Remove excessive permissions in GA (#76)

dftd3 · Jan 21, 2025 · 00303f0 · 00303f0
1 parent db5fa86
commit 00303f0
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 0 deletions.
diff --git a/.github/workflows/macos-arm.yaml b/.github/workflows/macos-arm.yaml
@@ -64,6 +64,9 @@ jobs:
           - python-version: "3.11"
             torch-version: "1.13.1"
 
+    permissions:
+      contents: read
+
     runs-on: ${{ matrix.os }}
 
     defaults:

diff --git a/.github/workflows/macos-x86.yaml b/.github/workflows/macos-x86.yaml
@@ -75,6 +75,9 @@ jobs:
           - python-version: "3.11"
             torch-version: "1.13.1"
 
+    permissions:
+      contents: read
+
     runs-on: ${{ matrix.os }}
 
     defaults:

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -29,7 +29,11 @@ on:
 
 jobs:
   wheel:
+    permissions:
+      contents: read
+
     runs-on: ubuntu-latest
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -45,7 +49,11 @@ jobs:
           path: dist/*.whl
 
   sdist:
+    permissions:
+      contents: read
+
     runs-on: ubuntu-latest
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -62,10 +70,15 @@ jobs:
 
   upload_test_pypi:
     needs: [sdist, wheel]
+
     runs-on: ubuntu-latest
+
     environment: release
+
     permissions:
+      contents: read
       id-token: write
+
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     steps:
       - name: Download build artifacts
@@ -81,10 +94,15 @@ jobs:
 
   upload_pypi:
     needs: [sdist, wheel, upload_test_pypi]
+
     runs-on: ubuntu-latest
+
     environment: release
+
     permissions:
+      contents: read
       id-token: write
+
     if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v')
     steps:
       - name: Download build artifacts

diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml
@@ -83,6 +83,9 @@ jobs:
 
     runs-on: ${{ matrix.os }}
 
+    permissions:
+      contents: read
+
     defaults:
       run:
         shell: bash {0}

diff --git a/.github/workflows/windows.yaml b/.github/workflows/windows.yaml
@@ -73,6 +73,9 @@ jobs:
           - python-version: "3.8"
             torch-version: "2.5.1"
 
+    permissions:
+      contents: read
+
     runs-on: ${{ matrix.os }}
 
     defaults: