflows/contributor.yml | 2 ++
 .github/workflows/coverage.yml | 3 +++
 .github/workflows/docker.yml | 3 +++
 .github/workflows/format.yml | 2 ++
 .github/workflows/msbuild.yml | 2 ++
 .github/workflows/reusable-rtlmeter-run.yml | 2 +-
 .github/workflows/rtlmeter.yml | 9 +++++----
 8 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d90bc3241..f5d4e7978 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,9 @@ on:
 schedule:
 - cron: '0 0 * * 0' # weekly
 
+permissions:
+ contents: read
+
 defaults:
 run:
 shell: bash
diff --git a/.github/workflows/contributor.yml b/.github/workflows/contributor.yml
index 6485aaf48..64128c3b8 100644
--- a/.github/workflows/contributor.yml
+++ b/.github/workflows/contributor.yml
@@ -7,6 +7,8 @@ on:
 push:
 pull_request:
 workflow_dispatch:
+permissions:
+ contents: read
 jobs:
 Test:
 name: "'docs/CONTRIBUTORS' was signed"
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 5fb56e65a..970b93efb 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -9,6 +9,9 @@ on:
 schedule:
 - cron: '0 0 * * 0' # weekly
 
+permissions:
+ contents: read
+
 env:
 CI_OS_NAME: linux
 CI_COMMIT: ${{ github.sha }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index af7a21502..fa59cadb2 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -22,6 +22,9 @@ on:
 type: boolean
 default: false
 
+permissions:
+ contents: write
+
 jobs:
 build:
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
index 4fbd884c5..ba0d6a892 100644
--- a/.github/workflows/format.yml
+++ b/.github/workflows/format.yml
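Review bot: The `contents: write` grant added to docker.yml is workflow-level, so every job in the file — including the `build` job visible at the end of the hunk, which runs on whatever triggers the workflow — receives a push-capable GITHUB_TOKEN, not just the step that publishes. A workflow-level `permissions:` block also resets every scope it does not list to none, so if a later step pushes images to GHCR it now lacks `packages: write`; that step is outside the hunk, so this is worth confirming rather than assuming. The least-privilege shape is `permissions:` / `  contents: read` at the top and a job-level `permissions:` block with only the scopes the publishing job actually uses.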
@@ -7,6 +7,8 @@ on:
 push:
 pull_request_target:
 workflow_dispatch:
+permissions:
+ contents: write
 jobs:
 format:
 runs-on: ubuntu-22.04
diff --git a/.github/workflows/msbuild.yml b/.github/workflows/msbuild.yml
index b7e5677c6..4555e497d 100644
--- a/.github/workflows/msbuild.yml
+++ b/.github/workflows/msbuild.yml
@@ -10,6 +10,8 @@ on:
 workflow_dispatch:
 schedule:
 - cron: 0 0 * * 0 # weekly
+permissions:
+ contents: read
 env:
 CI_OS_NAME: win
 CI_COMMIT: ${{ github.sha }}
diff --git a/.github/workflows/reusable-rtlmeter-run.yml b/.github/workflows/reusable-rtlmeter-run.yml
index 12f73a3de..e3d62fd3b 100644
--- a/.github/workflows/reusable-rtlmeter-run.yml
+++ b/.github/workflows/reusable-rtlmeter-run.yml
@@ -84,7 +84,7 @@ jobs:
 - name: Execute cases
 working-directory: rtlmeter
- continue-on-error: true # Do not fail on error, so we can at leat save the successful results
+ continue-on-error: true # Do not fail on error, so we can at leat save the successful results
 run: |
 ./rtlmeter run --verbose --cases='${{ inputs.cases }}' --compileArgs='${{ inputs.compileArgs }}' --executeArgs='${{ inputs.executeArgs }}'
 # My YAML highlighter sucks, so I put this comment here wiht a phony closing quote mark to make it work: '
diff --git a/.github/workflows/rtlmeter.yml b/.github/workflows/rtlmeter.yml
index cb2e43edf..549da1950 100644
--- a/.github/workflows/rtlmeter.yml
+++ b/.github/workflows/rtlmeter.yml
@@ -10,6 +10,9 @@ on:
 schedule:
 - cron: '0 2 * * *' # Daily, starting at 02:00 UTC
 
+permissions:
+ contents: read
+
 defaults:
 run:
 shell: bash
@@ -115,10 +118,8 @@ jobs:
 combine-results:
 name: Combine results
- needs:
- - run-gcc
- - run-clang
- if: ${{ always() }} # Run even if dependencies failed
+ needs: [run-gcc, run-clang]
+ if: ${{ always() }} # Run even if dependencies failed
 runs-on: ubuntu-24.04
 steps:
 - name: Download all GCC results
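Review bot: The new `contents: write` in format.yml sits at workflow level directly under a `pull_request_target:` trigger, and that event runs the workflow with the base repository's secrets and a write-capable GITHUB_TOKEN even when the pull request comes from a fork. Whether this is actually exploitable depends on whether the `format` job checks out and executes code from the PR head (its steps are outside the hunk), but that is exactly the combination GitHub's guidance on `pull_request_target` warns about, and the commit's stated goal is least privilege. Keep the workflow default at `permissions:` / `  contents: read` and grant `contents: write` on the `format` job only, with an `if:` that excludes fork heads, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, so untrusted PR code never runs with a push-capable token.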
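Review bot: The `if: ${{ always() }}` kept on `combine-results` also fires when the workflow run is cancelled, so a cancelled nightly still starts an ubuntu-24.04 runner to download whatever partial artifacts exist. If the intent is only what the comment says — run even when `run-gcc` or `run-clang` failed — `if: ${{ !cancelled() }}` expresses that and skips the cancelled case. The job's steps continue past the end of the hunk, so I cannot tell whether any of them tolerate missing artifacts.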