From ef9f0dec2b28978d70e1aadd1e37e1052f90c77c 2022-09-08 12:17:51
From: Matthias Bussonnier
Date: 2022-09-08 12:17:51
Subject: [PATCH] SEC: force workflows to be read-only. Via tidelift and suggested by https://deps.dev/pypi/ipython
---
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index e4be71c..f18fb39 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -2,6 +2,9 @@ name: Build docs
 on: [push, pull_request]
+permissions:
+ contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/downstream.yml b/.github/workflows/downstream.yml
index ae2dbe5..e6206ae 100644
--- a/.github/workflows/downstream.yml
+++ b/.github/workflows/downstream.yml
@@ -8,6 +8,8 @@ on:
 - cron: '23 1 * * 1'
 workflow_dispatch:
+permissions:
+ contents: read
 jobs:
 test:
diff --git a/.github/workflows/mypy.yml b/.github/workflows/mypy.yml
index 2725c92..8d1927d 100644
--- a/.github/workflows/mypy.yml
+++ b/.github/workflows/mypy.yml
@@ -6,6 +6,9 @@ on:
 pull_request:
 branches: [ main, 7.x]
+permissions:
+ contents: read
+
 jobs:
 build:
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
index fc28ac8..62667b4 100644
--- a/.github/workflows/python-package.yml
+++ b/.github/workflows/python-package.yml
@@ -3,6 +3,9 @@ name: Python package
+permissions:
+ contents: read
+
 on:
 push:
 branches: [ main, 7.x ]
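Review bot: The top-level `permissions:` block added to docs.yml has no comment explaining it, and the same holds for the identical blocks in downstream.yml, mypy.yml and python-package.yml. Once any scope is named at workflow level, the unlisted GITHUB_TOKEN scopes (apart from `metadata`) drop to `none`, so a maintainer who later adds a step needing a write scope should see that the restriction is deliberate and widen it on that job only. I would put `# Least privilege: GITHUB_TOKEN is read-only; grant extra scopes on the job that needs them.` above each block. The job steps lie outside these hunks, so whether any of them depends on a scope that is now `none` cannot be confirmed from the patch.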
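Review bot: In python-package.yml the `permissions:` block sits above `on:`, while docs.yml, downstream.yml and mypy.yml place it after the trigger block and before `jobs:`. GitHub accepts either order, but keeping one position makes it easier to audit that every workflow carries the restriction. I would move the three added lines to just before `jobs:`; the end of the `on:` block and the `jobs:` line are outside this hunk.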