From b182f81a62243c0f05baee8c92b81cd1cc894f35 Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 16:17:38 +0200
Subject: [PATCH 1/2] build: harden GnuTests.yml permissions
Signed-off-by: Alex
---
 .github/workflows/GnuTests.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/GnuTests.yml b/.github/workflows/GnuTests.yml
index 2820c8eae..b36a97cac 100644
--- a/.github/workflows/GnuTests.yml
+++ b/.github/workflows/GnuTests.yml
@@ -6,6 +6,9 @@ name: GnuTests
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 gnu:
 permissions:
From 1138c906fe9875ecd1dc778dd274875204e2941a Mon Sep 17 00:00:00 2001
From: Alex
Date: Sun, 25 Sep 2022 16:30:33 +0200
Subject: [PATCH 2/2] build: harden CICD.yml permissions
Signed-off-by: Alex
---
 .github/workflows/CICD.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml
index e59265aea..f7f54771b 100644
--- a/.github/workflows/CICD.yml
+++ b/.github/workflows/CICD.yml
@@ -17,6 +17,9 @@ env:
 on: [push, pull_request]
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 cargo-deny:
 name: Style/cargo-deny
@@ -532,6 +535,9 @@ jobs:
 path: size-result.json
 build:
+ permissions:
+ contents: write # to create GitHub release (softprops/action-gh-release)
+
 name: Build
 needs: [ min_version, deps ]
 runs-on: ${{ matrix.job.os }}
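Review bot: The top-level `permissions:` block added to GnuTests.yml has no comment saying why `contents: read` is needed, while the matching block in CICD.yml (second patch) carries `# to fetch code (actions/checkout)`; adding the same trailing comment here keeps the two workflows consistent. A job-level `permissions:` block replaces the workflow-level one rather than merging with it, so the `gnu` job, whose own block starts on the last context line and continues outside the hunk, is not narrowed by this default and should be checked separately. Any scope not listed at the level that applies becomes `none`, which also holds for the top-level block added to CICD.yml, so jobs there that use the token for anything beyond checkout need their own block.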
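Review bot: `contents: write` is granted to the whole `build` job in CICD.yml, so every step in it, including compilation of the checked-out code and any third-party action, runs with a token that can modify repository contents and releases on each `push` run, not only when a release is published. The trailing comment says the scope exists only for softprops/action-gh-release; moving that step into a separate job that depends on `build`, carries the `contents: write` block and is gated on the release condition would leave `build` on the workflow default of `contents: read`. The `build` job continues outside the hunk, so the release step and its `if:` condition are not visible here; the sketch below assumes a tag-based condition and should take over whatever condition the step already uses.

```yaml
  build:
    name: Build
    # … unchanged: needs, runs-on, build and packaging steps; no job-level permissions, so the workflow default (contents: read) applies …

  # sketch: job name, runner and condition are placeholders to adapt
  publish-release:
    name: Publish release
    needs: [ build ]
    if: startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-latest
    permissions:
      contents: write # to create GitHub release (softprops/action-gh-release)
    steps:
      # … fetch the packaged artifacts produced by build, then run the existing softprops/action-gh-release step …
```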