
Commit 6dca787

ci: set explicit workflow permissions (#31830)
* Set explicit workflow permissions * Should be a no-op since we're using restricted GITHUB_TOKENs by default
1 parent 46745f9 commit 6dca787

14 files changed

+42
-2
lines changed

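--- a/.github/workflows/_compile_integration_test.yml
+++ b/.github/workflows/_compile_integration_test.yml
@@ -12,6 +12,9 @@ on:
 type: string
 description: "Python version to use"
 
+permissions:
+contents: read
+
 env:
 UV_FROZEN: "true"
 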
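Review bot: The added `permissions:` block is not strictly the no-op the description expects: once any scope is listed, every unlisted scope becomes `none`, whereas GitHub's restricted default token also carries `packages: read`. No step that uses the token for packages is visible here, but the jobs lie outside the hunk, so this is worth confirming for this file and for the other workflow files in the commit that receive the same block. Because the repository default is a setting that can change outside version control, a one-line comment above the block would record the intent, e.g. `# Least privilege: GITHUB_TOKEN may only read repository contents; grant extra scopes per job.`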

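--- a/.github/workflows/_integration_test.yml
+++ b/.github/workflows/_integration_test.yml
@@ -12,6 +12,9 @@ on:
 type: string
 description: "Python version to use"
 
+permissions:
+contents: read
+
 env:
 UV_FROZEN: "true"
 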

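--- a/.github/workflows/_lint.yml
+++ b/.github/workflows/_lint.yml
@@ -12,6 +12,9 @@ on:
 type: string
 description: "Python version to use"
 
+permissions:
+contents: read
+
 env:
 WORKDIR: ${{ inputs.working-directory == '' && '.' || inputs.working-directory }}
 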

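--- a/.github/workflows/_test.yml
+++ b/.github/workflows/_test.yml
@@ -12,6 +12,9 @@ on:
 type: string
 description: "Python version to use"
 
+permissions:
+contents: read
+
 env:
 UV_FROZEN: "true"
 UV_NO_SYNC: "true"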

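--- a/.github/workflows/_test_doc_imports.yml
+++ b/.github/workflows/_test_doc_imports.yml
@@ -8,6 +8,9 @@ on:
 type: string
 description: "Python version to use"
 
+permissions:
+contents: read
+
 env:
 UV_FROZEN: "true"
 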

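--- a/.github/workflows/_test_pydantic.yml
+++ b/.github/workflows/_test_pydantic.yml
@@ -17,6 +17,9 @@ on:
 type: string
 description: "Pydantic version to test."
 
+permissions:
+contents: read
+
 env:
 UV_FROZEN: "true"
 UV_NO_SYNC: "true"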

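--- a/.github/workflows/check-broken-links.yml
+++ b/.github/workflows/check-broken-links.yml
@@ -5,6 +5,9 @@ on:
 schedule:
 - cron: '0 13 * * *'
 
+permissions:
+contents: read
+
 jobs:
 check-links:
 if: github.repository_owner == 'langchain-ai' || github.event_name != 'schedule'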

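--- a/.github/workflows/check_core_versions.yml
+++ b/.github/workflows/check_core_versions.yml
@@ -6,6 +6,9 @@ on:
 - 'libs/core/pyproject.toml'
 - 'libs/core/langchain_core/version.py'
 
+permissions:
+contents: read
+
 jobs:
 check_version_equality:
 runs-on: ubuntu-latest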

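--- a/.github/workflows/check_diffs.yml
+++ b/.github/workflows/check_diffs.yml
@@ -16,6 +16,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+contents: read
+
 env:
 UV_FROZEN: "true"
 UV_NO_SYNC: "true"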
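Review bot: If this workflow calls the `_*.yml` reusable workflows changed in the same commit, the block added here becomes the ceiling for what those callees may request; the `uses:` lines are outside the hunk, so the caller relationship is inferred from the file names. A called workflow can only keep or reduce the token permissions it is handed, so `contents: read` on both sides agrees. Any other caller whose job grants less than `contents: read` would be rejected at workflow start-up instead of running, which is worth checking against the callers not shown here. A comment above the block would keep the pairing visible, e.g. `# Must grant at least what the reusable workflows called below request (contents: read).`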

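--- a/.github/workflows/check_new_docs.yml
+++ b/.github/workflows/check_new_docs.yml
@@ -15,6 +15,9 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
 
+permissions:
+contents: read
+
 jobs:
 build:
 runs-on: ubuntu-latest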
