ci: use explicit and per job permissions (#3002)
* ci: use explicit and per job permissions * update CHANGELOG
7
.github/workflows/build.yml
@@ -11,11 +11,10 @@ on:
|
|||||||
types: [edited, published]
|
types: [edited, published]
|
||||||
workflow_dispatch: # manual trigger for testing
|
workflow_dispatch: # manual trigger for testing
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
name: PyInstaller for ${{ matrix.os }} / Py ${{ matrix.python_version }}
|
name: PyInstaller for ${{ matrix.os }} / Py ${{ matrix.python_version }}
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
strategy:
|
strategy:
|
||||||
@@ -139,6 +138,8 @@ jobs:
|
|||||||
if: github.event_name == 'release'
|
if: github.event_name == 'release'
|
||||||
name: zip and upload ${{ matrix.asset_name }}
|
name: zip and upload ${{ matrix.asset_name }}
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
needs: [build]
|
needs: [build]
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
|
|||||||
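Review bot: Dropping the workflow-level `permissions:` block (old side of the first hunk) means any job in build.yml that does not declare its own block now inherits the repository's default GITHUB_TOKEN permissions, which can still be read/write depending on the repository setting, instead of a read-only floor; only `build` and the zip-and-upload job receive blocks in these hunks, and I cannot see whether other jobs exist between them. Keeping a restrictive workflow-level block, `permissions: {}` (or `permissions:` / `contents: read`), makes the job-level blocks the only escalation path and matches the pattern web-deploy.yml keeps in this same commit. The zip-and-upload job's `contents: write` is appropriately narrow since that job only runs when `github.event_name == 'release'`.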
5
.github/workflows/changelog.yml
@@ -7,11 +7,10 @@ on:
|
|||||||
pull_request_target:
|
pull_request_target:
|
||||||
types: [opened, edited, synchronize]
|
types: [opened, edited, synchronize]
|
||||||
|
|
||||||
permissions:
|
|
||||||
pull-requests: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
check_changelog:
|
check_changelog:
|
||||||
|
permissions:
|
||||||
|
pull-requests: write
|
||||||
# no need to check for dependency updates via dependabot
|
# no need to check for dependency updates via dependabot
|
||||||
# github.event.pull_request.user.login refers to PR author
|
# github.event.pull_request.user.login refers to PR author
|
||||||
if: |
|
if: |
|
||||||
|
|||||||
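Review bot: The job-level `pull-requests: write` on `check_changelog` is the same scope the old workflow-level block granted, so for this workflow the commit relocates rather than reduces privilege, and the trigger is `pull_request_target`, where the token carries base-repository rights while the event payload is controlled by the PR author. If the steps (outside this hunk) only inspect the PR title, body or changed files and never comment or label, `pull-requests: read` is sufficient; if they post a comment, keep `write` but make sure no step checks out or executes the PR head with this token. A one-line comment above the block naming the step that needs write, e.g. `# pull-requests: write — needed to comment on the PR when CHANGELOG.md is not updated`, adjusted to what the step actually does, would make the scope auditable.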
2
.github/workflows/pip-audit.yml
@@ -4,6 +4,8 @@ on:
|
|||||||
schedule:
|
schedule:
|
||||||
- cron: '0 8 * * 1'
|
- cron: '0 8 * * 1'
|
||||||
|
|
||||||
|
permissions: read-all
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
test:
|
test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
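Review bot: `permissions: read-all` grants read on every scope the token supports, which is broader than a pip-audit job that only checks out the repository needs; `permissions:` / `contents: read` expresses the same read-only intent with the minimum scope and matches the job-level block given to `build` in build.yml in this commit. If the audit step is meant to open issues or post results (not visible in this hunk), it would need a specific write scope rather than `read-all` anyway.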
2
.github/workflows/publish.yml
@@ -7,7 +7,7 @@ on:
|
|||||||
types: [published]
|
types: [published]
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: write
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
pypi-publish:
|
pypi-publish:
|
||||||
|
|||||||
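Review bot: With the workflow-level block now `contents: read`, every other scope is `none` at workflow level, so if `pypi-publish` (cut off below this hunk) uses PyPI trusted publishing it must declare `id-token: write` in its own job-level `permissions:`, otherwise the OIDC token request fails; if it uses an API-token secret instead, no further scope is needed. Please confirm the job-level block exists, since this is also the only file in the commit that keeps a workflow-level grant rather than moving it per job, and a comment such as `# workflow-wide floor; pypi-publish adds id-token: write for trusted publishing` would record the intent.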
5
.github/workflows/ruff-format.yml
@@ -9,11 +9,10 @@ on:
|
|||||||
- '**.md'
|
- '**.md'
|
||||||
workflow_dispatch: # allow manual trigger
|
workflow_dispatch: # allow manual trigger
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
ruff-format:
|
ruff-format:
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
# only run on dependabot PRs or manual trigger
|
# only run on dependabot PRs or manual trigger
|
||||||
if: github.actor == 'dependabot[bot]' || github.event_name == 'workflow_dispatch'
|
if: github.actor == 'dependabot[bot]' || github.event_name == 'workflow_dispatch'
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
|
|||||||
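Review bot: `contents: write` on `ruff-format` is the scope that lets the job push commits, and it is gated on `github.actor == 'dependabot[bot]'`, which is the account that initiated the run rather than the PR author; changelog.yml in this same commit documents that `github.event.pull_request.user.login` is the author. If this workflow runs on pull-request events (the `on:` triggers are outside the hunk apart from `workflow_dispatch`), a maintainer push or re-run on a dependabot branch changes the actor, so the write-capable token is not bound to the PR's origin. Consider `if: github.event.pull_request.user.login == 'dependabot[bot]' || github.event_name == 'workflow_dispatch'` and a comment above the block such as `# contents: write — pushes ruff formatting fixes back to the branch` so the reason for the write scope is recorded.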
5
.github/workflows/web-deploy.yml
@@ -12,8 +12,6 @@ on:
|
|||||||
# Sets the GITHUB_TOKEN permissions to allow deployment to GitHub Pages
|
# Sets the GITHUB_TOKEN permissions to allow deployment to GitHub Pages
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
pages: write
|
|
||||||
id-token: write
|
|
||||||
|
|
||||||
# Allow one concurrent deployment
|
# Allow one concurrent deployment
|
||||||
concurrency:
|
concurrency:
|
||||||
@@ -105,6 +103,9 @@ jobs:
|
|||||||
|
|
||||||
deploy:
|
deploy:
|
||||||
name: Deploy site to GitHub Pages
|
name: Deploy site to GitHub Pages
|
||||||
|
permissions:
|
||||||
|
pages: write
|
||||||
|
id-token: write
|
||||||
environment:
|
environment:
|
||||||
name: github-pages
|
name: github-pages
|
||||||
url: ${{ steps.deployment.outputs.page_url }}
|
url: ${{ steps.deployment.outputs.page_url }}
|
||||||
|
|||||||
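Review bot: The comment `# Sets the GITHUB_TOKEN permissions to allow deployment to GitHub Pages` above the workflow-level block is now stale, since that block only grants `contents: read` and the Pages grant (`pages: write`, `id-token: write`) has moved to the `deploy` job in the second hunk. Suggest rewording it to `# Workflow-wide floor: read-only; the deploy job grants pages/id-token write below` and adding `# pages: write + id-token: write — required by the GitHub Pages deployment action (OIDC)` above the job-level block. The split itself is the right shape: jobs other than `deploy` no longer hold an OIDC-capable token.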
3
.github/workflows/web-release.yml
@@ -14,6 +14,9 @@ jobs:
|
|||||||
build-and-release:
|
build-and-release:
|
||||||
needs: run-tests
|
needs: run-tests
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
pull-requests: write
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
|
|||||||
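Review bot: `build-and-release` now carries both `contents: write` and `pull-requests: write`, but `run-tests`, which it `needs`, gets no block in this hunk and the file's `on:` section (and any workflow-level `permissions:`) lies outside the hunk, so that job's token falls back to the repository default unless it is set elsewhere. A workflow-level `permissions:` / `contents: read` floor, as web-deploy.yml keeps, would close that; if `run-tests` only invokes web-tests.yml via `workflow_call`, the called workflow's `read-all` cannot exceed what the calling job holds, so the floor still has to be set here. A comment explaining why a release job needs `pull-requests: write`, e.g. `# pull-requests: write — opens the post-release PR`, adjusted to what the steps actually do, would make the scope reviewable.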
2
.github/workflows/web-tests.yml
@@ -7,6 +7,8 @@ on:
|
|||||||
- 'web/explorer/**'
|
- 'web/explorer/**'
|
||||||
workflow_call: # this allows the workflow to be called by other workflows
|
workflow_call: # this allows the workflow to be called by other workflows
|
||||||
|
|
||||||
|
permissions: read-all
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
test:
|
test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|||||||
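Review bot: `permissions: read-all` is wider than a test job needs; `permissions:` / `contents: read` is the minimal scope for checking out and running tests and is what build.yml's `build` job uses in this commit. Because this workflow is also reached through `workflow_call`, the effective token is bounded by the calling job's permissions, so `read-all` here is only a ceiling for direct `pull_request`/`push` runs; the caller (`run-tests` in web-release.yml, not visible in this commit's hunks) must set its own block for a read-only floor to hold.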
@@ -17,6 +17,7 @@
|
|||||||
### capa Explorer IDA Pro plugin
|
### capa Explorer IDA Pro plugin
|
||||||
|
|
||||||
### Development
|
### Development
|
||||||
|
- ci: use explicit and per job permissions @mike-hunhoff #3002
|
||||||
- replace black/isort/flake8 with ruff @mike-hunhoff #2992
|
- replace black/isort/flake8 with ruff @mike-hunhoff #2992
|
||||||
|
|
||||||
### Raw diffs
|
### Raw diffs
|
||||||
|
|||||||