Skip to content

Commit badc920

Browse files
kkebokkebo
committed
ci: restrict permissions
1 parent 54a9c3a commit badc920

File tree

1 file changed

+11
-0
lines changed

1 file changed

+11
-0
lines changed

.github/workflows/ci.yml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,12 @@ on:
44
branches: ["main"]
55
pull_request:
66
branches: ["main"]
7+
permissions: {}
78
jobs:
89
build-linux:
910
runs-on: ubuntu-24.04-arm
11+
permissions:
12+
contents: read
1013
steps:
1114
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
1215
- uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
@@ -22,26 +25,34 @@ jobs:
2225
- run: swift build -c release --triple aarch64-none-none-elf --toolset toolset.json
2326
build-macos:
2427
runs-on: macos-26
28+
permissions:
29+
contents: read
2530
steps:
2631
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
2732
- run: ./scripts/ci-install-swift.sh
2833
- run: swift --version
2934
- run: swift build -c release --triple aarch64-none-none-elf --toolset toolset.json
3035
lint:
3136
runs-on: ubuntu-24.04-arm
37+
permissions:
38+
contents: read
3239
steps:
3340
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
3441
- run: ./scripts/ci-install-swift.sh
3542
- run: swift --version
3643
- run: swift format lint -rsp .
3744
yamllint:
3845
runs-on: ubuntu-24.04-arm
46+
permissions:
47+
contents: read
3948
steps:
4049
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
4150
- run: yamllint --version
4251
- run: yamllint --strict --config-file .yamllint.yml .
4352
shellcheck:
4453
runs-on: ubuntu-24.04-arm
54+
permissions:
55+
contents: read
4556
steps:
4657
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
4758
- run: shellcheck -V

0 commit comments

Comments
 (0)