| author | Karel Zak <kzak@redhat.com> | 2022-09-30 10:46:11 +0200 |
|---|---|---|
| committer | Karel Zak <kzak@redhat.com> | 2022-09-30 10:46:11 +0200 |
| commit | 238ea44157da69eba43d7bd5ded2f710a5089760 (patch) | |
| tree | 29f91d8d5411ede1bcb68d0448468b26c7f09aa5 | |
| parent | e70e5258c05b856842ce5bd2ab2d6cb4d440162b (diff) | |
| parent | fe267f8ab0ec69d049d632444c8b6b6255342d1e (diff) | |
| download | util-linux-238ea44157da69eba43d7bd5ded2f710a5089760.tar.gz | |
Merge branch 'patch-1' of https://github.com/sashashura/util-linux
* 'patch-1' of https://github.com/sashashura/util-linux:
build: harden coverity.yml permissions
build: harden cibuild.yml permissions
build: harden cifuzz.yml permissions
| -rw-r--r-- | .github/workflows/cibuild.yml | 7 | ||||
| -rw-r--r-- | .github/workflows/cifuzz.yml | 7 | ||||
| -rw-r--r-- | .github/workflows/coverity.yml | 3 |
3 files changed, 17 insertions, 0 deletions
diff --git a/.github/workflows/cibuild.yml b/.github/workflows/cibuild.yml
index 811537cc88..dc10ad4c41 100644
--- a/.github/workflows/cibuild.yml
+++ b/.github/workflows/cibuild.yml
@@ -14,6 +14,9 @@ on:
 - 'Documentation/**'
 - 'lib*/docs/**'
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 build:
 runs-on: ubuntu-latest
@@ -38,6 +41,10 @@ jobs:
 - name: Make install
 run: .github/workflows/cibuild.sh INSTALL
 coveralls:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ checks: write # to create new checks (coverallsapp/github-action)
+
 runs-on: ubuntu-latest
 if: github.repository == 'util-linux/util-linux'
 env:
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 93ebc3ceaa..e4945c06a2 100644
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -12,8 +12,15 @@ on:
 - master
 paths:
 - '**'
+permissions:
+ contents: read # to clone the repo (google/oss-fuzz/infra/cifuzz/actions/run_fuzzers)
+
 jobs:
 Fuzzing:
+ permissions:
+ actions: read # to fetch the artifacts (google/oss-fuzz/infra/cifuzz/actions/run_fuzzers)
+ contents: read # to clone the repo (google/oss-fuzz/infra/cifuzz/actions/run_fuzzers)
+
 runs-on: ubuntu-latest
 if: github.repository == 'util-linux/util-linux'
 strategy:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index d5cf381fc0..b86c00a5c1 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -6,6 +6,9 @@ on:
 # send data to Coverity daily at midnight
 - cron: '0 0 * * *'
 
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
 jobs:
 build:
 runs-on: ubuntu-latest |
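Review bot: The `coveralls` job in cibuild.yml is the one place in this commit where the token gets a write scope (`checks: write`), and per the added comment that token is consumed by the third-party coverallsapp/github-action. The step's `uses:` line is outside the hunk, so how the action is referenced cannot be seen here; if it is a tag or branch, pinning it to a full commit SHA would keep a moved ref from running with the write-scoped token. The job body continues past the hunk's last line (`env:`).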
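Review bot: Nothing next to the `Fuzzing` job's `permissions:` block in cifuzz.yml says why `contents: read` is listed again right after the workflow-level block; it has to be, because a job-level `permissions:` replaces the workflow default and any scope left out becomes `none`. I would add a comment above the job block, e.g. `# job-level permissions replace the workflow default; list every scope the job needs`, so the duplicate is not later removed as redundant. The same comment fits the `coveralls` job in cibuild.yml. The job body continues outside the hunk.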
