diff --git a/.github/workflows/check-certificates.yml b/.github/workflows/check-certificates.yml
index f6f6feb54..94e4d9662 100644
--- a/.github/workflows/check-certificates.yml
+++ b/.github/workflows/check-certificates.yml
@@ -27,6 +27,7 @@ jobs:
(github.event_name != 'pull_request' && github.repository == 'arduino/arduino-lint') ||
(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'arduino/arduino-lint')
runs-on: ubuntu-latest
+ permissions: {}
strategy:
fail-fast: false
diff --git a/.github/workflows/check-code-generation-task.yml b/.github/workflows/check-code-generation-task.yml
index ce58df7f1..cc5a18929 100644
--- a/.github/workflows/check-code-generation-task.yml
+++ b/.github/workflows/check-code-generation-task.yml
@@ -28,6 +28,7 @@ jobs:
runs-on: ubuntu-latest
outputs:
result: ${{ steps.determination.outputs.result }}
+ permissions: {}
steps:
- name: Determine if the rest of the workflow should run
id: determination
@@ -51,6 +52,7 @@ jobs:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
+ permissions: {}
steps:
- name: Checkout local repository
diff --git a/.github/workflows/check-general-formatting-task.yml b/.github/workflows/check-general-formatting-task.yml
index e1c202b66..fdac37332 100644
--- a/.github/workflows/check-general-formatting-task.yml
+++ b/.github/workflows/check-general-formatting-task.yml
@@ -14,6 +14,8 @@ on:
jobs:
check:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Set environment variables
diff --git a/.github/workflows/check-go-dependencies-task.yml b/.github/workflows/check-go-dependencies-task.yml
index f502f907d..c62a2eb86 100644
--- a/.github/workflows/check-go-dependencies-task.yml
+++ b/.github/workflows/check-go-dependencies-task.yml
@@ -37,6 +37,7 @@ on:
jobs:
run-determination:
runs-on: ubuntu-latest
+ permissions: {}
outputs:
result: ${{ steps.determination.outputs.result }}
steps:
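Review bot: Each hunk in this diff grants `permissions` per job, but the region between `on:` and `jobs:` where a workflow-level default would live is outside every hunk, so if the files do not already declare one, a job added later without its own key still receives the repository's default `GITHUB_TOKEN` scopes. A top-level `permissions: {}` (or `contents: read` for the check workflows) directly after the `on:` block would make least privilege the baseline, with the per-job grants in this change overriding it where needed. This applies to all of the workflows touched here, not only check-certificates.yml. The `if: >` scalar whose continuation lines open this hunk starts above the hunk.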
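Review bot: The position of the new `permissions` key varies between otherwise identical run-determination jobs: check-code-generation-task.yml (and publish-go-tester-task.yml, test-go-integration-task.yml, test-go-task.yml) insert `permissions: {}` after the `outputs:` mapping, while check-go-dependencies-task.yml, check-go-task.yml and deploy-cobra-mkdocs-versioned-poetry.yml insert it before `outputs:`, and test-install.yml makes it the first key of each job. Since these workflows are shared templates that are kept in sync, one fixed position — immediately after `runs-on:` is the common choice — keeps them diffable against each other and against their upstream template. Style only; either order is valid YAML.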
@@ -62,6 +63,8 @@ jobs:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
@@ -118,6 +121,8 @@ jobs:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
diff --git a/.github/workflows/check-go-task.yml b/.github/workflows/check-go-task.yml
index 8f0c89862..b99650ef4 100644
--- a/.github/workflows/check-go-task.yml
+++ b/.github/workflows/check-go-task.yml
@@ -28,6 +28,7 @@ on:
jobs:
run-determination:
runs-on: ubuntu-latest
+ permissions: {}
outputs:
result: ${{ steps.determination.outputs.result }}
steps:
@@ -54,6 +55,8 @@ jobs:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
+ permissions:
+ contents: read
strategy:
fail-fast: false
@@ -89,6 +92,8 @@ jobs:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
+ permissions:
+ contents: read
strategy:
fail-fast: false
@@ -127,6 +132,8 @@ jobs:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
+ permissions:
+ contents: read
strategy:
fail-fast: false
@@ -165,6 +172,8 @@ jobs:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
+ permissions:
+ contents: read
strategy:
fail-fast: false
@@ -203,6 +212,8 @@ jobs:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
+ permissions:
+ contents: read
strategy:
fail-fast: false
diff --git a/.github/workflows/check-license.yml b/.github/workflows/check-license.yml
index 7fc08d060..9bb2d3398 100644
--- a/.github/workflows/check-license.yml
+++ b/.github/workflows/check-license.yml
@@ -31,6 +31,8 @@ on:
jobs:
check-license:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
diff --git a/.github/workflows/check-markdown-task.yml b/.github/workflows/check-markdown-task.yml
index 5a17b249c..747fcbb0f 100644
--- a/.github/workflows/check-markdown-task.yml
+++ b/.github/workflows/check-markdown-task.yml
@@ -36,6 +36,8 @@ on:
jobs:
lint:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
@@ -55,6 +57,8 @@ jobs:
links:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
diff --git a/.github/workflows/check-mkdocs-task.yml b/.github/workflows/check-mkdocs-task.yml
index 669456638..cbac829b5 100644
--- a/.github/workflows/check-mkdocs-task.yml
+++ b/.github/workflows/check-mkdocs-task.yml
@@ -37,6 +37,8 @@ on:
jobs:
check:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
diff --git a/.github/workflows/check-prettier-formatting-task.yml b/.github/workflows/check-prettier-formatting-task.yml
index 68247c876..d89bb09a0 100644
--- a/.github/workflows/check-prettier-formatting-task.yml
+++ b/.github/workflows/check-prettier-formatting-task.yml
@@ -201,6 +201,8 @@ on:
jobs:
check:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
diff --git a/.github/workflows/check-python-task.yml b/.github/workflows/check-python-task.yml
index 81762a784..946c10147 100644
--- a/.github/workflows/check-python-task.yml
+++ b/.github/workflows/check-python-task.yml
@@ -33,6 +33,8 @@ on:
jobs:
lint:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
@@ -60,6 +62,8 @@ jobs:
formatting:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
diff --git a/.github/workflows/check-shell-task.yml b/.github/workflows/check-shell-task.yml
index 837585cce..dce1620ae 100644
--- a/.github/workflows/check-shell-task.yml
+++ b/.github/workflows/check-shell-task.yml
@@ -27,6 +27,8 @@ jobs:
lint:
name: ${{ matrix.configuration.name }}
runs-on: ubuntu-latest
+ permissions:
+ contents: read
env:
# See: https://github.com/koalaman/shellcheck/releases/latest
@@ -89,6 +91,8 @@ jobs:
formatting:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Set environment variables
@@ -132,6 +136,8 @@ jobs:
executable:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
diff --git a/.github/workflows/check-workflows-task.yml b/.github/workflows/check-workflows-task.yml
index 5b5287c52..60a44e049 100644
--- a/.github/workflows/check-workflows-task.yml
+++ b/.github/workflows/check-workflows-task.yml
@@ -20,6 +20,8 @@ on:
jobs:
validate:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
diff --git a/.github/workflows/deploy-cobra-mkdocs-versioned-poetry.yml b/.github/workflows/deploy-cobra-mkdocs-versioned-poetry.yml
index 472011e8c..f2a456858 100644
--- a/.github/workflows/deploy-cobra-mkdocs-versioned-poetry.yml
+++ b/.github/workflows/deploy-cobra-mkdocs-versioned-poetry.yml
@@ -32,6 +32,7 @@ on:
jobs:
publish-determination:
runs-on: ubuntu-latest
+ permissions: {}
outputs:
result: ${{ steps.determination.outputs.result }}
steps:
@@ -51,6 +52,8 @@ jobs:
runs-on: ubuntu-latest
needs: publish-determination
if: needs.publish-determination.outputs.result == 'true'
+ permissions:
+ contents: write
steps:
- name: Checkout repository
diff --git a/.github/workflows/publish-go-nightly-task.yml b/.github/workflows/publish-go-nightly-task.yml
index db94b4a64..1b074b483 100644
--- a/.github/workflows/publish-go-nightly-task.yml
+++ b/.github/workflows/publish-go-nightly-task.yml
@@ -21,6 +21,8 @@ on:
jobs:
create-nightly-artifacts:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
strategy:
matrix:
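Review bot: `contents: write` on the `publish` job is the only write scope granted in deploy-cobra-mkdocs-versioned-poetry.yml, and the step that needs it is outside the hunk, so a comment above the grant naming that step would make the elevation auditable, e.g. `# contents: write is required by the step that pushes the generated documentation` (confirm the wording against the actual step). The same applies to `contents: write` on `create-release` in release-go-task.yml. The `Checkout repository` step that immediately follows will, if it is `actions/checkout` with `persist-credentials` left at its default, keep that write-capable token in the working tree for every later step; that is expected for a deploy job, but worth stating next to the grant.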
@@ -66,6 +68,9 @@ jobs:
checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
+ permissions:
+ contents: read
+
env:
GON_CONFIG_PATH: gon.config.hcl
@@ -166,6 +171,7 @@ jobs:
publish-nightly:
runs-on: ubuntu-latest
needs: notarize-macos
+ permissions: {}
steps:
- name: Download artifact
@@ -194,6 +200,7 @@ jobs:
runs-on: ubuntu-latest
needs: publish-nightly
if: failure() # Run if publish-nightly or any of its job dependencies failed
+ permissions: {}
steps:
- name: Report failure
diff --git a/.github/workflows/publish-go-tester-task.yml b/.github/workflows/publish-go-tester-task.yml
index b97a385c2..8f2094b4f 100644
--- a/.github/workflows/publish-go-tester-task.yml
+++ b/.github/workflows/publish-go-tester-task.yml
@@ -34,6 +34,7 @@ jobs:
runs-on: ubuntu-latest
outputs:
result: ${{ steps.determination.outputs.result }}
+ permissions: {}
steps:
- name: Determine if the rest of the workflow should run
id: determination
@@ -57,6 +58,7 @@ jobs:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
runs-on: ubuntu-latest
+ permissions: {}
outputs:
prefix: ${{ steps.calculation.outputs.prefix }}
steps:
@@ -75,6 +77,8 @@ jobs:
needs: package-name-prefix
name: Build ${{ matrix.os.name }}
runs-on: ubuntu-latest
+ permissions:
+ contents: read
strategy:
matrix:
@@ -135,6 +139,8 @@ jobs:
- build
- package-name-prefix
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Download build artifacts
diff --git a/.github/workflows/release-go-task.yml b/.github/workflows/release-go-task.yml
index 9f01394c6..da62d95d0 100644
--- a/.github/workflows/release-go-task.yml
+++ b/.github/workflows/release-go-task.yml
@@ -18,6 +18,8 @@ on:
jobs:
create-release-artifacts:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
strategy:
matrix:
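Review bot: The blank `+` line added after `contents: read` in the notarize-macos job has no counterpart in the identical insertion made in release-go-task.yml's notarize-macos hunk, which adds only the two `permissions` lines; the two files are otherwise kept in lockstep, so drop the blank here (or add it there) to keep the jobs byte-comparable. Here too the block lands after the `outputs:` mapping rather than beside `runs-on:`, which is above the hunk.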
@@ -71,6 +73,8 @@ jobs:
outputs:
checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
+ permissions:
+ contents: read
env:
GON_CONFIG_PATH: gon.config.hcl
@@ -172,6 +176,8 @@ jobs:
create-release:
runs-on: ubuntu-latest
needs: notarize-macos
+ permissions:
+ contents: write
steps:
- name: Download artifact
diff --git a/.github/workflows/spell-check-task.yml b/.github/workflows/spell-check-task.yml
index bebccd627..80693309f 100644
--- a/.github/workflows/spell-check-task.yml
+++ b/.github/workflows/spell-check-task.yml
@@ -18,6 +18,8 @@ on:
jobs:
spellcheck:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
diff --git a/.github/workflows/sync-labels.yml b/.github/workflows/sync-labels.yml
index 70085bdef..467bb5b7e 100644
--- a/.github/workflows/sync-labels.yml
+++ b/.github/workflows/sync-labels.yml
@@ -24,6 +24,8 @@ env:
jobs:
check:
runs-on: ubuntu-latest
+ permissions:
+ contents: read
steps:
- name: Checkout repository
@@ -55,6 +57,7 @@ jobs:
download:
needs: check
runs-on: ubuntu-latest
+ permissions: {}
strategy:
matrix:
@@ -82,6 +85,9 @@ jobs:
sync:
needs: download
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
steps:
- name: Set environment variables
diff --git a/.github/workflows/test-go-integration-task.yml b/.github/workflows/test-go-integration-task.yml
index d78c7e39b..31419f75a 100644
--- a/.github/workflows/test-go-integration-task.yml
+++ b/.github/workflows/test-go-integration-task.yml
@@ -38,6 +38,7 @@ jobs:
runs-on: ubuntu-latest
outputs:
result: ${{ steps.determination.outputs.result }}
+ permissions: {}
steps:
- name: Determine if the rest of the workflow should run
id: determination
@@ -60,6 +61,8 @@ jobs:
test:
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
+ permissions:
+ contents: read
strategy:
matrix:
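Review bot: `issues: write` on the `sync` job in sync-labels.yml is the scope that covers repository label management (labels live under the Issues API), which a reader will not infer from the job name, so a comment above the grant would help: `# issues: write — repository labels are managed through the Issues API`. `contents: read` beside it is presumably for checking out the label configuration; the steps after `Set environment variables` are outside the hunk.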
diff --git a/.github/workflows/test-go-task.yml b/.github/workflows/test-go-task.yml
index c561e2f30..e78ec447d 100644
--- a/.github/workflows/test-go-task.yml
+++ b/.github/workflows/test-go-task.yml
@@ -34,6 +34,7 @@ jobs:
runs-on: ubuntu-latest
outputs:
result: ${{ steps.determination.outputs.result }}
+ permissions: {}
steps:
- name: Determine if the rest of the workflow should run
id: determination
@@ -57,6 +58,8 @@ jobs:
name: test (${{ matrix.module.path }} - ${{ matrix.operating-system }})
needs: run-determination
if: needs.run-determination.outputs.result == 'true'
+ permissions:
+ contents: read
strategy:
fail-fast: false
diff --git a/.github/workflows/test-install.yml b/.github/workflows/test-install.yml
index 738f8b928..9ab87d36f 100644
--- a/.github/workflows/test-install.yml
+++ b/.github/workflows/test-install.yml
@@ -21,6 +21,7 @@ env:
jobs:
default:
+ permissions: {}
strategy:
fail-fast: false
@@ -47,6 +48,7 @@ jobs:
"${PWD}/bin/${{ env.TOOL_NAME }}" --version
bindir:
+ permissions: {}
strategy:
fail-fast: false
@@ -80,6 +82,7 @@ jobs:
"${{ env.BINDIR }}/${{ env.TOOL_NAME }}" --version
version:
+ permissions: {}
strategy:
fail-fast: false
@@ -109,6 +112,7 @@ jobs:
"${PWD}/bin/${{ env.TOOL_NAME }}" --version | grep --fixed-strings "${{ env.VERSION }}"
nightly:
+ permissions: {}
strategy:
fail-fast: false