From feec9c5f1dc7869a4ec6fb09c6203f6ccff64573 Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade
Date: Thu, 1 Dec 2022 19:02:40 -0500
Subject: [PATCH] Add explicit permissions to GitHub Actions

Also update the CircleCI check to the action's latest recommended jobs.
---
 .circleci/config.yml | 2 ++
 .github/workflows/cibuildsdist.yml | 4 ++++
 .github/workflows/cibuildwheel.yml | 4 ++++
 .github/workflows/circleci.yml | 8 ++++++++
 .github/workflows/clean_pr.yml | 4 ++++
 .github/workflows/conflictcheck.yml | 4 ++++
 .github/workflows/nightlies.yml | 3 +++
 .github/workflows/pr_welcome.yml | 4 ++++
 .github/workflows/reviewdog.yml | 6 ++++++
 .github/workflows/tests.yml | 9 +++++++--
 10 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index bd139de68890..27fa3de84243 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -229,4 +229,6 @@ workflows:
 version: 2
 build:
 jobs:
+ # NOTE: If you rename this job, then you must update the `if` condition
+ # and `circleci-jobs` option in `.github/workflows/circleci.yml`.
 - docs-python38
diff --git a/.github/workflows/cibuildsdist.yml b/.github/workflows/cibuildsdist.yml
index 47fe4029de18..d583fe1cfbcb 100644
--- a/.github/workflows/cibuildsdist.yml
+++ b/.github/workflows/cibuildsdist.yml
@@ -1,3 +1,4 @@
+---
 name: Build CI sdist and wheel
 on:
@@ -17,6 +18,9 @@ on:
 - reopened
 - labeled
+permissions:
+ contents: read
+
 jobs:
 build_sdist:
 if: |
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
index 8cf83738a32c..825d72580c47 100644
--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -1,3 +1,4 @@
+---
 name: Build CI wheels
 on:
@@ -17,6 +18,9 @@ on:
 - reopened
 - labeled
+permissions:
+ contents: read
+
 jobs:
 build_wheels:
 if: |
diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
index 5c1c2c60331f..85e25f9c03ae 100644
--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -1,7 +1,11 @@
+---
 on: [status]
+permissions:
+ statuses: write
 jobs:
 circleci_artifacts_redirector_job:
 runs-on: ubuntu-latest
+ if: "${{ github.event.context == 'ci/circleci: docs-python38' }}"
 name: Run CircleCI artifacts redirector
 steps:
 - name: GitHub Action step
@@ -11,3 +15,7 @@ jobs:
 artifact-path: 0/doc/build/html/index.html
 circleci-jobs: docs-python38
 job-title: View the built docs
+ - name: Check the URL
+ if: github.event.status != 'pending'
+ run: |
+ curl --fail ${{ steps.step1.outputs.url }} | grep $GITHUB_SHA
diff --git a/.github/workflows/clean_pr.yml b/.github/workflows/clean_pr.yml
index f807ccf8506c..5ee1279cc7b2 100644
--- a/.github/workflows/clean_pr.yml
+++ b/.github/workflows/clean_pr.yml
@@ -1,6 +1,10 @@
+---
 name: PR cleanliness
 on: [pull_request]
+permissions:
+ contents: read
+
 jobs:
 pr_clean:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/conflictcheck.yml b/.github/workflows/conflictcheck.yml
index 3593fafdedee..3bc9ea74a132 100644
--- a/.github/workflows/conflictcheck.yml
+++ b/.github/workflows/conflictcheck.yml
@@ -1,3 +1,4 @@
+---
 name: "Maintenance"
 on:
 # So that PRs touching the same files as the push are updated
@@ -8,6 +9,9 @@ on:
 pull_request_target:
 types: [synchronize]
+permissions:
+ pull-requests: write
+
 jobs:
 main:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
index f7f12451be3b..5b96912a011a 100644
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -7,6 +7,9 @@ on:
 # Run on demand with workflow dispatch
 workflow_dispatch:
+permissions:
+ actions: read
+
 jobs:
 upload_nightly_wheels:
 name: Upload nightly wheels to Anaconda Cloud
diff --git a/.github/workflows/pr_welcome.yml b/.github/workflows/pr_welcome.yml
index 1e2627c911af..cfac27eb4a88 100644
--- a/.github/workflows/pr_welcome.yml
+++ b/.github/workflows/pr_welcome.yml
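Review bot: The new `Check the URL` step splices `${{ steps.step1.outputs.url }}` straight into the `run:` script, so whatever the redirector step emits is evaluated by the shell instead of being passed as data; the safer shape is to route it through an environment variable and quote it, i.e. `env:` / `  URL: ${{ steps.step1.outputs.url }}` above `run:` and `curl --fail "$URL" | grep "$GITHUB_SHA"` in the script. The `step1` id this relies on is not in the hunk, so it presumably belongs to the preceding `GitHub Action step`; worth confirming. The default `run` shell has no `pipefail`, so a failed curl only fails the step because grep then sees no match — a leading `set -o pipefail` would make that intent explicit. The job definition this step belongs to starts outside the hunk.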
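Review bot: `pull-requests: write` is granted to a workflow triggered by `pull_request_target`, which runs in the base repository's context with a write-capable token even for PRs from forks; the hunk does not show the job's steps, so the constraint that goes with the grant should be stated next to it, e.g. `# pull_request_target: never check out or execute code from the PR head in this job` above `permissions:`. The same applies to the `pull-requests: write` block added to `.github/workflows/pr_welcome.yml`. The `main` job's body continues outside the hunk.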
@@ -1,7 +1,11 @@
+---
 name: PR Greetings
 on: [pull_request_target]
+permissions:
+ pull-requests: write
+
 jobs:
 greeting:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
index 4528c39234c9..cd862f11f1d6 100644
--- a/.github/workflows/reviewdog.yml
+++ b/.github/workflows/reviewdog.yml
@@ -1,6 +1,12 @@
+---
 name: Linting
 on: [pull_request]
+permissions:
+ contents: read
+ checks: write
+ pull-requests: write
+
 jobs:
 flake8:
 name: flake8
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b3314f08e26e..6798669c6ed6 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,3 +1,4 @@
+---
 name: Tests
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.number }}-${{ github.event.ref }}
@@ -25,6 +26,8 @@ env:
 jobs:
 test:
 if: "github.event_name == 'workflow_dispatch' || github.repository == 'matplotlib/matplotlib' && !contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.head_commit.message, '[skip github]')"
+ permissions:
+ contents: read
 name: "Python ${{ matrix.python-version }} on ${{ matrix.os }} ${{ matrix.name-suffix }}"
 runs-on: ${{ matrix.os }}
@@ -285,9 +288,11 @@ jobs:
 # Separate dependent job to only upload one issue from the matrix of jobs
 create-issue:
- runs-on: ubuntu-latest
- needs: [test]
 if: ${{ failure() && github.event_name == 'schedule' }}
+ needs: [test]
+ permissions:
+ issues: write
+ runs-on: ubuntu-latest
 name: "Create issue on failure"
 steps:
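Review bot: The `checks: write` and `pull-requests: write` grants only take effect for pull requests opened from branches in this repository; on a `pull_request` event from a fork the token stays read-only regardless of this block, so any reporter in these jobs that needs to post a check or review comment will not be able to there. A comment above the block recording that, e.g. `# NOTE: on fork PRs the token is read-only; these write grants apply only to same-repo branches`, would save the next maintainer from chasing it. The `flake8` job and its siblings continue outside the hunk.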
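Review bot: `contents: read` is set only on the `test` job here, while `tests.yml` gains no workflow-level `permissions:` block, so any job added later without its own block inherits the repository's default token permissions. Declaring `permissions:` / `  contents: read` at the top level (after `name: Tests`) would give this file the same least-privilege default the other workflows in the patch use; the job-level `issues: write` block added to `create-issue` further down still works, since a job-level block replaces the workflow-level one entirely. The `test` job's body continues past the hunk.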