diff --git a/.github/workflows/check-ci-sync.yml b/.github/workflows/check-ci-sync.yml index eaf6510f..3960b084 100644 --- a/.github/workflows/check-ci-sync.yml +++ b/.github/workflows/check-ci-sync.yml @@ -27,6 +27,7 @@ on: jobs: check-sync: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-clang-format.yml b/.github/workflows/check-clang-format.yml index c51d2738..9caabe16 100644 --- a/.github/workflows/check-clang-format.yml +++ b/.github/workflows/check-clang-format.yml @@ -39,6 +39,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository @@ -60,6 +61,7 @@ jobs: check-config: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository @@ -136,6 +138,7 @@ jobs: check-output: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository @@ -195,6 +198,7 @@ jobs: check-testdata: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository @@ -211,6 +215,7 @@ jobs: convert: runs-on: ubuntu-latest + permissions: {} steps: - name: Set environment variables diff --git a/.github/workflows/check-community-health-sync.yml b/.github/workflows/check-community-health-sync.yml index 9285c258..226fd4e0 100644 --- a/.github/workflows/check-community-health-sync.yml +++ b/.github/workflows/check-community-health-sync.yml @@ -33,6 +33,7 @@ on: jobs: check-sync: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-config-sync.yml b/.github/workflows/check-config-sync.yml index 23d7a5cd..b1aa0a54 100644 --- a/.github/workflows/check-config-sync.yml +++ b/.github/workflows/check-config-sync.yml @@ -19,6 +19,7 @@ on: jobs: check-sync: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-dependabot.yml b/.github/workflows/check-dependabot.yml index 0f712e9f..a570170b 100644 
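Review bot: `permissions: {}` on check-sync removes every token scope from a job whose first visible step is `Checkout repository`; that combination works only because anonymous read of a public repository needs no token, so the assumption should be written down, e.g. `permissions: {} # checkout needs no token scopes while this repository is public`. The same zero-scope-plus-checkout pattern appears in check-clang-format.yml (validate, check-config, check-output, check-testdata), check-community-health-sync.yml and check-config-sync.yml on this line, and in check-dependabot.yml, check-eslint.yml, check-issue-templates.yml, check-labels.yml and check-markdownlint.yml further down, while the `-task` workflows in this commit grant `contents: read` to their checkout jobs. If the split is deliberate (repository-specific workflows versus templates reused by downstream repositories, where a private repository would fail the checkout), one comment saying so would prevent the two styles being "harmonized" in the wrong direction; if it is not deliberate, `contents: read` is the safer uniform choice.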
--- a/.github/workflows/check-dependabot.yml +++ b/.github/workflows/check-dependabot.yml @@ -21,6 +21,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-eslint.yml b/.github/workflows/check-eslint.yml index 14054e2a..eba413ea 100644 --- a/.github/workflows/check-eslint.yml +++ b/.github/workflows/check-eslint.yml @@ -29,6 +29,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-files-task.yml b/.github/workflows/check-files-task.yml index bb5690ed..fe81ab4e 100644 --- a/.github/workflows/check-files-task.yml +++ b/.github/workflows/check-files-task.yml @@ -17,6 +17,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -40,6 +41,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -58,6 +61,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-general-formatting-task.yml b/.github/workflows/check-general-formatting-task.yml index 7a19a414..ab7a1da0 100644 --- a/.github/workflows/check-general-formatting-task.yml +++ b/.github/workflows/check-general-formatting-task.yml @@ -15,6 +15,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -40,6 +41,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Set environment variables 
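Review bot: In check-files-task.yml the new `permissions: {}` for run-determination is inserted after the `outputs:` block, whereas every other run-determination job in this commit places it directly under `runs-on: ubuntu-latest`; the inconsistency makes the permission block easy to miss when scanning job headers. The same placement is used in check-license.yml, test-python-poetry-task.yml, workflow-templates/check-certificates.yml and workflow-templates/publish-go-tester-task.yml. Move the key so the job reads `runs-on: ubuntu-latest` / `permissions: {}` / `outputs:` in all five files.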
diff --git a/.github/workflows/check-issue-templates.yml b/.github/workflows/check-issue-templates.yml index 8c4b4382..6caa111e 100644 --- a/.github/workflows/check-issue-templates.yml +++ b/.github/workflows/check-issue-templates.yml @@ -21,6 +21,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-javascript-task.yml b/.github/workflows/check-javascript-task.yml index 0eb67590..3a673c89 100644 --- a/.github/workflows/check-javascript-task.yml +++ b/.github/workflows/check-javascript-task.yml @@ -29,12 +29,10 @@ on: workflow_dispatch: repository_dispatch: -permissions: - contents: read - jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -60,6 +58,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-labels.yml b/.github/workflows/check-labels.yml index b754ed6a..f3776b05 100644 --- a/.github/workflows/check-labels.yml +++ b/.github/workflows/check-labels.yml @@ -23,6 +23,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-license.yml b/.github/workflows/check-license.yml index 7b12f08c..c2b3cbd2 100644 --- a/.github/workflows/check-license.yml +++ b/.github/workflows/check-license.yml @@ -38,6 +38,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -61,6 +62,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository 
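Review bot: Deleting the workflow-level `permissions` block in check-javascript-task.yml means any job without its own `permissions` key now receives the repository's default token permissions instead of `contents: read`; the two jobs visible in these hunks are covered, but a job added later without the key silently regains the default. Keeping a workflow-level `permissions: {}` as the floor, with the job-level grants added here layered on top, keeps least privilege the default rather than something each job must opt into: replace the two removed lines with `permissions: {}`. The same removal is made in check-npm-task.yml and in the workflow-templates copies of both files, where the downstream repository's default is even less predictable.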
diff --git a/.github/workflows/check-markdown-task.yml b/.github/workflows/check-markdown-task.yml index a2001a8e..bacc784c 100644 --- a/.github/workflows/check-markdown-task.yml +++ b/.github/workflows/check-markdown-task.yml @@ -41,6 +41,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -66,6 +67,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -92,6 +95,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-markdownlint.yml b/.github/workflows/check-markdownlint.yml index 17e1ccac..d58849e2 100644 --- a/.github/workflows/check-markdownlint.yml +++ b/.github/workflows/check-markdownlint.yml @@ -21,6 +21,7 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout repository diff --git a/.github/workflows/check-npm-task.yml b/.github/workflows/check-npm-task.yml index ba79f745..d20b591e 100644 --- a/.github/workflows/check-npm-task.yml +++ b/.github/workflows/check-npm-task.yml @@ -26,12 +26,10 @@ on: workflow_dispatch: repository_dispatch: -permissions: - contents: read - jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -57,6 +55,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -80,6 +80,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository 
diff --git a/.github/workflows/check-prettier-formatting-task.yml b/.github/workflows/check-prettier-formatting-task.yml index d999002f..0c664774 100644 --- a/.github/workflows/check-prettier-formatting-task.yml +++ b/.github/workflows/check-prettier-formatting-task.yml @@ -209,6 +209,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -234,6 +235,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-python-task.yml b/.github/workflows/check-python-task.yml index e3e3addb..d19d4fcf 100644 --- a/.github/workflows/check-python-task.yml +++ b/.github/workflows/check-python-task.yml @@ -37,6 +37,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -62,6 +63,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -91,6 +94,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-shell-task.yml b/.github/workflows/check-shell-task.yml index 0ff939ff..7d92e555 100644 --- a/.github/workflows/check-shell-task.yml +++ b/.github/workflows/check-shell-task.yml @@ -27,6 +27,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -53,6 +54,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read env: # See: https://github.com/koalaman/shellcheck/releases/latest 
@@ -121,6 +124,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Set environment variables @@ -166,6 +171,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-taskfiles.yml b/.github/workflows/check-taskfiles.yml index 67ce8e69..e42d6500 100644 --- a/.github/workflows/check-taskfiles.yml +++ b/.github/workflows/check-taskfiles.yml @@ -29,6 +29,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -55,6 +56,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/.github/workflows/check-workflows-task.yml b/.github/workflows/check-workflows-task.yml index b996df5a..68617336 100644 --- a/.github/workflows/check-workflows-task.yml +++ b/.github/workflows/check-workflows-task.yml @@ -26,6 +26,8 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/check-yaml-task.yml b/.github/workflows/check-yaml-task.yml index 8234b9a6..90a2c860 100644 --- a/.github/workflows/check-yaml-task.yml +++ b/.github/workflows/check-yaml-task.yml @@ -49,6 +49,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -75,6 +76,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/.github/workflows/spell-check-task.yml b/.github/workflows/spell-check-task.yml index c570c01a..770dd1fa 100644 
--- a/.github/workflows/spell-check-task.yml +++ b/.github/workflows/spell-check-task.yml @@ -19,6 +19,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -44,6 +45,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/.github/workflows/sync-labels-npm.yml b/.github/workflows/sync-labels-npm.yml index 79cef012..4ce3b5cc 100644 --- a/.github/workflows/sync-labels-npm.yml +++ b/.github/workflows/sync-labels-npm.yml @@ -30,6 +30,8 @@ on: jobs: check: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -65,6 +67,7 @@ jobs: download: needs: check runs-on: ubuntu-latest + permissions: {} strategy: matrix: @@ -91,6 +94,9 @@ jobs: sync: needs: download runs-on: ubuntu-latest + permissions: + contents: read + issues: write steps: - name: Set environment variables diff --git a/.github/workflows/test-install-script.yml b/.github/workflows/test-install-script.yml index bfdccd37..d3477ac0 100644 --- a/.github/workflows/test-install-script.yml +++ b/.github/workflows/test-install-script.yml @@ -24,6 +24,7 @@ env: jobs: configure: runs-on: ubuntu-latest + permissions: {} env: # Placeholder value of the PROJECT_OWNER variable in the template script @@ -60,6 +61,7 @@ jobs: default: needs: configure + permissions: {} strategy: fail-fast: false @@ -92,6 +94,7 @@ jobs: bindir: needs: configure + permissions: {} strategy: fail-fast: false @@ -131,6 +134,7 @@ jobs: version: needs: configure + permissions: {} strategy: fail-fast: false @@ -166,6 +170,7 @@ jobs: nightly: needs: configure + permissions: {} strategy: fail-fast: false @@ -198,6 +203,7 @@ jobs: path-suggestions: needs: configure + permissions: {} strategy: fail-fast: false 
diff --git a/.github/workflows/test-python-poetry-task.yml b/.github/workflows/test-python-poetry-task.yml index 96e9ee79..e4be1133 100644 --- a/.github/workflows/test-python-poetry-task.yml +++ b/.github/workflows/test-python-poetry-task.yml @@ -35,6 +35,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -58,6 +59,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-action-metadata-task.yml b/workflow-templates/check-action-metadata-task.yml index 8eca242a..91ecba8d 100644 --- a/workflow-templates/check-action-metadata-task.yml +++ b/workflow-templates/check-action-metadata-task.yml @@ -31,6 +31,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -56,6 +57,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-certificates.yml b/workflow-templates/check-certificates.yml index acc9244b..d3d10e2e 100644 --- a/workflow-templates/check-certificates.yml +++ b/workflow-templates/check-certificates.yml @@ -25,6 +25,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -66,6 +67,7 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: {} strategy: fail-fast: false diff --git a/workflow-templates/check-files-task.yml b/workflow-templates/check-files-task.yml index bb5690ed..ba4f5da3 100644 
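Review bot: The `permissions: {}` added to the second job of workflow-templates/check-certificates.yml (hunk at old line 66) covers a job whose steps lie outside the hunk, so whether it checks out the repository cannot be seen here; a zero-scope token only succeeds at checkout on a public repository, and a template is meant to be copied into other repositories that may be private. Confirm the job's steps: if it checks out, grant `contents: read` as the other template jobs in this commit do; if it does not, a short comment such as `permissions: {} # no checkout or API calls in this job` records why the empty block is correct.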
--- a/workflow-templates/check-files-task.yml +++ b/workflow-templates/check-files-task.yml @@ -15,6 +15,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -40,6 +41,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -58,6 +61,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-general-formatting-task.yml b/workflow-templates/check-general-formatting-task.yml index 7a19a414..ab7a1da0 100644 --- a/workflow-templates/check-general-formatting-task.yml +++ b/workflow-templates/check-general-formatting-task.yml @@ -15,6 +15,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -40,6 +41,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Set environment variables diff --git a/workflow-templates/check-go-dependencies-task.yml b/workflow-templates/check-go-dependencies-task.yml index 686f9500..3f2950fb 100644 --- a/workflow-templates/check-go-dependencies-task.yml +++ b/workflow-templates/check-go-dependencies-task.yml @@ -37,6 +37,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -62,6 +63,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository 
@@ -118,6 +121,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-go-task.yml b/workflow-templates/check-go-task.yml index 77c87cfa..a33ff2ff 100644 --- a/workflow-templates/check-go-task.yml +++ b/workflow-templates/check-go-task.yml @@ -31,6 +31,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -57,6 +58,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false @@ -91,6 +94,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false @@ -128,6 +133,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false @@ -165,6 +172,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false @@ -202,6 +211,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/workflow-templates/check-javascript-task.yml b/workflow-templates/check-javascript-task.yml index 0eb67590..3a673c89 100644 --- a/workflow-templates/check-javascript-task.yml +++ b/workflow-templates/check-javascript-task.yml @@ -29,12 +29,10 @@ on: workflow_dispatch: repository_dispatch: -permissions: - contents: read - jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: 
@@ -60,6 +58,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-license.yml b/workflow-templates/check-license.yml index 7e262055..cc231427 100644 --- a/workflow-templates/check-license.yml +++ b/workflow-templates/check-license.yml @@ -37,6 +37,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -62,6 +63,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-markdown-task.yml b/workflow-templates/check-markdown-task.yml index a2001a8e..bacc784c 100644 --- a/workflow-templates/check-markdown-task.yml +++ b/workflow-templates/check-markdown-task.yml @@ -41,6 +41,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -66,6 +67,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -92,6 +95,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-mkdocs-task.yml b/workflow-templates/check-mkdocs-task.yml index 05606854..a6a4033d 100644 --- a/workflow-templates/check-mkdocs-task.yml +++ b/workflow-templates/check-mkdocs-task.yml @@ -33,6 +33,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: 
@@ -58,6 +59,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-npm-dependencies-task.yml b/workflow-templates/check-npm-dependencies-task.yml index d769e4b3..6601a729 100644 --- a/workflow-templates/check-npm-dependencies-task.yml +++ b/workflow-templates/check-npm-dependencies-task.yml @@ -37,6 +37,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -62,6 +63,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -118,6 +121,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-npm-task.yml b/workflow-templates/check-npm-task.yml index ba79f745..d20b591e 100644 --- a/workflow-templates/check-npm-task.yml +++ b/workflow-templates/check-npm-task.yml @@ -26,12 +26,10 @@ on: workflow_dispatch: repository_dispatch: -permissions: - contents: read - jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -57,6 +55,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -80,6 +80,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-prettier-formatting-task.yml b/workflow-templates/check-prettier-formatting-task.yml index d999002f..0c664774 100644 
--- a/workflow-templates/check-prettier-formatting-task.yml +++ b/workflow-templates/check-prettier-formatting-task.yml @@ -209,6 +209,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -234,6 +235,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-python-task.yml b/workflow-templates/check-python-task.yml index e3e3addb..d19d4fcf 100644 --- a/workflow-templates/check-python-task.yml +++ b/workflow-templates/check-python-task.yml @@ -37,6 +37,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -62,6 +63,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository @@ -91,6 +94,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-shell-task.yml b/workflow-templates/check-shell-task.yml index 0ff939ff..7d92e555 100644 --- a/workflow-templates/check-shell-task.yml +++ b/workflow-templates/check-shell-task.yml @@ -27,6 +27,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -53,6 +54,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read env: # See: https://github.com/koalaman/shellcheck/releases/latest 
@@ -121,6 +124,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Set environment variables @@ -166,6 +171,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-taskfiles.yml b/workflow-templates/check-taskfiles.yml index 67ce8e69..e42d6500 100644 --- a/workflow-templates/check-taskfiles.yml +++ b/workflow-templates/check-taskfiles.yml @@ -29,6 +29,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -55,6 +56,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/workflow-templates/check-toc-task.yml b/workflow-templates/check-toc-task.yml index b14b132b..86eebf14 100644 --- a/workflow-templates/check-toc-task.yml +++ b/workflow-templates/check-toc-task.yml @@ -31,6 +31,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -57,6 +58,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/workflow-templates/check-workflows-task.yml b/workflow-templates/check-workflows-task.yml index 635ae047..3a873bf4 100644 --- a/workflow-templates/check-workflows-task.yml +++ b/workflow-templates/check-workflows-task.yml @@ -28,6 +28,8 @@ on: jobs: validate: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository diff --git a/workflow-templates/check-yaml-task.yml b/workflow-templates/check-yaml-task.yml index 8234b9a6..90a2c860 100644 
--- a/workflow-templates/check-yaml-task.yml +++ b/workflow-templates/check-yaml-task.yml @@ -49,6 +49,7 @@ on: jobs: run-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -75,6 +76,8 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: + contents: read strategy: fail-fast: false diff --git a/workflow-templates/deploy-cobra-mkdocs-versioned-poetry.yml b/workflow-templates/deploy-cobra-mkdocs-versioned-poetry.yml index 3605b779..848ae2d1 100644 --- a/workflow-templates/deploy-cobra-mkdocs-versioned-poetry.yml +++ b/workflow-templates/deploy-cobra-mkdocs-versioned-poetry.yml @@ -31,6 +31,7 @@ on: jobs: publish-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: @@ -56,6 +57,8 @@ jobs: runs-on: ubuntu-latest needs: publish-determination if: needs.publish-determination.outputs.result == 'true' + permissions: + contents: write steps: - name: Checkout repository diff --git a/workflow-templates/deploy-mkdocs-poetry.yml b/workflow-templates/deploy-mkdocs-poetry.yml index f01eb9aa..03b1e518 100644 --- a/workflow-templates/deploy-mkdocs-poetry.yml +++ b/workflow-templates/deploy-mkdocs-poetry.yml @@ -23,6 +23,8 @@ on: jobs: publish: runs-on: ubuntu-latest + permissions: + contents: write steps: - name: Checkout repository diff --git a/workflow-templates/deploy-mkdocs-versioned-poetry.yml b/workflow-templates/deploy-mkdocs-versioned-poetry.yml index 7a1101ae..5ca957e6 100644 --- a/workflow-templates/deploy-mkdocs-versioned-poetry.yml +++ b/workflow-templates/deploy-mkdocs-versioned-poetry.yml @@ -24,6 +24,7 @@ on: jobs: publish-determination: runs-on: ubuntu-latest + permissions: {} outputs: result: ${{ steps.determination.outputs.result }} steps: 
@@ -49,6 +50,8 @@ jobs: runs-on: ubuntu-latest needs: publish-determination if: needs.publish-determination.outputs.result == 'true' + permissions: + contents: write steps: - name: Checkout repository diff --git a/workflow-templates/publish-go-nightly-task.yml b/workflow-templates/publish-go-nightly-task.yml index 62e55ff8..de750146 100644 --- a/workflow-templates/publish-go-nightly-task.yml +++ b/workflow-templates/publish-go-nightly-task.yml @@ -21,6 +21,8 @@ on: jobs: create-nightly-artifacts: runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: @@ -66,6 +68,9 @@ jobs: checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }} checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }} + permissions: + contents: read + env: GON_CONFIG_PATH: gon.config.hcl @@ -167,6 +172,7 @@ jobs: publish-nightly: runs-on: ubuntu-latest needs: notarize-macos + permissions: {} steps: - name: Download artifact @@ -195,6 +201,7 @@ jobs: runs-on: ubuntu-latest needs: publish-nightly if: failure() # Run if publish-nightly or any of its job dependencies failed + permissions: {} steps: - name: Report failure diff --git a/workflow-templates/publish-go-tester-task.yml b/workflow-templates/publish-go-tester-task.yml index 589aadc0..1f43f210 100644 --- a/workflow-templates/publish-go-tester-task.yml +++ b/workflow-templates/publish-go-tester-task.yml @@ -34,6 +34,7 @@ jobs: runs-on: ubuntu-latest outputs: result: ${{ steps.determination.outputs.result }} + permissions: {} steps: - name: Determine if the rest of the workflow should run id: determination @@ -59,6 +60,7 @@ jobs: needs: run-determination if: needs.run-determination.outputs.result == 'true' runs-on: ubuntu-latest + permissions: {} outputs: prefix: ${{ steps.calculation.outputs.prefix }} steps: @@ -77,6 +79,8 @@ jobs: needs: package-name-prefix name: Build ${{ matrix.os.name }} runs-on: ubuntu-latest + permissions: + contents: read strategy: matrix: 
@@ -137,6 +141,8 @@ jobs:
 - build
 - package-name-prefix
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Download build artifacts
diff --git a/workflow-templates/release-go-crosscompile-task.yml b/workflow-templates/release-go-crosscompile-task.yml
index 4449c8c2..8a637790 100644
--- a/workflow-templates/release-go-crosscompile-task.yml
+++ b/workflow-templates/release-go-crosscompile-task.yml
@@ -20,6 +20,8 @@ on:
 jobs:
 create-release-artifacts:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix:
@@ -75,6 +77,8 @@ jobs:
 name: Notarize ${{ matrix.artifact.name }}
 runs-on: macos-latest
 needs: create-release-artifacts
+ permissions:
+ contents: read
 env:
 GON_CONFIG_PATH: gon.config.hcl
@@ -177,6 +181,8 @@ jobs:
 create-release:
 runs-on: ubuntu-latest
 needs: notarize-macos
+ permissions:
+ contents: write
 steps:
 - name: Download artifact
diff --git a/workflow-templates/release-go-task.yml b/workflow-templates/release-go-task.yml
index a35245c7..98205973 100644
--- a/workflow-templates/release-go-task.yml
+++ b/workflow-templates/release-go-task.yml
@@ -18,6 +18,8 @@ on:
 jobs:
 create-release-artifacts:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 strategy:
 matrix:
@@ -71,6 +73,8 @@ jobs:
 outputs:
 checksum-darwin_amd64: ${{ steps.re-package.outputs.checksum-darwin_amd64 }}
 checksum-darwin_arm64: ${{ steps.re-package.outputs.checksum-darwin_arm64 }}
+ permissions:
+ contents: read
 env:
 GON_CONFIG_PATH: gon.config.hcl
@@ -173,6 +177,8 @@ jobs:
 create-release:
 runs-on: ubuntu-latest
 needs: notarize-macos
+ permissions:
+ contents: write
 steps:
 - name: Download artifact
diff --git a/workflow-templates/release-tag.yml b/workflow-templates/release-tag.yml
index f0573d1d..3d466e08 100644
--- a/workflow-templates/release-tag.yml
+++ b/workflow-templates/release-tag.yml
@@ -9,6 +9,8 @@ on:
 jobs:
 release:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 env:
 # See: https://github.com/fsaintjacques/semver-tool/releases
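Review bot: `contents: write` in the `create-release` hunk (`@@ -177,6 +181,8 @@`) is the scope a release-creating job needs, but it is also held by every step in that job, including the `Download artifact` step shown and whatever third-party actions follow outside the hunk, so those actions should be pinned to a full commit SHA rather than a tag. A one-line comment stating why the write scope is held would stop a future maintainer from widening it further, e.g. `contents: write # Required to create the GitHub release`. The same applies to `create-release` in release-go-task.yml (`@@ -173,6 +177,8 @@`), `release` in release-tag.yml (`@@ -9,6 +9,8 @@`) and the `publish` jobs of the deploy-*-poetry.yml templates.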
diff --git a/workflow-templates/spell-check-task.yml b/workflow-templates/spell-check-task.yml
index c570c01a..770dd1fa 100644
--- a/workflow-templates/spell-check-task.yml
+++ b/workflow-templates/spell-check-task.yml
@@ -19,6 +19,7 @@ on:
 jobs:
 run-determination:
 runs-on: ubuntu-latest
+ permissions: {}
 outputs:
 result: ${{ steps.determination.outputs.result }}
 steps:
@@ -44,6 +45,8 @@ jobs:
 needs: run-determination
 if: needs.run-determination.outputs.result == 'true'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository
diff --git a/workflow-templates/sync-labels-npm.yml b/workflow-templates/sync-labels-npm.yml
index 79cef012..4ce3b5cc 100644
--- a/workflow-templates/sync-labels-npm.yml
+++ b/workflow-templates/sync-labels-npm.yml
@@ -30,6 +30,8 @@ on:
 jobs:
 check:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository
@@ -65,6 +67,7 @@ jobs:
 download:
 needs: check
 runs-on: ubuntu-latest
+ permissions: {}
 strategy:
 matrix:
@@ -91,6 +94,9 @@ jobs:
 sync:
 needs: download
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
 steps:
 - name: Set environment variables
diff --git a/workflow-templates/sync-labels.yml b/workflow-templates/sync-labels.yml
index 63c5b72a..3f94bab8 100644
--- a/workflow-templates/sync-labels.yml
+++ b/workflow-templates/sync-labels.yml
@@ -24,6 +24,8 @@ env:
 jobs:
 check:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository
@@ -55,6 +57,7 @@ jobs:
 download:
 needs: check
 runs-on: ubuntu-latest
+ permissions: {}
 strategy:
 matrix:
@@ -81,6 +84,9 @@ jobs:
 sync:
 needs: download
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ issues: write
 steps:
 - name: Set environment variables
diff --git a/workflow-templates/test-go-integration-task.yml b/workflow-templates/test-go-integration-task.yml
index 988f7c28..c34247db 100644
--- a/workflow-templates/test-go-integration-task.yml
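Review bot: The `issues: write` grant in the `sync` job of sync-labels-npm.yml (`@@ -91,6 +94,9 @@`) deserves a comment, because the scope name does not say that repository labels are managed under the token's issues permission and a reader may take it for an unrelated leftover: `issues: write # Repository labels are managed via the issues permission`. The `sync` job's steps are outside the hunk, so whether `contents: read` is needed there (a checkout of the label configuration, presumably) cannot be confirmed from this view. The identical hunk in sync-labels.yml (`@@ -81,6 +84,9 @@`) would take the same comment.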
+++ b/workflow-templates/test-go-integration-task.yml
@@ -41,6 +41,7 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 result: ${{ steps.determination.outputs.result }}
+ permissions: {}
 steps:
 - name: Determine if the rest of the workflow should run
 id: determination
@@ -63,6 +64,8 @@ jobs:
 test:
 needs: run-determination
 if: needs.run-determination.outputs.result == 'true'
+ permissions:
+ contents: read
 strategy:
 matrix:
diff --git a/workflow-templates/test-go-task.yml b/workflow-templates/test-go-task.yml
index 7194f778..36a07247 100644
--- a/workflow-templates/test-go-task.yml
+++ b/workflow-templates/test-go-task.yml
@@ -41,6 +41,7 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 result: ${{ steps.determination.outputs.result }}
+ permissions: {}
 steps:
 - name: Determine if the rest of the workflow should run
 id: determination
@@ -64,6 +65,8 @@ jobs:
 name: test (${{ matrix.module.path }} - ${{ matrix.operating-system }})
 needs: run-determination
 if: needs.run-determination.outputs.result == 'true'
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
diff --git a/workflow-templates/test-python-poetry-task.yml b/workflow-templates/test-python-poetry-task.yml
index 96e9ee79..e4be1133 100644
--- a/workflow-templates/test-python-poetry-task.yml
+++ b/workflow-templates/test-python-poetry-task.yml
@@ -35,6 +35,7 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 result: ${{ steps.determination.outputs.result }}
+ permissions: {}
 steps:
 - name: Determine if the rest of the workflow should run
 id: determination
@@ -58,6 +59,8 @@ jobs:
 needs: run-determination
 if: needs.run-determination.outputs.result == 'true'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository