Commit d644963

chore: restrict GitHub workflow permissions - future-proof (#1)
* chore: restrict GitHub workflow permissions - future-proof

  Signed-off-by: Melissa Kilby <mkilby@apple.com>

* chore: restrict GitHub workflow permissions - future-proof

  Signed-off-by: Melissa Kilby <mkilby@apple.com>

---------

Signed-off-by: Melissa Kilby <mkilby@apple.com>
1 parent fb7efd8 commit d644963

2 files changed

Lines changed: 9 additions & 7 deletions

.github/workflows/sphinx.yml

Lines changed: 6 additions & 7 deletions
@@ -1,24 +1,20 @@
11
name: Deploy sphinx site to Pages
22

3+
permissions:
4+
contents: read
5+
36
on:
47
push:
58
branches: ["main"]
69
workflow_dispatch:
710

8-
permissions:
9-
contents: read
10-
pages: write
11-
id-token: write
12-
1311
concurrency:
1412
group: "pages"
1513
cancel-in-progress: false
1614

1715
jobs:
1816
build:
1917
runs-on: ubuntu-latest
20-
permissions:
21-
contents: write
2218
steps:
2319
- uses: actions/checkout@v4
2420
- uses: actions/setup-python@v5
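
Review bot: dropping the job-level `contents: write` from `build` leaves that job on the new workflow-level `contents: read`, and the steps past `actions/setup-python@v5` are not visible in this hunk, so please confirm that nothing in `build` pushes commits, tags or release assets back to the repository before merging. A one-line comment above the top-level `permissions:` block saying it is the read-only default and that jobs must opt in to anything more would also keep a later contributor from widening it at the workflow level again.
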
@@ -36,6 +32,9 @@ jobs:
3632
path: ./docs/build/html
3733

3834
deploy:
35+
permissions:
36+
pages: write
37+
id-token: write
3938
environment:
4039
name: github-pages
4140
url: ${{ steps.deployment.outputs.page_url }}
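
Review bot: the new `permissions:` block on `deploy` replaces the workflow-level default for that job rather than adding to it, so `deploy` ends up with `pages: write` and `id-token: write` and no `contents` access at all. That is the tighter result and is fine as long as no step in `deploy` checks out the repository; a short comment on the block stating that the omission of `contents` is intentional would stop someone from re-adding it later.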

.github/workflows/testing.yml

Lines changed: 3 additions & 0 deletions
@@ -1,5 +1,8 @@
11
name: Run tests upon pull request events
22

3+
permissions:
4+
contents: read
5+
36
on:
47
pull_request:
58
branches: ["main"]
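
Review bot: the top-level `contents: read` here applies to every job in a workflow triggered by `pull_request`, and the jobs are outside this hunk, so check that none of them relies on a write scope, for example to post a PR comment or publish check results, since that would now fail with a permission error. If the tests only check out and run the code, this is the right default and needs no job-level overrides.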
