
Commit f61d9d5

chore: workflow cleanup (#202)
* chore: workflow cleanup - workflow token scopes: added global contents: read default and per-job overrides to grant only what’s required (mostly actions: write for caches, issues: write for PR comments, contents: write for release publishing) in .github/workflows/workflow.yml. * fix: add pull-request write permission to make create-or-update-comment work * chore: remove actions write permission --------- Co-authored-by: Aliaksandr Babrykovich <[email protected]>
1 parent 910b6ae commit f61d9d5

1 file changed

+21
-0
lines changed

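--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
@@ -13,6 +13,9 @@ on:
 workflow_dispatch:
 repository_dispatch:
 
+permissions:
+contents: read
+
 concurrency:
 group: '${{ github.workflow }}-${{ github.job }}-${{ github.head_ref || github.ref_name }}'
 cancel-in-progress: true
@@ -24,6 +27,8 @@ env:
 jobs:
 test:
 name: Test SDK
+permissions:
+contents: read
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -61,6 +66,8 @@ jobs:
 sources-lint:
 name: Lint Source files
 needs: test
+permissions:
+contents: read
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -82,6 +89,8 @@ jobs:
 pod-lint:
 name: Lint Podspec
 needs: test
+permissions:
+contents: read
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -99,6 +108,8 @@ jobs:
 carthage-build:
 name: Carthage Build
 needs: test
+permissions:
+contents: read
 runs-on: ${{ matrix.os }}
 continue-on-error: ${{ matrix.experimental }}
 strategy:
@@ -129,6 +140,8 @@ jobs:
 swift-package-build:
 name: Swift Package Build
 needs: test
+permissions:
+contents: read
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -146,6 +159,10 @@ jobs:
 size-report:
 name: Cocoapods size report
 if: github.event_name == 'pull_request'
+permissions:
+pull-requests: write
+contents: read
+issues: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -209,6 +226,8 @@ jobs:
 samples:
 name: Build Samples
 needs: test
+permissions:
+contents: read
 runs-on: ${{ matrix.os }}
 continue-on-error: ${{ matrix.experimental }}
 strategy:
@@ -246,6 +265,8 @@ jobs:
 - carthage-build
 - swift-package-build
 - samples
+permissions:
+contents: write
 runs-on: macos-14
 steps:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2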
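Review bot: The `size-report` job now carries `pull-requests: write` and `issues: write` for its whole run, yet it opens with the same `actions/checkout` step as the read-only jobs, and checkout by default leaves the job token in the local git config where every later step can read it. If the steps outside this hunk build or run code from the pull request, set `persist-credentials: false` under that checkout's `with:`, or move the comment step into a small follow-up job that alone holds the write scopes. The same applies to the last job, which gets `contents: write`. Because the job is gated on `github.event_name == 'pull_request'`, pull requests from forks normally receive a read-only token whatever this block requests, so a comment above the block such as `# fork PRs get a read-only token; the comment step is expected to fail there` would save the next maintainer some debugging. The step lists of both jobs lie outside the hunks, so the first point is inferred from the checkout line alone.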
