diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml index 16900f43..cc6f67d7 100644 --- a/.github/workflows/ci-cd.yml +++ b/.github/workflows/ci-cd.yml @@ -10,6 +10,7 @@ on: schedule: - cron: '0 16 * * *' workflow_dispatch: +permissions: {} jobs: test: @@ -122,6 +123,9 @@ jobs: github.event.sender.login != 'dependabot[bot]' && ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository ) runs-on: ubuntu-latest + permissions: + checks: write + pull-requests: write steps: - name: Checkout @@ -152,6 +156,10 @@ jobs: github.event.sender.login != 'dependabot[bot]' && ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository ) runs-on: ubuntu-latest + permissions: + checks: write + pull-requests: write + security-events: write steps: - name: Checkout @@ -213,6 +221,10 @@ jobs: github.event.sender.login != 'dependabot[bot]' && ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository ) runs-on: ${{ matrix.os }} + permissions: + checks: write + pull-requests: write + strategy: fail-fast: false max-parallel: 3 @@ -291,6 +303,9 @@ jobs: github.event.sender.login != 'dependabot[bot]' && ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository ) runs-on: ubuntu-latest + permissions: + checks: write + pull-requests: write steps: - name: Checkout @@ -332,6 +347,9 @@ jobs: github.event.sender.login != 'dependabot[bot]' && ( github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository ) runs-on: ubuntu-latest + permissions: + checks: write + pull-requests: write steps: - name: Checkout diff --git a/.github/workflows/unit-test-results.yml b/.github/workflows/unit-test-results.yml index 884b8efd..2bdaa858 100644 --- a/.github/workflows/unit-test-results.yml +++ b/.github/workflows/unit-test-results.yml 
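Review bot: The workflow-level `permissions: {}` added in the first ci-cd.yml hunk (`@@ -10,6 +10,7 @@`) silently changes the token of every job that does not declare its own block — the `test` job visible right below it, for one — to no scopes at all, and nothing on the line records that this is deliberate. A one-line comment above it, `# Deny all token scopes by default; each job below requests only what it needs.`, would stop a later contributor from "fixing" a permission error by widening this line instead of the one job that needs it. The `jobs:` mapping continues outside the hunk.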
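Review bot: The `security-events: write` grant in the third ci-cd.yml hunk (`@@ -152,6 +156,10 @@`) is the only job-level scope in this commit that goes beyond checks and pull requests, and none of the visible context says which step needs it; a comment beside it naming that step, e.g. `security-events: write  # needed by the <step name> upload to code scanning`, keeps the grant from outliving the step. It is also worth confirming that the step actually uploads results rather than only reading alerts, since `read` would then be enough. The job's steps continue outside the hunk.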
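Review bot: The permissions block in the fourth ci-cd.yml hunk (`@@ -213,6 +221,10 @@`) is followed by an added blank line before `strategy:`, whereas the other four jobs place `permissions:` directly above the next key; dropping that blank line keeps the five job headers uniform and makes the diff read as one consistent change. Functionally the four-line block is equivalent to the three-line ones. The matrix `strategy:` and the job's steps continue outside the hunk.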
@@ -5,20 +5,17 @@ on: workflows: ["CI/CD"] types: - completed +permissions: {} jobs: - debug: - name: Debug - runs-on: ubuntu-latest - - steps: - - name: Debug Action - uses: hmarr/debug-action@v2.0.1 - unit-test-results: name: Unit Test Results (reference) - runs-on: ubuntu-latest if: github.event.workflow_run.conclusion != 'skipped' + runs-on: ubuntu-latest + permissions: + actions: read + checks: write + pull-requests: write steps: - name: Download and Extract Artifacts diff --git a/README.md b/README.md index 6f7b393b..4d4a72b0 100644 --- a/README.md +++ b/README.md @@ -108,9 +108,9 @@ The following permissions are required in **private** GitHub repos: ```yaml permissions: - checks: write contents: read issues: read + checks: write pull-requests: write ``` @@ -266,6 +266,7 @@ are then all downloaded by your publish job. name: CI on: [push] +permissions: {} jobs: build-and-test: @@ -300,6 +301,17 @@ jobs: name: "Publish Unit Tests Results" needs: build-and-test runs-on: ubuntu-latest + permissions: + checks: write + + # only needed unless run with comment_mode: off + pull-requests: write + + # only needed for private repository + contents: read + + # only needed for private repository + issues: read if: always() steps: @@ -382,11 +394,24 @@ on: workflows: ["CI"] types: - completed +permissions: {} jobs: unit-test-results: name: Unit Test Results runs-on: ubuntu-latest + permissions: + actions: read + checks: write + + # only needed unless run with comment_mode: off + pull-requests: write + + # only needed for private repository + contents: read + + # only needed for private repository + issues: read if: github.event.workflow_run.conclusion != 'skipped' steps:
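Review bot: The `unit-test-results` job is triggered by `workflow_run` on the "CI/CD" workflow, so it runs with a base-repository token even when the originating run came from a fork pull request, and its first step, `Download and Extract Artifacts`, consumes output of that possibly untrusted run; the tightened block (`actions: read`, `checks: write`, `pull-requests: write`) is the right scope, but a comment above it such as `# Runs with a base-repo token on fork PRs; the downloaded artifacts are untrusted input, so do not widen these scopes.` would make that constraint explicit to later editors. Moving `runs-on` below `if` is cosmetic and fine, and dropping the `debug` job also removes a step that printed the full event payload into logs. The job's steps continue outside the hunk.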