diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d70f5387..7aad1289 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,7 @@ on:
 push:
 branches: [main, release-*]
 pull_request:
+permissions: read-all
 env:
 DOTNET_NOLOGO: true
 DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 04098fde..cfbc4899 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,6 +20,8 @@ on:
 schedule:
 - cron: '43 4 * * 0'
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/infer-sharp.yml b/.github/workflows/infer-sharp.yml
index 40c2f476..cf2f9c0f 100644
--- a/.github/workflows/infer-sharp.yml
+++ b/.github/workflows/infer-sharp.yml
@@ -3,6 +3,7 @@ on:
 push:
 branches: [main, release-*]
 pull_request:
+permissions: read-all
 jobs:
 infer-sharp:
 runs-on: ubuntu-latest
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index dfe6709b..f2338a92 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,13 +3,22 @@ on:
 push:
 branches: [main, release-*]
 pull_request:
+permissions: read-all
 jobs:
 lint:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: read
+ statuses: write
 steps:
 - uses: actions/checkout@v4.1.1
- - uses: github/super-linter@v5.0.0
+ with:
+ fetch-depth: 0
+ filter: tree:0
+ - uses: super-linter/super-linter@v6.3.0
 env:
+ DEFAULT_BRANCH: main
 FILTER_REGEX_EXCLUDE: \bcodeql-analysis\.yml$|\bLICENSE$|\bversions\.txt$
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 VALIDATE_SHELL_SHFMT: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 567060b6..7c92c040 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,6 +2,7 @@ name: release
 on:
 push:
 tags: ["*.*.*"]
+permissions: read-all
 env:
 DOTNET_NOLOGO: true
 DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
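Review bot: `permissions: read-all` at the top of ci.yml still gives the GITHUB_TOKEN read access to every scope, which is wider than a build-and-test workflow normally needs. The tighter form is a top-level `permissions:` block containing only `contents: read`, with further scopes granted per job where a step demonstrably needs them, as the lint.yml hunk in this commit already does for its job. The jobs of ci.yml lie outside this hunk, so the exact set has to be confirmed against their steps. The same point applies to the identical line added in infer-sharp.yml, release.yml and spell-check.yml.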
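Review bot: The workflow-level `permissions: read-all` added above `jobs:` in codeql-analysis.yml leaves `security-events` read-only, and a CodeQL analyze job normally needs write access to that scope to upload its results. The `analyze` job continues outside the hunk, so it may already carry its own block; if it does not, add a job-level `permissions:` with `security-events: write`, `contents: read` and `actions: read`, otherwise the upload step would presumably fail with a permissions error. A one-line comment beside that block saying why the write scope is needed would help later reviewers.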
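Review bot: The new `- uses: super-linter/super-linter@v6.3.0` line in lint.yml (like the existing `actions/checkout@v4.1.1`) references a tag, which can be moved upstream, while the job hands that action `GITHUB_TOKEN` with `statuses: write`. Pinning to the full commit SHA keeps the executed code fixed, e.g. `- uses: super-linter/super-linter@<full-commit-sha> # v6.3.0`, with the SHA taken from the upstream release. The job-level `permissions` block replaces the workflow-level `read-all` for this job rather than adding to it, which deserves a short comment such as `# job-level permissions override the workflow default; unlisted scopes are none`.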
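Review bot: `permissions: read-all` on a workflow triggered by `tags: ["*.*.*"]` makes the default token read-only for every job in release.yml, so any step that creates a GitHub release, uploads release assets or pushes packages with `GITHUB_TOKEN` needs an explicit job-level grant. The jobs are outside this hunk, so this cannot be confirmed from here; if such a step exists, add `permissions:` with `contents: write` (and `packages: write` only if packages are pushed) on that job alone. Steps that publish with a separately stored secret are not affected by this setting.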
diff --git a/.github/workflows/spell-check.yml b/.github/workflows/spell-check.yml
index 466b6d2c..782c188d 100644
--- a/.github/workflows/spell-check.yml
+++ b/.github/workflows/spell-check.yml
@@ -3,6 +3,7 @@ on:
 push:
 branches: [main, release-*]
 pull_request:
+permissions: read-all
 jobs:
 spell-check:
 runs-on: ubuntu-latest