mirror of
https://github.com/ivuorinen/hiha-arvio.git
synced 2026-01-26 03:14:00 +00:00
security: add explicit permissions to all workflow jobs
- Add least-privilege permissions to all GitHub Actions jobs - Fixes 8 CodeQL security findings (actions/missing-workflow-permissions) - Build jobs: contents:read, actions:write - Release job: contents:write, actions:read - Test job: contents:read, checks:write, actions:write - Status jobs: no permissions needed Follows principle of least privilege and GitHub Actions security best practices.
This commit is contained in:
7
.github/workflows/build.yml
vendored
7
.github/workflows/build.yml
vendored
@@ -11,6 +11,9 @@ jobs:
|
||||
build-ios:
|
||||
name: Build iOS
|
||||
runs-on: macos-latest
|
||||
permissions:
|
||||
contents: read
|
||||
actions: write
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
@@ -39,6 +42,9 @@ jobs:
|
||||
build-maccatalyst:
|
||||
name: Build macOS Catalyst
|
||||
runs-on: macos-latest
|
||||
permissions:
|
||||
contents: read
|
||||
actions: write
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
@@ -69,6 +75,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [build-ios, build-maccatalyst]
|
||||
if: always()
|
||||
permissions: {}
|
||||
|
||||
steps:
|
||||
- name: Check build status
|
||||
|
||||
10
.github/workflows/publish.yml
vendored
10
.github/workflows/publish.yml
vendored
@@ -18,6 +18,9 @@ jobs:
|
||||
build-ios:
|
||||
name: Build iOS
|
||||
runs-on: macos-latest
|
||||
permissions:
|
||||
contents: read
|
||||
actions: write
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
@@ -72,6 +75,9 @@ jobs:
|
||||
build-maccatalyst:
|
||||
name: Build macOS
|
||||
runs-on: macos-latest
|
||||
permissions:
|
||||
contents: read
|
||||
actions: write
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
@@ -128,6 +134,9 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [build-ios, build-maccatalyst]
|
||||
if: always() && needs.build-ios.result == 'success' && needs.build-maccatalyst.result == 'success'
|
||||
permissions:
|
||||
contents: write
|
||||
actions: read
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
@@ -203,6 +212,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [build-ios, build-maccatalyst, create-release]
|
||||
if: always()
|
||||
permissions: {}
|
||||
|
||||
steps:
|
||||
- name: Check publish status
|
||||
|
||||
4
.github/workflows/test.yml
vendored
4
.github/workflows/test.yml
vendored
@@ -10,6 +10,10 @@ jobs:
|
||||
test:
|
||||
name: Run Tests
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
contents: read
|
||||
checks: write
|
||||
actions: write
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
|
||||
Reference in New Issue
Block a user