

CI: Restrict default permissions
Reduces the risk of arbitrary code being run by an attacker who gains control of a workflow step, by dropping the GITHUB_TOKEN to read-only by default.
1 parent 63580c7 commit 17e4d7c


3 files changed

+18
-4
lines changed


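--- a/.github/workflows/mplfinance_checks.yml
+++ b/.github/workflows/mplfinance_checks.yml
@@ -1,4 +1,6 @@
 name: mplfinance Checks
+permissions:
+  contents: read
 on: [ workflow_dispatch, pull_request ]
 jobs:
   Regression_Tests: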

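--- a/.github/workflows/pubPyPI.yml
+++ b/.github/workflows/pubPyPI.yml
@@ -1,4 +1,6 @@
 name: Upload Mplfinance to PyPI
+permissions:
+  contents: read
 
 on:
   workflow_dispatch:
@@ -10,6 +12,10 @@ on:
 
 jobs:
   build_and_deploy:
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
@@ -18,7 +24,7 @@ jobs:
           ref: ${{ github.event.inputs.tag }}
           persist-credentials: false
 
-      - name: Display Coded Version
+      - name: Display Coded Version
         #run: git show ${{ github.sha }}:src/mplfinance/_version.py
         run: egrep 'version_info .*=' src/mplfinance/_version.py
 
@@ -32,7 +38,7 @@ jobs:
           python -m pip install --upgrade pip
           pip install setuptools wheel twine
 
-      - name: Build
+      - name: Build
         run: |
           python setup.py sdist bdist_wheel
           ls -l dist/*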
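Review bot: The job-level `id-token: write` and `attestations: write` added above `runs-on:` are only justified if the upload step authenticates to PyPI with OIDC trusted publishing (for example `pypa/gh-action-pypi-publish` with attestations enabled); the visible steps only install `twine` and build with `setup.py`, and the upload step lies outside the hunk, so this cannot be confirmed from here. If the upload runs `twine upload` with an API-token secret, the OIDC token is an unused write-scoped credential and both grants should be dropped until the workflow moves to trusted publishing, which is the least-privilege outcome the commit message aims for. Either way a one-line comment on the block would spare the next maintainer the same question, e.g. `# id-token/attestations: needed for PyPI trusted publishing (OIDC); remove if uploading with a token secret`. The build_and_deploy job continues past the end of the hunk.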

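--- a/.github/workflows/pubTestPyPI.yml
+++ b/.github/workflows/pubTestPyPI.yml
@@ -1,4 +1,6 @@
 name: Upload Mplfinance to TestPyPI
+permissions:
+  contents: read
 
 on:
   workflow_dispatch:
@@ -12,13 +14,17 @@ jobs:
   build_and_deploy:
     runs-on: ubuntu-latest
     steps:
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
       - name: Checkout Repository
         uses: actions/checkout@v3
         with:
           ref: ${{ github.event.inputs.tag }}
           persist-credentials: false
 
-      - name: Display Coded Version
+      - name: Display Coded Version
         #run: git show ${{ github.sha }}:src/mplfinance/_version.py
         run: egrep 'version_info .*=' src/mplfinance/_version.py
 
@@ -32,7 +38,7 @@ jobs:
           python -m pip install --upgrade pip
           pip install setuptools wheel twine
 
-      - name: Build
+      - name: Build
         run: |
           python setup.py sdist bdist_wheel
           ls -l dist/*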
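Review bot: The new `permissions:` block in the second hunk is inserted between `steps:` and the first `- name: Checkout Repository` item, which cannot produce a valid `steps` sequence: nested under `steps:` it turns the sequence into a mapping, and as a sibling key it leaves `steps:` empty with the list items dangling, so GitHub will reject the workflow on the next dispatch. Indentation is not recoverable from the rendered page, so which of the two failures applies cannot be told here, but the fix is the same either way: move the four lines up so they sit between `build_and_deploy:` and `runs-on: ubuntu-latest`, exactly where the sibling change to pubPyPI.yml in this commit puts them. A quick `actionlint` or YAML-parse run before merging would catch this; a permissions-hardening commit that breaks the release workflow is easy to miss until the next publish. The build_and_deploy job continues past the end of the hunk.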
