From 733d967962cb00da87d40286cc816daa1d3aa7e6 Mon Sep 17 00:00:00 2001
From: Thomas A Caswell
Date: Fri, 2 Dec 2022 16:07:58 -0500
Subject: [PATCH] Backport PR #24579: Add explicit permissions to GitHub Actions
Merge pull request #24579 from QuLogic/action-permissions
Add explicit permissions to GitHub Actions
(cherry picked from commit 24f912845dd2765c86863945ed9a5fda82ed418b)
---
.circleci/config.yml | 2 ++
.github/workflows/cibuildsdist.yml | 4 ++++
.github/workflows/cibuildwheel.yml | 4 ++++
.github/workflows/circleci.yml | 8 ++++++++
.github/workflows/clean_pr.yml | 4 ++++
.github/workflows/nightlies.yml | 3 +++
.github/workflows/pr_welcome.yml | 4 ++++
.github/workflows/reviewdog.yml | 6 ++++++
.github/workflows/tests.yml | 9 +++++++--
9 files changed, 42 insertions(+), 2 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 2b6ef7c642f4..d6da6baa1e97 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -209,4 +209,6 @@ workflows: version: 2 build: jobs: + # NOTE: If you rename this job, then you must update the `if` condition + # and `circleci-jobs` option in `.github/workflows/circleci.yml`. - docs-python38
diff --git a/.github/workflows/cibuildsdist.yml b/.github/workflows/cibuildsdist.yml
index 4e1d9085f5be..a71cd642a9b7 100644
--- a/.github/workflows/cibuildsdist.yml
+++ b/.github/workflows/cibuildsdist.yml
@@ -1,3 +1,4 @@ +--- name: Build CI sdist and wheel on:
@@ -17,6 +18,9 @@ on: - reopened - labeled +permissions: + contents: read + jobs: build_sdist: if: |
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
index 8cf83738a32c..825d72580c47 100644
--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -1,3 +1,4 @@ +--- name: Build CI wheels on:
@@ -17,6 +18,9 @@ on: - reopened - labeled +permissions: + contents: read + jobs: build_wheels: if: |
diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
index 5c1c2c60331f..85e25f9c03ae 100644
--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -1,7 +1,11 @@ +--- on: [status] +permissions: + statuses: write jobs: circleci_artifacts_redirector_job: runs-on: ubuntu-latest + if: "${{ github.event.context == 'ci/circleci: docs-python38' }}" name: Run CircleCI artifacts redirector steps: - name: GitHub Action step
@@ -11,3 +15,7 @@ jobs: artifact-path: 0/doc/build/html/index.html circleci-jobs: docs-python38 job-title: View the built docs + - name: Check the URL + if: github.event.status != 'pending' + run: | + curl --fail ${{ steps.step1.outputs.url }} | grep $GITHUB_SHA
diff --git a/.github/workflows/clean_pr.yml b/.github/workflows/clean_pr.yml
index f807ccf8506c..5ee1279cc7b2 100644
--- a/.github/workflows/clean_pr.yml
+++ b/.github/workflows/clean_pr.yml
@@ -1,6 +1,10 @@ +--- name: PR cleanliness on: [pull_request] +permissions: + contents: read + jobs: pr_clean: runs-on: ubuntu-latest
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
index 48c6e9713a8d..716d0c867aee 100644
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -7,6 +7,9 @@ on: # Run on demand with workflow dispatch workflow_dispatch: +permissions: + actions: read + jobs: upload_nightly_wheels: name: Upload nightly wheels to Anaconda Cloud
diff --git a/.github/workflows/pr_welcome.yml b/.github/workflows/pr_welcome.yml
index 1e2627c911af..cfac27eb4a88 100644
--- a/.github/workflows/pr_welcome.yml
+++ b/.github/workflows/pr_welcome.yml
@@ -1,7 +1,11 @@ +--- name: PR Greetings on: [pull_request_target] +permissions: + pull-requests: write + jobs: greeting: runs-on: ubuntu-latest
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
index 4528c39234c9..cd862f11f1d6 100644
--- a/.github/workflows/reviewdog.yml
+++ b/.github/workflows/reviewdog.yml
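Review bot: The new `Check the URL` step in the second circleci.yml hunk interpolates `${{ steps.step1.outputs.url }}` directly into the `run:` script, so whatever the redirector step emits becomes shell source before bash parses it; passing it as an environment variable keeps it data, e.g. `env:` / `URL: ${{ steps.step1.outputs.url }}` and `run: curl --fail "$URL" | grep "$GITHUB_SHA"`. The step id `step1` is not visible in this hunk, so confirm the preceding `GitHub Action step` actually declares `id: step1`. The guard `if: github.event.status != 'pending'` also looks suspect: the status webhook payload exposes the state under `state`, and if `status` is absent the comparison is always true and the curl runs for pending statuses too — verify against a real event payload. The enclosing job is defined in the first hunk of this file.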
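Review bot: Limiting the pr_welcome.yml token to `pull-requests: write` is the right scope for a greeting comment, but because the workflow runs on `pull_request_target` it executes with base-repository credentials on untrusted pull requests, so the `greeting` job's steps (outside this hunk) must not check out or run code from the PR head ref. A comment above the new block would keep that invariant visible to the next editor, e.g. `# pull_request_target runs with repo-scoped credentials: never check out or execute PR head code in this workflow.`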
@@ -1,6 +1,12 @@ +--- name: Linting on: [pull_request] +permissions: + contents: read + checks: write + pull-requests: write + jobs: flake8: name: flake8
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 08766f006f5b..30f029ac8fff 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,3 +1,4 @@ +--- name: Tests concurrency: group: ${{ github.workflow }}-${{ github.event.number }}-${{ github.event.ref }}
@@ -25,6 +26,8 @@ env: jobs: test: if: "github.event_name == 'workflow_dispatch' || github.repository == 'matplotlib/matplotlib' && !contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.head_commit.message, '[skip github]')" + permissions: + contents: read name: "Python ${{ matrix.python-version }} on ${{ matrix.os }} ${{ matrix.name-suffix }}" runs-on: ${{ matrix.os }}
@@ -281,9 +284,11 @@ jobs: # Separate dependent job to only upload one issue from the matrix of jobs create-issue: - runs-on: ubuntu-latest - needs: [test] if: ${{ failure() && github.event_name == 'schedule' }} + needs: [test] + permissions: + issues: write + runs-on: ubuntu-latest name: "Create issue on failure" steps:
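Review bot: The `checks: write` and `pull-requests: write` grants in reviewdog.yml only take effect for pull requests opened from branches in this repository; on `pull_request` events from forks the GITHUB_TOKEN is read-only regardless of this block, so if the linters report through the check or review API (their steps are outside the hunk) they will fail or fall back on fork PRs. A comment on the block would save the next person from rediscovering that, e.g. `# Write scopes below apply only to same-repo PRs; the token is read-only for fork PRs.`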
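Review bot: In tests.yml the `permissions: contents: read` block is added at job level on `test` only, whereas every other workflow in this patch declares it at workflow level; any job in this file without its own block (`create-issue` gets `issues: write` further down) still receives the repository's default token permissions. Declaring `permissions:` / `  contents: read` once at workflow level, next to `concurrency:`, and overriding per job where more is needed makes the default-deny explicit and covers jobs added later. The `test` job definition continues well past this hunk.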