diff --git a/.github/workflows/EVENT_merge_to_master.yml b/.github/workflows/EVENT_merge_to_master.yml
index 791186ca6..d49415792 100644
--- a/.github/workflows/EVENT_merge_to_master.yml
+++ b/.github/workflows/EVENT_merge_to_master.yml
@@ -8,7 +8,7 @@ on:
 workflow_call:
 permissions:
- contents: write
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -41,6 +41,9 @@ jobs:
 if: ${{ success() }}
 name: Success
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ statuses: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
diff --git a/.github/workflows/EVENT_pull_request.yml b/.github/workflows/EVENT_pull_request.yml
index 33c2cc2b1..7c9f50e40 100644
--- a/.github/workflows/EVENT_pull_request.yml
+++ b/.github/workflows/EVENT_pull_request.yml
@@ -18,6 +18,8 @@ jobs:
 get_changed_files:
 name: Get changed files
 uses: ./.github/workflows/JOB_get_changed_files.yml
+ permissions:
+ contents: read
 format:
 name: Check format of python
@@ -25,6 +27,8 @@ jobs:
 uses: ./.github/workflows/JOB_format.yml
 with:
 files: ${{ needs.get_changed_files.outputs.python_changed_files }}
+ permissions:
+ contents: read
 lint:
 name: Lint python
@@ -32,6 +36,8 @@ jobs:
 uses: ./.github/workflows/JOB_lint.yml
 with:
 files: ${{ needs.get_changed_files.outputs.python_changed_files }}
+ permissions:
+ contents: read
 # typecheck:
 # name: Analyse types in python
@@ -39,7 +45,11 @@ jobs:
 # uses: ./.github/workflows/JOB_typecheck.yml
 # with:
 # files: ${{ needs.get_changed_files.outputs.python_changed_files }}
+ # permissions:
+ # contents: read
 run_tests:
 name: Run tests
 uses: ./.github/workflows/JOB_tests.yml
+ permissions:
+ contents: read
diff --git a/.github/workflows/EVENT_release.yml b/.github/workflows/EVENT_release.yml
index 088005d8c..7341c249b 100644
--- a/.github/workflows/EVENT_release.yml
+++ b/.github/workflows/EVENT_release.yml
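Review bot: The `contents: write` and `statuses: write` added to the Success job in the second hunk only apply when EVENT_merge_to_master.yml runs on its own; the `on: workflow_call:` trigger visible in the first hunk means a calling workflow hands over a token whose scopes a called workflow can narrow but never widen, so a caller that passes the new workflow-level `contents: read` leaves this job with a read-only token and its push or status-update step would fail with a 403 at runtime rather than at validation. The requirement is worth stating where the scopes are declared, e.g. `# callers via workflow_call must grant contents: write and statuses: write`. The Success job's steps continue outside the hunk, so which step actually needs each scope cannot be confirmed here.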
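Review bot: Every job in EVENT_pull_request.yml now carries its own `permissions: contents: read`, but none of the four hunks shows a workflow-level `permissions:` block (the file begins above line 18, outside the diff); if there is none, a job added later without its own block inherits the repository's default GITHUB_TOKEN permissions, which may still be read-write, so a workflow-level `permissions:` / `contents: read` default would close that gap and make the per-job blocks harmless duplicates. Because each of these jobs calls a reusable workflow with `uses:`, the called workflow's jobs are capped at the scopes passed from here, so JOB_format.yml, JOB_lint.yml and JOB_tests.yml now fail if any of them posts check annotations or PR comments that need `checks: write` or `pull-requests: write` — presumably they do not, but it should be confirmed. The same missing-default question applies to JOB_e2e.yml and JOB_lint.yml further down, and `permissions:` is placed after `uses:`/`with:` here but before `strategy:` in JOB_e2e.yml; one position file-wide would read more consistently.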
@@ -23,7 +23,7 @@ on:
 required: false
 permissions:
- contents: write
+ contents: read
 env:
 release_id: ${{ inputs.release_id || github.event.release.id }}
@@ -34,6 +34,8 @@ env:
 jobs:
 validate_tag:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -73,6 +75,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 id-token: write
+ contents: write
 steps:
 - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 with:
@@ -101,6 +104,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 id-token: write
+ contents: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
diff --git a/.github/workflows/EVENT_tag.yml b/.github/workflows/EVENT_tag.yml
index db2366f4a..bd4c16c0a 100644
--- a/.github/workflows/EVENT_tag.yml
+++ b/.github/workflows/EVENT_tag.yml
@@ -21,6 +21,8 @@ jobs:
 create_release:
 name: Create Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -41,4 +43,3 @@ jobs:
 release_name: ${{ github.ref }}
 draft: true
 prerelease: false
-
diff --git a/.github/workflows/EVENT_update-linear-labels.yml b/.github/workflows/EVENT_update-linear-labels.yml
index 1ec8f1ffa..a95b76b7f 100644
--- a/.github/workflows/EVENT_update-linear-labels.yml
+++ b/.github/workflows/EVENT_update-linear-labels.yml
@@ -13,6 +13,8 @@ jobs:
 if: github.ref_name != 'master' && !github.event.pull_request.head.repo.fork
 name: Update Linear
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
diff --git a/.github/workflows/JOB_check-master-can-release.yml b/.github/workflows/JOB_check-master-can-release.yml
index 3b9bef353..aecc78304 100644
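Review bot: The EVENT_release.yml job at new line 75 now holds both `id-token: write` and `contents: write`, and its first step is `actions/checkout` with no preceding `step-security/harden-runner` step, unlike every other job touched by this change, including the sibling job at new line 104 that receives the same two scopes. A job carrying OIDC plus repository write is the highest-privilege combination in this diff, so it is exactly where the runner egress policy the other jobs apply matters most; add the Harden Runner step before the checkout as in the other jobs, or leave a comment on the job stating why it is omitted. The job-level `contents: read` added to validate_tag merely restates the new workflow-level default and is harmless. Both jobs' step lists continue outside the hunks.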
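Review bot: The Update Linear job in EVENT_update-linear-labels.yml is granted `contents: write`, but a job that edits pull-request labels exercises the issues/pull-requests API, which needs `pull-requests: write` (or `issues: write`), not `contents: write`, which covers repository-content writes only; the steps that use the token are outside the hunk, so confirm which scope they actually call and grant exactly that. If the file sets a workflow-level `permissions:` block (not visible here), every scope not listed on this job is now `none`, and a missing `pull-requests: write` would only surface as a 403 at runtime. A one-line comment naming the consumer, e.g. `# write scope used by: <step that edits labels>`, would make the grant reviewable; the existing `!github.event.pull_request.head.repo.fork` guard is the right complement and should stay.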
--- a/.github/workflows/JOB_check-master-can-release.yml
+++ b/.github/workflows/JOB_check-master-can-release.yml
@@ -10,6 +10,8 @@ permissions:
 jobs:
 check-master-can-release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
@@ -51,4 +53,3 @@ jobs:
 if (commits.length === 0) {
 throw new Error('No commits in master since last release');
 }
-
diff --git a/.github/workflows/JOB_e2e.yml b/.github/workflows/JOB_e2e.yml
index 62db2670e..9fc8d1705 100644
--- a/.github/workflows/JOB_e2e.yml
+++ b/.github/workflows/JOB_e2e.yml
@@ -21,6 +21,8 @@ on:
 jobs:
 e2e:
 name: End to End Testing
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -62,6 +64,8 @@ jobs:
 name: Slack Notifier Bot
 needs: e2e
 if: failure() && github.event_name == 'schedule'
+ permissions:
+ contents: read
 uses: ./.github/workflows/JOB_slack_message.yml
 with:
 message: |
diff --git a/.github/workflows/JOB_lint.yml b/.github/workflows/JOB_lint.yml
index 269fd72f6..3aa556782 100644
--- a/.github/workflows/JOB_lint.yml
+++ b/.github/workflows/JOB_lint.yml
@@ -16,6 +16,8 @@ jobs:
 lint:
 if: ${{ inputs.files != '' }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
diff --git a/deploy/_filter_files.py b/deploy/_filter_files.py
index ae183fa44..23856c96d 100755
--- a/deploy/_filter_files.py
+++ b/deploy/_filter_files.py
@@ -11,11 +11,7 @@ def main(argv: List[str]) -> None:
 if file_extension.startswith("."):
 file_extension = file_extension[1:]
- files_out = [
- file
- for file in files_in
- if file.endswith(f".{file_extension}") and "future" in file
- ]
+ files_out = [file for file in files_in if file.endswith(f".{file_extension}")]
 print(" ".join(files_out))
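Review bot: The hunk header for JOB_check-master-can-release.yml names a workflow-level `permissions:` block (above line 10, outside the diff), so the job-level `contents: read` added to check-master-can-release either repeats it or narrows it, and the diff does not show which. If it is a deliberate guard so that this job stays read-only regardless of later edits to the workflow-level block, say so above it with `# keep read-only: this job only reads commits since the last release`; if the workflow-level block already says `contents: read`, the duplicate is noise and can be dropped. The job's steps, including the script whose tail appears in the second hunk, continue outside the first hunk.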