

Commit 2fb7100

authored
Merge pull request #31238 from scottshambaugh/ci_permissions
CI: Explicitly define CI workflow permissions
2 parents a847da9 + 23420f0 commit 2fb7100

15 files changed

Lines changed: 47 additions & 12 deletions

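--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -18,8 +18,7 @@ on:
 - reopened
 - labeled
 
-permissions:
-contents: read
+permissions: {}
 
 jobs:
 build_sdist:
@@ -37,6 +36,8 @@ jobs:
 )
 name: Build sdist
 runs-on: ubuntu-latest
+permissions:
+contents: read
 outputs:
 SDIST_NAME: ${{ steps.sdist.outputs.SDIST_NAME }}
 
@@ -93,6 +94,8 @@ jobs:
 )
 needs: build_sdist
 name: Build wheels on ${{ matrix.os }} for ${{ matrix.cibw_archs }}
+permissions:
+contents: read
 runs-on: ${{ matrix.os }}
 env:
 CIBW_BEFORE_BUILD: >-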
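Review bot: The new workflow-level `permissions: {}` carries no comment saying that it removes every default token scope and that a job-level block replaces it rather than adding to it, so a job added later without its own block will silently run with an unscoped token. A one-line comment above it would record the convention, for example `# No default GITHUB_TOKEN scopes; every job must declare its own permissions.` Only `build_sdist` and the wheel-building job receive `contents: read` in the hunks shown, and the rest of the `jobs:` map lies outside them, so any other job in this file should be checked for its own block. The same comment applies to the `permissions: {}` line in each of the other workflow files in this commit.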

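--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -1,6 +1,9 @@
 ---
 name: "CircleCI artifact handling"
 on: [status]
+
+permissions: {}
+
 jobs:
 circleci_artifacts_redirector_job:
 if: "${{ github.event.context == 'ci/circleci: docs-python3' }}"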
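Review bot: Nothing in this section gives `circleci_artifacts_redirector_job` a job-level `permissions:` block; all three added lines are the workflow-level `permissions: {}` and the blank lines around it, so the job keeps its access only if a block already exists below new line 9, outside the hunk. If it does not, the job now runs with a token that has no scopes, where before it fell back to the repository default. The same check applies to `analyze` in codeql-analysis.yml, `main` in conflictcheck.yml and `add-comment` in good-first-issue.yml, whose hunks likewise add only the workflow-level line.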

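--- a/.github/workflows/clean_pr.yml
+++ b/.github/workflows/clean_pr.yml
@@ -2,12 +2,13 @@
 name: PR cleanliness
 on: [pull_request]
 
-permissions:
-contents: read
+permissions: {}
 
 jobs:
 pr_clean:
 runs-on: ubuntu-latest
+permissions:
+contents: read
 
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2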

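--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -10,6 +10,8 @@ on:
 schedule:
 - cron: '45 19 * * 1'
 
+permissions: {}
+
 jobs:
 analyze:
 if: github.repository == 'matplotlib/matplotlib'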

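--- a/.github/workflows/conflictcheck.yml
+++ b/.github/workflows/conflictcheck.yml
@@ -9,6 +9,8 @@ on:
 pull_request_target:
 types: [synchronize]
 
+permissions: {}
+
 jobs:
 main:
 if: github.repository == 'matplotlib/matplotlib'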
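Review bot: `pull_request_target` runs this workflow in the base repository's context even for pull requests from forks, so the scopes the `main` job grants itself are the whole limit on what a fork-triggered run can do with the token, and nothing next to the new `permissions: {}` says so. A comment on the job's own block naming each scope and the step that needs it, in the form `# <scope>: write - used by <step>` (placeholders; the block is outside this hunk), would make any later widening stand out in review. labeler.yml uses the same trigger and its job-level `permissions:` block is cut off at the end of its hunk, so the same comment applies there.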

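--- a/.github/workflows/cygwin.yml
+++ b/.github/workflows/cygwin.yml
@@ -30,8 +30,7 @@ on:
 - cron: "47 5 * * 6"
 workflow_dispatch:
 
-permissions:
-contents: read
+permissions: {}
 
 env:
 NO_AT_BRIDGE: 1 # Necessary for GTK3 interactive test.
@@ -47,6 +46,8 @@ jobs:
 
 test-cygwin:
 runs-on: windows-latest
+permissions:
+contents: read
 name: Python 3.${{ matrix.python-minor-version }} on Cygwin
 # Enable these when Cygwin has Python 3.12.
 if: >-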

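--- a/.github/workflows/good-first-issue.yml
+++ b/.github/workflows/good-first-issue.yml
@@ -4,6 +4,9 @@ on:
 issues:
 types:
 - labeled
+
+permissions: {}
+
 jobs:
 add-comment:
 if: github.event.label.name == 'Good first issue'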

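--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -3,6 +3,8 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
 
+permissions: {}
+
 jobs:
 labeler:
 permissions: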

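--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -2,13 +2,14 @@
 name: Linting
 on: [pull_request]
 
-permissions:
-contents: read
+permissions: {}
 
 jobs:
 pre-commit:
 name: precommit
 runs-on: ubuntu-latest
+permissions:
+contents: read
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -25,6 +26,7 @@ jobs:
 name: ruff
 runs-on: ubuntu-latest
 permissions:
+contents: read
 checks: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -54,6 +56,7 @@ jobs:
 name: mypy
 runs-on: ubuntu-latest
 permissions:
+contents: read
 checks: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -85,6 +88,7 @@ jobs:
 name: eslint
 runs-on: ubuntu-latest
 permissions:
+contents: read
 checks: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2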

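--- a/.github/workflows/mypy-stubtest.yml
+++ b/.github/workflows/mypy-stubtest.yml
@@ -2,14 +2,14 @@
 name: Mypy Stubtest
 on: [pull_request]
 
-permissions:
-contents: read
+permissions: {}
 
 jobs:
 mypy-stubtest:
 name: mypy-stubtest
 runs-on: ubuntu-latest
 permissions:
+contents: read
 checks: write
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2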
