From c789fb778798d682a1b2d3c74180ba8d20c23552 Mon Sep 17 00:00:00 2001 From: Alex Date: Thu, 10 Nov 2022 03:41:07 +0200 Subject: [PATCH] [build, test] Harden workflows' security (#5410) Authored by: sashashura --- .github/workflows/build.yml | 9 ++++++--- .github/workflows/core.yml | 3 +++ .github/workflows/download.yml | 3 +++ .github/workflows/quick-test.yml | 3 +++ 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2a1b9a4aa..12e5426b1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,8 +1,12 @@ name: Build on: workflow_dispatch +permissions: + contents: read jobs: prepare: + permissions: + contents: write # for push_release runs-on: ubuntu-latest outputs: version_suffix: ${{ steps.version_suffix.outputs.version_suffix }} @@ -69,9 +73,6 @@ jobs: python pyinst.py --onedir (cd ./dist/yt-dlp_linux && zip -r ../yt-dlp_linux.zip .) python pyinst.py - - name: Get SHA2-SUMS - id: get_sha - run: | - name: Upload artifacts uses: actions/upload-artifact@v3 @@ -248,6 +249,8 @@ jobs: publish_release: + permissions: + contents: write # for action-gh-release runs-on: ubuntu-latest needs: [prepare, build_unix, build_windows, build_windows32, build_macos, build_macos_legacy] diff --git a/.github/workflows/core.yml b/.github/workflows/core.yml index d0e890b30..e12918626 100644 --- a/.github/workflows/core.yml +++ b/.github/workflows/core.yml @@ -1,5 +1,8 @@ name: Core Tests on: [push, pull_request] +permissions: + contents: read + jobs: tests: name: Core Tests diff --git a/.github/workflows/download.yml b/.github/workflows/download.yml index cc2da62fa..2b2387d4f 100644 --- a/.github/workflows/download.yml +++ b/.github/workflows/download.yml @@ -1,5 +1,8 @@ name: Download Tests on: [push, pull_request] +permissions: + contents: read + jobs: quick: name: Quick Download Tests 
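Review bot: The `contents: write` grant on `prepare` is job-wide, so every step in that job runs with a token that can push to the repository, not only the step the `# for push_release` comment refers to. The job's steps lie outside this hunk, so it is not visible how many there are or which actions they call. If the push is the only writer, consider moving it into a small job of its own that `needs: prepare`, which would leave the remaining steps on the read-only default from the new top-level block. A job-level `permissions` map replaces the workflow-level one rather than merging with it, so the comment could say so: `contents: write  # push_release only; all other scopes are none`.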
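Review bot: `publish_release` hands a write-scoped token to a third-party action (the `action-gh-release` named in the comment), and its `uses:` line is outside this hunk, so the hunk does not show whether it is pinned. The only `uses:` visible in this file, `actions/upload-artifact@v3`, is referenced by a movable tag. If the release action is referenced the same way, a retagged upstream version would run with permission to publish releases for this repository. Pinning to a full commit SHA closes that gap: `uses: <owner>/action-gh-release@<full-commit-sha>  # <tag>` (placeholders; the real values are not on this page).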
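Review bot: The top-level `permissions` block added to core.yml carries no comment, while both job-level grants in build.yml say what they are for; the same uncommented block is added to download.yml and quick-test.yml. Setting `contents: read` also drops every unlisted scope to none, which is not obvious to a maintainer who later adds a step that needs another scope. I would add `# least privilege: tests only check out the code; grant extra scopes per job, not here` above `permissions:` in all three files.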
diff --git a/.github/workflows/quick-test.yml b/.github/workflows/quick-test.yml
index 53b74e2c7..8a0ac98bb 100644
--- a/.github/workflows/quick-test.yml
+++ b/.github/workflows/quick-test.yml
@@ -1,5 +1,8 @@
 name: Quick Test
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 tests:
 name: Core Test