Skip to content

Commit

Permalink
Scorecard: Delcare default permissions as read only except CodeQL.
Browse files Browse the repository at this point in the history
  • Loading branch information
winlinvip committed Jan 10, 2023
1 parent d340856 commit badf33c
Show file tree
Hide file tree
Showing 4 changed files with 17 additions and 7 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ name: "CodeQL"
# @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
on: [push, pull_request]

# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions: write-all

jobs:
analyze:
name: actions-codeql-analyze
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,9 @@ on:
tags:
- v6*

# Declare default permissions as read only.
permissions: read-all

jobs:
envs:
name: envs
Expand Down
15 changes: 8 additions & 7 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Scorecard supply-chain security
name: Scorecard

on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
Expand Down Expand Up @@ -58,12 +59,12 @@ jobs:

# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
with:
name: SARIF file
path: results.sarif
retention-days: 5
#- name: "Upload artifact"
# uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
# with:
# name: SARIF file
# path: results.sarif
# retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
Expand Down
3 changes: 3 additions & 0 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,9 @@ name: "Test"
# @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
on: [push, pull_request]

# Declare default permissions as read only.
permissions: read-all

# The dependency graph:
# test(6m)
# multiple-arch-armv7(13m)
Expand Down

0 comments on commit badf33c

Please sign in to comment.