[build, test] Harden workflows' security (#5410)

Authored by: sashashura
2 years ago · c789fb7787
parent ed6bec168d
commit c789fb7787
4 changed files with 15 additions and 3 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -1,8 +1,12 @@
 name: Build
 on: workflow_dispatch
+permissions:
+  contents: read

 jobs:
  prepare:
+    permissions:
+      contents: write  # for push_release
    runs-on: ubuntu-latest
    outputs:
      version_suffix: ${{ steps.version_suffix.outputs.version_suffix }}
@ -69,9 +73,6 @@ jobs:
          python pyinst.py --onedir
          (cd ./dist/yt-dlp_linux && zip -r ../yt-dlp_linux.zip .)
          python pyinst.py
-    - name: Get SHA2-SUMS
-      id: get_sha
-      run: |

    - name: Upload artifacts
      uses: actions/upload-artifact@v3
@ -248,6 +249,8 @@ jobs:


  publish_release:
+    permissions:
+      contents: write  # for action-gh-release
    runs-on: ubuntu-latest
    needs: [prepare, build_unix, build_windows, build_windows32, build_macos, build_macos_legacy]

--- a/.github/workflows/core.yml
+++ b/.github/workflows/core.yml
@ -1,5 +1,8 @@
 name: Core Tests
 on: [push, pull_request]
+permissions:
+  contents: read
+
 jobs:
  tests:
    name: Core Tests
--- a/.github/workflows/download.yml
+++ b/.github/workflows/download.yml
@ -1,5 +1,8 @@
 name: Download Tests
 on: [push, pull_request]
+permissions:
+  contents: read
+
 jobs:
  quick:
    name: Quick Download Tests
--- a/.github/workflows/quick-test.yml
+++ b/.github/workflows/quick-test.yml
@ -1,5 +1,8 @@
 name: Quick Test
 on: [push, pull_request]
+permissions:
+  contents: read
+
 jobs:
  tests:
    name: Core Test