projects / systemd / .git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 10b1c3c)
ci: mimic the "restricted" mode
authorEvgeny Vereshchagin <evvers@ya.ru>
Sat, 13 Nov 2021 22:34:04 +0000 (22:34 +0000)
committerFrantisek Sumsal <frantisek@sumsal.cz>
Sun, 14 Nov 2021 10:41:06 +0000 (10:41 +0000)
Judging by https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
it should be enough to grant the "read contents" permission to
most of our actions. The "read metadata" permission is set impliciclty
somewhere and can't be set via the "permissions" setting:
```
The workflow is not valid. .github/workflows/linter.yml (Line: 14, Col: 3): Unexpected value 'metadata'
```

.github/workflows/build_test.yml patch | blob | history
.github/workflows/cifuzz.yml patch | blob | history
.github/workflows/coverity.yml patch | blob | history
.github/workflows/linter.yml patch | blob | history
.github/workflows/mkosi.yml patch | blob | history
.github/workflows/unit_tests.yml patch | blob | history

diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index c446fc41ba169704aae64d3e0d8c15586c2f3106..887dfabf0555f88dafeccc04e4df60c429b1c306 100644 (file)
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -12,7 +12,8 @@ on:
       - 'src/**'
       - 'test/fuzz/**'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 6c02b1da1e5063eef44e68703777bdeced5aa2cf..25a1a6ebebaf5fe1e7b8232bfaa8784d4a5d9303 100644 (file)
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -5,7 +5,8 @@
 
 name: CIFuzz
 
-permissions: read-all
+permissions:
+  contents: read
 
 on:
   pull_request:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 7b1d1217f38078503f948cbd85c0fca2ee351c72..a164d16fbf07ee0ee0eef63a5d2846d3fa55283d 100644 (file)
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -9,7 +9,8 @@ on:
     # Run Coverity daily at midnight
     - cron:  '0 0 * * *'
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 3905b7a6438203d2ac2674b737a2594fc09ddc58..7bceabd5ce3a862ef17561cff97f8875b07b0a14 100644 (file)
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -10,7 +10,8 @@ on:
       - main
       - v[0-9]+-stable
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   build:
diff --git a/.github/workflows/mkosi.yml b/.github/workflows/mkosi.yml
index 533c8be968018581b9bc8925dd63c76c8a714d04..6294742758dbc4db5de3bcb1c23f6b14e614219c 100644 (file)
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@@ -14,7 +14,8 @@ on:
       - main
       - v[0-9]+-stable
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   ci:
diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 3f37fe866bc0a3776b8dd5a5ae02d426ff6264cb..1458732d2b8e9f9fed554b9cb05fa9d0380215de 100644 (file)
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -9,7 +9,8 @@ on:
       - main
       - v[0-9]+-stable
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   build:
https://github.com/systemd/systemd.git