ci: Improved security on workflows. (#903)
Jaskowicz1 authored Oct 1, 2023
1 parent e5f0a71 commit 0cb41f5
Showing 12 changed files with 55 additions and 3 deletions.
2 changes: 1 addition & 1 deletion .github/labeler.yml
Expand Up @@ -25,7 +25,7 @@ packaging:
- '**Dockerfile'
submodules:
- '**.gitmodules'
github_action:
github_actions:
- '**/.github/labeler.yml'
- '**/.github/dependabot.yml'
- '**/.github/workflows/**'
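--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,9 +21,13 @@ on:
 - '**ci.yml'
 - '**CMakeLists.txt'
 
+permissions:
+contents: read
 
 jobs:
 linux-with-unit-test:
+permissions:
+contents: write
 concurrency:
 group: linux-build-unit-test
 cancel-in-progress: false
@@ -66,6 +70,8 @@ jobs:
 TEST_EVENT_ID: ${{secrets.TEST_EVENT_ID}}
 
 linux-no-unit-tests:
+permissions:
+contents: write
 name: Linux ${{matrix.cfg.arch}} (${{matrix.cfg.cpp-version}})
 runs-on: ${{matrix.cfg.os}}
 strategy:
@@ -116,6 +122,8 @@ jobs:
 path: '${{github.workspace}}/build/*.rpm'
 
 macos:
+permissions:
+contents: write
 name: macOS x64
 runs-on: macos-latest
 steps:
@@ -141,6 +149,8 @@ jobs:
 DONT_RUN_VCPKG: true
 
 windows: # Windows x64 and x86 build matrix
+permissions:
+contents: write
 strategy:
 fail-fast: false # Don't cancel other matrix jobs if one fails
 matrix:
@@ -206,6 +216,8 @@ jobs:
 path: '${{github.workspace}}/main/build/*.zip'
 
 cross-compiles:
+permissions:
+contents: write
 strategy:
 fail-fast: false
 matrix: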
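Review bot: Five jobs (linux-with-unit-test, linux-no-unit-tests, macos, windows, cross-compiles) are each given `contents: write` with no comment saying which step needs it, unlike every other workflow touched by this commit. The steps visible in these hunks only publish build output through artifact paths (`build/*.rpm`, `main/build/*.zip`), which needs no contents scope at all; only a step that pushes commits, tags or releases does, and any such step lies outside the hunks. If one exists, keep the grant on that job alone and annotate it, e.g. `contents: write # <release/upload step> publishes to the repository.`; otherwise let these jobs inherit the new workflow-level `contents: read`.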
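--- a/.github/workflows/construct-vcpkg-info.yml
+++ b/.github/workflows/construct-vcpkg-info.yml
@@ -5,8 +5,13 @@ on:
 types: [published]
 workflow_dispatch:
 
+permissions:
+contents: read
+
 jobs:
 Collect-Vcpkg-Info:
+permissions:
+contents: write # Allow the creation of a release.
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner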
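--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -7,8 +7,14 @@ on:
 schedule:
 - cron: '0 0 * * *'
 
+permissions:
+contents: read
+
 jobs:
 docker:
+permissions:
+deployments: write # Docker needs to be able to deploy and package.
+packages: write
 if: github.repository == 'brainboxdotcc/DPP'
 runs-on: ubuntu-latest
 concurrency: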
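Review bot: The docker job's `permissions:` block lists only `deployments: write` and `packages: write`, and a job-level block replaces the workflow-level `contents: read` rather than adding to it, so this job's token is left with no `contents` scope; if the job checks out the repository with `GITHUB_TOKEN` (its steps are outside the hunk), add `contents: read` to the job block. `deployments: write` is the Deployments API scope; building and pushing an image needs only `packages: write`, so unless a step actually creates a GitHub deployment that line can go. Proposed job block: `permissions:` / `contents: read` / `packages: write`. The same replace-not-merge rule applies to the `run` job in target-master.yml, which keeps only `pull-requests: write`.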
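--- a/.github/workflows/documentation-check.yml
+++ b/.github/workflows/documentation-check.yml
@@ -12,6 +12,9 @@ on:
 files:
 - '**/documentation-check.yml'
 
+permissions:
+contents: read # This only needs to read the contents of a PR.
+
 jobs:
 docs:
 name: Check Documentation Spelling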
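--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -9,8 +9,13 @@ on:
 - '**/*.h'
 - '**/documentation.yml'
 
+permissions:
+contents: read
+
 jobs:
 docs:
+permissions:
+contents: write # Needs to be able to write to the repo.
 name: Build Documentation
 runs-on: ubuntu-20.04
 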
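Review bot: The comment on the docs job's `contents: write` line, `# Needs to be able to write to the repo.`, restates the permission rather than justifying it; name the step that performs the write and the branch it pushes to, so a later reviewer can judge whether the scope is still required. The same comment text is used on the updater job in sitemap.yml and would benefit from the same treatment. The pushing step is outside this hunk, so the exact wording needs confirming from the rest of the job.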
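--- a/.github/workflows/gitguardian.yml
+++ b/.github/workflows/gitguardian.yml
@@ -2,6 +2,9 @@ name: GitGuardian scan
 
 on: [push]
 
+permissions:
+contents: read # GitGuardian only needs to read.
+
 jobs:
 scanning:
 name: GitGuardian scan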
3 changes: 1 addition & 2 deletions .github/workflows/labeler.yml
Expand Up @@ -8,8 +8,7 @@ permissions:
jobs:
triage:
permissions:
contents: read
pull-requests: write
pull-requests: write # Labeler needs to be able to add labels to PRs.
runs-on: ubuntu-latest
steps:
- name: Harden Runner
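Review bot: Removing `contents: read` from the triage job leaves its token with only `pull-requests: write`, but actions/labeler fetches its configuration file (`.github/labeler.yml`) from the repository with that token, and its documentation asks for `contents: read` alongside `pull-requests: write`. Which two of the printed lines were deleted cannot be told from the rendered page, so this assumes the deleted pair is `contents: read` and the uncommented `pull-requests: write`; the labeler step itself is outside the hunk. Restore the scope with its reason, e.g. `contents: read # actions/labeler reads .github/labeler.yml with this token.`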
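--- a/.github/workflows/sitemap.yml
+++ b/.github/workflows/sitemap.yml
@@ -3,8 +3,13 @@ on:
 schedule:
 - cron: '0 6 * * 6'
 
+permissions:
+contents: read
+
 jobs:
 updater:
+permissions:
+contents: write # Needs to be able to write to the repo.
 name: Generate Sitemap
 if: github.repository == 'brainboxdotcc/DPP'
 runs-on: ubuntu-20.04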
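--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,8 +3,14 @@ on:
 schedule:
 - cron: '30 1 * * *'
 
+permissions:
+contents: read # By default, only read.
+
 jobs:
 stale:
+permissions:
+issues: write # for actions/stale to close stale issues
+pull-requests: write # for actions/stale to close stale PRs
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner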
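--- a/.github/workflows/target-master.yml
+++ b/.github/workflows/target-master.yml
@@ -5,8 +5,13 @@ on:
 branches:
 - 'master'
 
+permissions:
+contents: read
+
 jobs:
 run:
+permissions:
+pull-requests: write # Needs to be able to close a PR.
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner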
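--- a/.github/workflows/test-docs-examples.yml
+++ b/.github/workflows/test-docs-examples.yml
@@ -11,6 +11,9 @@ on:
 - '**Doxyfile'
 - '**docpages/example_code/**'
 workflow_dispatch:
 
+permissions:
+contents: read
+
 jobs:
 test_docs_examples: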
