diff --git a/.github/workflows/latest-npm.yml b/.github/workflows/latest-npm.yml
index c064f21..48fb62e 100644
--- a/.github/workflows/latest-npm.yml
+++ b/.github/workflows/latest-npm.yml
@@ -4,6 +4,8 @@ on: [pull_request, push]
 jobs:
 nodes:
+ permissions:
+ contents: read
 name: 'nvm install-latest-npm'
 runs-on: ubuntu-latest
@@ -44,6 +46,8 @@ jobs:
 - run: npm --version
 node:
+ permissions:
+ contents: none
 name: 'nvm install-latest-npm'
 needs: [nodes]
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 4285c31..32f279d 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -4,6 +4,8 @@ on: [pull_request, push]
 jobs:
 eclint:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
@@ -14,6 +16,8 @@ jobs:
 - run: npm run eclint
 dockerfile_lint:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
@@ -24,6 +28,8 @@ jobs:
 - run: npm run dockerfile_lint
 doctoc:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
@@ -34,6 +40,8 @@ jobs:
 - run: npm run doctoc:check
 test_naming:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
diff --git a/.github/workflows/rebase.yml b/.github/workflows/rebase.yml
index 027aed0..e97e6a9 100644
--- a/.github/workflows/rebase.yml
+++ b/.github/workflows/rebase.yml
@@ -4,6 +4,8 @@ on: [pull_request_target]
 jobs:
 _:
+ permissions:
+ contents: write
 name: "Automatic Rebase"
 runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 596a040..dfd9969 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,8 @@ on: [pull_request, push]
 jobs:
 release:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
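Review bot: The `permissions:` block is added per job (first under `nodes` in latest-npm.yml) and no workflow-level default is set, so any job without its own block still receives the repository's default `GITHUB_TOKEN` scopes. A top-level `permissions: {}` after the `on:` line, with the per-job grants kept as overrides, would make least privilege the default for jobs added later. The same applies to the hunks in lint.yml, rebase.yml, release.yml, require-allow-edits.yml, shellcheck.yml, toc.yml and windows-npm.yml. The top of each workflow file is outside these hunks, so this assumes no top-level block already exists.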
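Review bot: `contents: none` under the `node` job in latest-npm.yml reads as if only the contents scope were restricted, although setting any key under `permissions` already drops every unlisted scope to no access. Writing `permissions: {}` states the intent directly, or a comment such as `# no token scopes needed by this job` above the block would do. The same wording appears for `shellcheck` in shellcheck.yml and for the jobs in windows-npm.yml. The steps of these jobs are outside the hunks, so confirm that none of them needs to read the repository through the token.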
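Review bot: `contents: write` in rebase.yml is granted to a job triggered by `pull_request_target`, which runs with the base repository's token even for pull requests from forks, and the hunk carries no comment saying why write access is required. A line such as `# write: needed to push the rebased branch; steps must never check out or run PR-head code` above the grant would record the constraint for later edits (the purpose is presumed from the job name "Automatic Rebase"). The job's steps lie outside the hunk, so whether they currently execute code from the pull request cannot be confirmed here. The `contents: write` grant in toc.yml would benefit from the same one-line justification.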
diff --git a/.github/workflows/require-allow-edits.yml b/.github/workflows/require-allow-edits.yml index aac42d3..b92dcd5 100644 --- a/.github/workflows/require-allow-edits.yml +++ b/.github/workflows/require-allow-edits.yml @@ -4,6 +4,8 @@ on: [pull_request_target] jobs: _: + permissions: + pull-requests: read name: "Require “Allow Edits”" runs-on: ubuntu-latest diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 728b230..7b375a8 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -4,6 +4,8 @@ on: [pull_request, push] jobs: shellcheck_matrix: + permissions: + contents: read runs-on: ubuntu-latest strategy: fail-fast: false @@ -32,6 +34,8 @@ jobs: run: shellcheck -s ${{ matrix.shell }} ${{ matrix.file }} shellcheck: + permissions: + contents: none needs: [shellcheck_matrix] runs-on: ubuntu-latest steps: diff --git a/.github/workflows/toc.yml b/.github/workflows/toc.yml index 55ea20f..60ed577 100644 --- a/.github/workflows/toc.yml +++ b/.github/workflows/toc.yml @@ -4,6 +4,8 @@ on: [push] jobs: _: + permissions: + contents: write name: "update readme TOC" runs-on: ubuntu-latest diff --git a/.github/workflows/windows-npm.yml b/.github/workflows/windows-npm.yml old mode 100755 new mode 100644 index 8751e5b..90c5002 --- a/.github/workflows/windows-npm.yml +++ b/.github/workflows/windows-npm.yml @@ -9,6 +9,8 @@ env: jobs: msys_fail_install: # Default installation does not work due to npm_config_prefix set to C:\npm\prefix + permissions: + contents: none name: 'MSYS fail prefix nvm install' runs-on: windows-latest steps: @@ -20,6 +22,8 @@ jobs: ! nvm install --lts msys_matrix: + permissions: + contents: none name: 'MSYS nvm install' runs-on: windows-latest strategy: @@ -43,6 +47,8 @@ jobs: nvm install ${{ matrix.npm-node-version }} cygwin_matrix: + permissions: + contents: none name: 'Cygwin nvm install' runs-on: windows-latest steps: 
@@ -111,6 +117,8 @@ jobs:
 nvm install ${{ matrix.npm-node-version }}
 nvm_windows:
+ permissions:
+ contents: none
 needs: [wsl_matrix, cygwin_matrix, msys_matrix, msys_fail_install]
 runs-on: ubuntu-latest
 steps:
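Review bot: `wsl_matrix`, listed in the `needs:` of `nvm_windows`, gets no `permissions:` block in any hunk visible here, while the other jobs in windows-npm.yml are set to `contents: none`. The hunk offsets (`-43 +47`, then `-111 +117`) grow only by the two lines added under `cygwin_matrix`, which suggests nothing was inserted between those positions. If `wsl_matrix` is defined in that stretch it keeps the repository's default token scopes; adding `permissions:` with `contents: none` under it would close the gap. Disregard this if the job is defined in a part of the file not shown.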