Harden CI permissions (#4950)
This commit is contained in:
commit
9e86c44f7c
3
.github/workflows/backport.yml
vendored
3
.github/workflows/backport.yml
vendored
|
|
@ -8,8 +8,7 @@ on:
|
|||
# the GitHub repository. This means that it should not evaluate user input in a
|
||||
# way that allows code injection.
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
backport:
|
||||
|
|
|
|||
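Review bot: With the workflow-level block now `permissions: {}`, the `backport` job only gets a usable token if it declares its own `permissions:` block, and the job body starts outside the hunk, so that cannot be confirmed from here. The same applies to `blocked_status` in blocked-prs.yml, `update-blocked-status` in merge-blocking-pr.yml and `label` in stale.yml, whose hunks also stop at the job name. Given the header comment above already says this workflow must not evaluate user input in an injectable way, it is worth confirming that the job-level grant is limited to the scopes the backport step actually needs, and adding a comment above each scope naming the step that requires it, in the style build.yml uses with `# Required for Azure Trusted Signing`.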
2
.github/workflows/blocked-prs.yml
vendored
2
.github/workflows/blocked-prs.yml
vendored
|
|
@ -14,6 +14,8 @@ on:
|
|||
required: true
|
||||
type: number
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
blocked_status:
|
||||
name: Check Blocked Status
|
||||
|
|
|
|||
3
.github/workflows/build.yml
vendored
3
.github/workflows/build.yml
vendored
|
|
@ -24,6 +24,8 @@ on:
|
|||
type: string
|
||||
default: Debug
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
build:
|
||||
name: Build (${{ matrix.artifact-name }})
|
||||
|
|
@ -31,6 +33,7 @@ jobs:
|
|||
environment: ${{ inputs.environment || '' }}
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
# Required for Azure Trusted Signing
|
||||
id-token: write
|
||||
# Required for vcpkg binary cache
|
||||
|
|
|
|||
6
.github/workflows/codeql.yml
vendored
6
.github/workflows/codeql.yml
vendored
|
|
@ -10,10 +10,16 @@ on:
|
|||
pull_request:
|
||||
workflow_dispatch:
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
CodeQL:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v6
|
||||
|
|
|
|||
2
.github/workflows/merge-blocking-pr.yml
vendored
2
.github/workflows/merge-blocking-pr.yml
vendored
|
|
@ -11,6 +11,8 @@ on:
|
|||
required: true
|
||||
type: number
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
update-blocked-status:
|
||||
name: Update Blocked Status
|
||||
|
|
|
|||
6
.github/workflows/nix.yml
vendored
6
.github/workflows/nix.yml
vendored
|
|
@ -66,8 +66,7 @@ on:
|
|||
- ".github/workflows/nix.yml"
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
permissions: {}
|
||||
|
||||
env:
|
||||
DEBUG: ${{ github.ref_type != 'tag' }}
|
||||
|
|
@ -76,6 +75,9 @@ jobs:
|
|||
build:
|
||||
name: Build (${{ matrix.system }})
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
|
|
|
|||
6
.github/workflows/publish.yml
vendored
6
.github/workflows/publish.yml
vendored
|
|
@ -4,13 +4,15 @@ on:
|
|||
release:
|
||||
types: [ released ]
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
winget:
|
||||
name: Winget
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
runs-on: ubuntu-slim
|
||||
|
||||
steps:
|
||||
|
|
|
|||
10
.github/workflows/release.yml
vendored
10
.github/workflows/release.yml
vendored
|
|
@ -5,10 +5,18 @@ on:
|
|||
tags:
|
||||
- "*"
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
build_release:
|
||||
name: Build Release
|
||||
uses: ./.github/workflows/build.yml
|
||||
permissions:
|
||||
contents: read
|
||||
# Required for Azure Trusted Signing
|
||||
id-token: write
|
||||
# Required for vcpkg binary cache
|
||||
packages: write
|
||||
with:
|
||||
build-type: Release
|
||||
environment: Release
|
||||
|
|
@ -16,6 +24,8 @@ jobs:
|
|||
|
||||
create_release:
|
||||
needs: build_release
|
||||
permissions:
|
||||
contents: write
|
||||
runs-on: ubuntu-slim
|
||||
outputs:
|
||||
upload_url: ${{ steps.create_release.outputs.upload_url }}
|
||||
|
|
|
|||
2
.github/workflows/stale.yml
vendored
2
.github/workflows/stale.yml
vendored
|
|
@ -6,6 +6,8 @@ on:
|
|||
- cron: "0 0 * * 0"
|
||||
workflow_dispatch:
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
label:
|
||||
name: Label issues and PRs
|
||||
|
|
|
|||
9
.github/workflows/update-flake.yml
vendored
9
.github/workflows/update-flake.yml
vendored
|
|
@ -6,13 +6,16 @@ on:
|
|||
- cron: "0 0 * * 0"
|
||||
workflow_dispatch:
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
update-flake:
|
||||
if: github.repository == 'PrismLauncher/PrismLauncher'
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
pull-requests: write
|
||||
|
||||
runs-on: ubuntu-slim
|
||||
|
||||
steps:
|
||||
|
|
|
|||