From eb2db3cd7043b5e0dc4905d24b72f4f09691c3db Mon Sep 17 00:00:00 2001
From: "Matthias J. Kannwischer"
Date: Wed, 30 Oct 2024 12:09:11 +0800
Subject: [PATCH] CI: Set top-level workflow permissions to contents: read

Most of our jobs don't need any extra permissions, and if they do, this is already set on the job level. This was flagged by the security code scanning: e.g., https://github.com/pq-code-package/mlkem-c-aarch64/security/code-scanning/60

Signed-off-by: Matthias J. Kannwischer
---
 .github/workflows/bench.yml | 2 ++
 .github/workflows/bench_ec2_any.yml | 2 ++
 .github/workflows/bench_ec2_reusable.yml | 2 ++
 .github/workflows/ci.yml | 2 ++
 .github/workflows/ci_ec2_any.yml | 2 ++
 .github/workflows/ci_ec2_reusable.yml | 2 ++
 6 files changed, 12 insertions(+)

diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
index 6c71504a2..2bd16ea4f 100644
--- a/.github/workflows/bench.yml
+++ b/.github/workflows/bench.yml
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: Apache-2.0
 name: Bench
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 push:
diff --git a/.github/workflows/bench_ec2_any.yml b/.github/workflows/bench_ec2_any.yml
index 944414069..6d078a0cf 100644
--- a/.github/workflows/bench_ec2_any.yml
+++ b/.github/workflows/bench_ec2_any.yml
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: Apache-2.0
 name: bench-ec2-any
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 inputs:
diff --git a/.github/workflows/bench_ec2_reusable.yml b/.github/workflows/bench_ec2_reusable.yml
index fe098f325..bcb079ade 100644
--- a/.github/workflows/bench_ec2_reusable.yml
+++ b/.github/workflows/bench_ec2_reusable.yml
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: Apache-2.0
 name: bench-ec2-reusable
+permissions:
+ contents: read
 on:
 workflow_call:
 inputs:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 00a0874f3..b7bbac609 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
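Review bot: Declaring `permissions` at the top level sets every scope not listed (`id-token`, `pull-requests`, `actions`, `packages`, …) to `none` for all jobs in the file, so the change is only safe if each job that needs more opts in at job level; the jobs sit outside these hunks, so the commit message's claim that this is already done cannot be checked from the diff. The ec2 workflows are the ones to verify first: a job that obtains cloud credentials via OIDC would presumably need `id-token: write`, and a benchmark job that publishes results would need a write scope. The same hunk is repeated in bench_ec2_any.yml, bench_ec2_reusable.yml, ci.yml, ci_ec2_any.yml and ci_ec2_reusable.yml; this note covers all six. A comment above the block would make the intent durable, e.g. `# Read-only by default; a job that needs more (e.g. id-token: write for OIDC) must request it at job level.`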
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: Apache-2.0
 name: CI
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 push:
diff --git a/.github/workflows/ci_ec2_any.yml b/.github/workflows/ci_ec2_any.yml
index ed15d3084..ae9f38787 100644
--- a/.github/workflows/ci_ec2_any.yml
+++ b/.github/workflows/ci_ec2_any.yml
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: Apache-2.0
 name: ci-ec2-any
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 inputs:
diff --git a/.github/workflows/ci_ec2_reusable.yml b/.github/workflows/ci_ec2_reusable.yml
index af0de4fcb..be8f125c6 100644
--- a/.github/workflows/ci_ec2_reusable.yml
+++ b/.github/workflows/ci_ec2_reusable.yml
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: Apache-2.0
 name: ci-ec2-reusable
+permissions:
+ contents: read
 on:
 workflow_call:
 inputs: