ci: add explicit permissions to all workflows - fixes scorecard token-permissions

Signed-off-by: vmfunc <celeste@linux.com>
vmfunc
2026-02-13 01:40:22 +01:00
parent e94fda0acf
commit fcf9291653
13 changed files with 47 additions and 0 deletions
+5
@@ -2,6 +2,11 @@ name: automatic rebase
on: on:
issue_comment: issue_comment:
types: [created] types: [created]
permissions:
contents: write
pull-requests: write
jobs: jobs:
rebase: rebase:
name: Rebase name: Rebase
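Review bot: `contents: write` and `pull-requests: write` are declared at the workflow level, so every job in this file inherits the write-capable token, not only `rebase`; moving the block under `jobs.rebase.permissions:` keeps the Scorecard token-permissions result while narrowing what any other job can do. Because `issue_comment` fires for comments from any account and the run now carries write scopes, the rebase job should gate on the commenter, e.g. `if: github.event.comment.author_association == 'MEMBER' || github.event.comment.author_association == 'OWNER'`, before it touches the branch. The `rebase` job body lies outside the hunk, so such a guard may already exist; worth confirming.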
+3
@@ -5,6 +5,9 @@ on:
push: push:
branches: [main] branches: [main]
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
+2
@@ -6,6 +6,8 @@ on:
branches: branches:
- main - main
permissions: {}
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
+3
@@ -6,6 +6,9 @@ on:
pull_request: pull_request:
branches: ["main"] branches: ["main"]
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
+3
@@ -8,6 +8,9 @@ on:
schedule: schedule:
- cron: "0 6 * * 1" # monday 06:00 UTC - cron: "0 6 * * 1" # monday 06:00 UTC
permissions:
contents: read
jobs: jobs:
govulncheck: govulncheck:
runs-on: ubuntu-latest runs-on: ubuntu-latest
+3
@@ -8,6 +8,9 @@ on:
paths: paths:
- '**.go' - '**.go'
permissions:
contents: read
jobs: jobs:
check-headers: check-headers:
runs-on: ubuntu-latest runs-on: ubuntu-latest
+6
@@ -12,6 +12,12 @@ on:
types: types:
- created - created
- edited - edited
permissions:
contents: read
issues: write
pull-requests: write
jobs: jobs:
echo_issue_comment: echo_issue_comment:
runs-on: ubuntu-latest runs-on: ubuntu-latest
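Review bot: `issues: write` and `pull-requests: write` are granted workflow-wide on an `issue_comment` trigger, where the comment body is untrusted input; if the `echo_issue_comment` job (its steps are outside the hunk) interpolates `${{ github.event.comment.body }}` directly into a `run:` line, the write token turns an expression-injection mistake into a token misuse. Safer shape: pass the body through an environment variable, `env: COMMENT: ${{ github.event.comment.body }}` with `run: echo "$COMMENT"`, and move the two write scopes down to the job that needs them. This is inferred from the job name only; please check the step.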
+4
@@ -5,6 +5,10 @@ on:
paths: paths:
- "**/*.md" - "**/*.md"
permissions:
contents: read
pull-requests: write
jobs: jobs:
markdownlint: markdownlint:
name: runner / markdownlint name: runner / markdownlint
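Review bot: `pull-requests: write` is declared at the workflow level here, and in the same form in the shellcheck and yamllint hunks and in the `push: branches: [main]` hunk that follows, so every job in each of those files inherits a write scope that presumably only the reporter step of the linter job needs; `jobs.markdownlint.permissions:` (and the equivalent per job in the other files) would keep the Scorecard result with less exposure. For the push-triggered hunk there is no pull-request context on a `push` event, so unless a `pull_request` trigger sits above that hunk the write scope looks unused and could be dropped to `contents: read` alone. Only part of each `on:` block is visible, so confirm against the full trigger list.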
+4
@@ -5,6 +5,10 @@ on:
push: push:
branches: [main] branches: [main]
permissions:
contents: read
pull-requests: write
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
+3
@@ -7,6 +7,9 @@ on:
branches: [main] branches: [main]
workflow_call: workflow_call:
permissions:
contents: read
concurrency: concurrency:
group: ${{ github.workflow }}-${{ github.ref }} group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true cancel-in-progress: true
+3
@@ -7,6 +7,9 @@ on:
branches: [main] branches: [main]
workflow_call: workflow_call:
permissions:
contents: read
jobs: jobs:
build-and-test: build-and-test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
+4
@@ -5,6 +5,10 @@ on:
paths: paths:
- "**/*.sh" - "**/*.sh"
permissions:
contents: read
pull-requests: write
jobs: jobs:
shellcheck: shellcheck:
name: runner / shellcheck name: runner / shellcheck
+4
@@ -6,6 +6,10 @@ on:
- "**/*.yml" - "**/*.yml"
- "**/*.yaml" - "**/*.yaml"
permissions:
contents: read
pull-requests: write
jobs: jobs:
yamllint: yamllint:
name: runner / yamllint name: runner / yamllint