open-source-mirrors
/
recyclarr
mirror of https://github.com/recyclarr/recyclarr
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ci: Explicit and more restrictive workflow permissions

Browse Source 
Implements principle of least privilege
pull/438/head
Robert Dailey 1 month ago
parent 12f5de55ea
commit 69756e4269
8 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File

4
.github/workflows/build.yml vendored
Unescape View File

@ -5,6 +5,8 @@ on:
push:
pull_request:
permissions: read-all
jobs:
#############################################
build-win:
@ -153,6 +155,8 @@ jobs:
name: Release
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
permissions:
contents: write
needs:
- build-win
- build-linux

2
.github/workflows/docker-hub.yml vendored
Unescape View File

@ -9,6 +9,8 @@ on:
- .github/workflows/docker-hub.yml
workflow_dispatch:
permissions: read-all
jobs:
readme:
name: Update Repo Metadata

2
.github/workflows/inspect-code.yml vendored
Unescape View File

@ -18,6 +18,8 @@ env:
(github.event.base_ref || github.event.pull_request.base.ref || 'master') }}
dotnetVersion: 9.0.x
permissions: read-all
jobs:
inspect:
name: Resharper Inspect Code

2
.github/workflows/markdown-lint.yml vendored
Unescape View File

@ -17,6 +17,8 @@ on:
- "!src/**"
- "!tests/**"
permissions: read-all
jobs:
markdownlint:
name: Markdown Lint

2
.github/workflows/notify.yml vendored
Unescape View File

@ -14,6 +14,8 @@ on:
env:
TAG: ${{ github.event.release.tag_name || github.event.inputs.tag_name }}
permissions: read-all
jobs:
notify:
name: Discord Notification

2
.github/workflows/reusable-build.yml vendored
Unescape View File

@ -16,6 +16,8 @@ on:
env:
dotnetVersion: 9.0.x
permissions: read-all
jobs:
build:
name: Build, Test, Smoke

2
.github/workflows/reusable-docker.yml vendored
Unescape View File

@ -5,6 +5,8 @@ on:
env:
SHOULD_PUBLISH: ${{ startsWith(github.ref, 'refs/tags/') || github.ref_name == 'master' }}
permissions: read-all
jobs:
docker:
name: Build & Push Docker Image

2
.github/workflows/sonarcloud.yml vendored
Unescape View File

@ -27,6 +27,8 @@ on:
env:
dotnetVersion: 9.0.x
permissions: read-all
jobs:
sonarcloud:
name: SonarCloud

Write Preview
Loading…
Cancel
Save