From 4c603d8fc6f1cea6f344616c78bb445039a66e18 Mon Sep 17 00:00:00 2001 From: Matthew Feickert Date: Thu, 30 May 2024 14:21:47 -0500 Subject: [PATCH] Update permissions changes --- .github/workflows/bump-version.yml | 5 +++++ .github/workflows/ci.yml | 3 +++ .github/workflows/codeql-analysis.yml | 7 +++++++ .github/workflows/dependencies-head.yml | 3 +++ .github/workflows/docker.yml | 6 ++++++ .github/workflows/docs.yml | 3 +++ .github/workflows/lint.yml | 3 +++ .github/workflows/lower-bound-requirements.yml | 3 +++ .github/workflows/merged.yml | 3 +++ .github/workflows/notebooks.yml | 5 ++++- .github/workflows/semantic-pr-check.yml | 6 ++++++ 11 files changed, 46 insertions(+), 1 deletion(-) diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index 3a5b1f0142..e63bf7c940 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -33,8 +33,13 @@ on: description: 'Perform a dry run to check' default: true +permissions: + contents: read + jobs: bump-version: + permissions: + contents: write # for Git to git push runs-on: ubuntu-latest if: github.repository == 'scikit-hep/pyhf' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 588d759f5e..6088875367 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -15,6 +15,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: test: diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 7d680f58d3..507b0c7808 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
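Review bot: The job-level `permissions:` block on `bump-version` replaces the workflow-level one rather than extending it, so every scope the job uses has to be listed there; `contents: write` covers the `git push` the comment names, but if the job also opens a pull request it would need `pull-requests: write` as well, and the steps are outside the hunk so this is worth confirming. A push made with the repository `GITHUB_TOKEN` also does not start other workflow runs, so no push- or tag-triggered workflow will fire on the bumped commit; if a tagged release pipeline is expected to follow the bump, the push has to be authenticated with a different token, and the comment could say which is intended, e.g. `contents: write # for Git to git push the version bump (a GITHUB_TOKEN push triggers no downstream workflows)`.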
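Review bot: The new workflow-level `permissions: contents: read` applies to every job in ci.yml, and the hunk shows only the start of the `test` job; any later job or step in this file that relied on the default token's write scopes (posting a commit status or check, commenting on a PR, pushing results) will now fail with a 403 unless it gets its own job-level block like the one added to bump-version.yml. The same applies to the identical hunks in dependencies-head.yml, docs.yml, lint.yml, lower-bound-requirements.yml, merged.yml and notebooks.yml; docs.yml (`build: name: Build docs`) is the first to check in case a deploy job follows the build. Because a job-level block overrides rather than merges, a job that needs one extra scope must restate `contents: read` next to it, as codeql-analysis.yml does.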
@@ -15,8 +15,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/analyze to upload SARIF results name: Analyze runs-on: ubuntu-latest diff --git a/.github/workflows/dependencies-head.yml b/.github/workflows/dependencies-head.yml index 849cf6fea4..feaf00a5ec 100644 --- a/.github/workflows/dependencies-head.yml +++ b/.github/workflows/dependencies-head.yml @@ -10,6 +10,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: release-candidates: diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index bd9b5527f4..e3b4616fa3 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -20,9 +20,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: docker: name: Build, test, and publish Docker images to Docker Hub + permissions: + contents: read + packages: write # for docker to push to registry runs-on: ubuntu-latest steps: diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 365aeff43b..c434195821 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -14,6 +14,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: build: name: Build docs diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index fdce2d7b28..5cc93cb35c 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -8,6 +8,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: lint: 
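Review bot: `packages: write` is only consumed by pushes to GitHub Packages (ghcr.io) authenticated with `GITHUB_TOKEN`, while the job name says the images are published to Docker Hub, which is authenticated with a Docker Hub secret and needs no token scope at all. If the job does not also push to ghcr.io, the scope should be dropped so the job runs with `contents: read` only; if it does, the comment should name the registry, e.g. `packages: write # for docker to push to ghcr.io`. The job's steps are outside the hunk, so which case applies cannot be seen here.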
diff --git a/.github/workflows/lower-bound-requirements.yml b/.github/workflows/lower-bound-requirements.yml index 1c762efb64..dd1593b164 100644 --- a/.github/workflows/lower-bound-requirements.yml +++ b/.github/workflows/lower-bound-requirements.yml @@ -6,6 +6,9 @@ on: - cron: '1 0 * * *' workflow_dispatch: +permissions: + contents: read + jobs: test: diff --git a/.github/workflows/merged.yml b/.github/workflows/merged.yml index 3923caaffe..cce0e42670 100644 --- a/.github/workflows/merged.yml +++ b/.github/workflows/merged.yml @@ -5,6 +5,9 @@ on: types: [closed] workflow_dispatch: +permissions: + contents: read + jobs: binder: name: Trigger Binder build diff --git a/.github/workflows/notebooks.yml b/.github/workflows/notebooks.yml index 29d6df0605..50580dfa86 100644 --- a/.github/workflows/notebooks.yml +++ b/.github/workflows/notebooks.yml @@ -10,6 +10,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: test: @@ -41,4 +44,4 @@ jobs: # Override the ini option for filterwarnings with an empty list to disable error # on filterwarnings as testing for notebooks to run with the latest API, not if # Jupyter infrastructure is warning free. - pytest --override-ini filterwarnings= tests/test_notebooks.py + pytest --verbose --override-ini filterwarnings= tests/test_notebooks.py diff --git a/.github/workflows/semantic-pr-check.yml b/.github/workflows/semantic-pr-check.yml index 143ec8377e..f7f0d13283 100644 --- a/.github/workflows/semantic-pr-check.yml +++ b/.github/workflows/semantic-pr-check.yml @@ -11,9 +11,15 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event.number }} cancel-in-progress: true +permissions: + contents: read + jobs: main: + permissions: + pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs + statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR name: Validate PR title runs-on: ubuntu-latest
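Review bot: The `--verbose` added to the pytest invocation in notebooks.yml is unrelated to the permissions hardening the subject describes and is the diffstat's single deletion; it would be cleaner in its own commit so that this one stays a pure permissions change for the test steps. If it stays, the comment block above the command explains the `--override-ini` part but not the verbosity; a short addition such as `# --verbose lists each notebook test as it runs so a failure is easy to locate in the CI log` would keep the comment complete.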