diff --git a/.github/workflows/android-app.yml b/.github/workflows/android-app.yml index 93532d7acc88..5eedfb158a0b 100644 --- a/.github/workflows/android-app.yml +++ b/.github/workflows/android-app.yml @@ -49,6 +49,9 @@ on: # Build if main is updated to ensure up-to-date caches are available push: branches: [main] + +permissions: {} + jobs: prepare: name: Prepare diff --git a/.github/workflows/android-audit.yml b/.github/workflows/android-audit.yml index c0a0ca8f78b3..1f45285aeef2 100644 --- a/.github/workflows/android-audit.yml +++ b/.github/workflows/android-audit.yml @@ -21,6 +21,9 @@ on: description: Override container image type: string required: false + +permissions: {} + jobs: prepare: name: Prepare diff --git a/.github/workflows/android-kotlin-format-check.yml b/.github/workflows/android-kotlin-format-check.yml index 4eb6d54a0142..7fce9a108fe0 100644 --- a/.github/workflows/android-kotlin-format-check.yml +++ b/.github/workflows/android-kotlin-format-check.yml @@ -9,6 +9,9 @@ on: description: Override container image type: string required: false + +permissions: {} + jobs: prepare: name: Prepare diff --git a/.github/workflows/android-static-analysis.yml b/.github/workflows/android-static-analysis.yml index cc0fa5b62e34..a693740f4b49 100644 --- a/.github/workflows/android-static-analysis.yml +++ b/.github/workflows/android-static-analysis.yml @@ -13,6 +13,9 @@ on: # Github Actions enabled, so these don't go unnoticed. # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs - cron: '20 6 * * *' + +permissions: {} + jobs: mobsfscan: name: Code scanning using mobsfscan diff --git a/.github/workflows/android-xml-format-check.yml b/.github/workflows/android-xml-format-check.yml index d051cdbf894c..4c4a1db46269 100644 --- a/.github/workflows/android-xml-format-check.yml +++ b/.github/workflows/android-xml-format-check.yml 
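Review bot: The `permissions: {}` added above `jobs:` in android-app.yml carries no comment, although an empty mapping sets every configurable GITHUB_TOKEN scope to none, `contents: read` included, for each job that does not declare its own block. A one-line comment such as `# Deny all GITHUB_TOKEN scopes by default; grant per job where needed` would steer the next maintainer towards adding a job-level `permissions:` block rather than loosening this one. The same applies to the identical `permissions: {}` hunks in the other workflow files of this commit. The job bodies lie outside these hunks, so whether any job relies on a token scope cannot be confirmed from here.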
@@ -6,6 +6,9 @@ on: - .github/workflows/android-xml-format-check.yml - android/**/*.xml workflow_dispatch: + +permissions: {} + jobs: prepare: name: Prepare diff --git a/.github/workflows/cargo-audit.yml b/.github/workflows/cargo-audit.yml index 3eabcdb4e05c..e3f44a3b96cb 100644 --- a/.github/workflows/cargo-audit.yml +++ b/.github/workflows/cargo-audit.yml @@ -10,11 +10,13 @@ on: # At 06:20 UTC every day. Will create an issue if a CVE is found. - cron: '20 6 * * *' workflow_dispatch: + +permissions: + issues: write + jobs: audit: runs-on: ubuntu-latest - permissions: - issues: write steps: - name: Checkout repository uses: actions/checkout@v3 diff --git a/.github/workflows/cargo-vendor.yml b/.github/workflows/cargo-vendor.yml index 64bd08328f13..14d2da77903d 100644 --- a/.github/workflows/cargo-vendor.yml +++ b/.github/workflows/cargo-vendor.yml @@ -11,6 +11,9 @@ on: - Cargo.lock - '**/Cargo.toml' workflow_dispatch: + +permissions: {} + jobs: cargo-vendor: runs-on: ubuntu-latest diff --git a/.github/workflows/clippy.yml b/.github/workflows/clippy.yml index a922f647854f..55de67775339 100644 --- a/.github/workflows/clippy.yml +++ b/.github/workflows/clippy.yml @@ -7,6 +7,9 @@ on: - clippy.toml - '**/*.rs' workflow_dispatch: + +permissions: {} + jobs: prepare-android: name: Prepare Android container diff --git a/.github/workflows/daemon.yml b/.github/workflows/daemon.yml index 723d32c48752..e8e3ee1a7a3a 100644 --- a/.github/workflows/daemon.yml +++ b/.github/workflows/daemon.yml @@ -33,6 +33,9 @@ on: description: Override container image type: string required: false + +permissions: {} + jobs: prepare-linux: runs-on: ubuntu-latest diff --git a/.github/workflows/desktop-e2e.yml b/.github/workflows/desktop-e2e.yml index 93b79401a39f..580eb0c6ebcc 100644 --- a/.github/workflows/desktop-e2e.yml +++ b/.github/workflows/desktop-e2e.yml @@ -25,6 +25,9 @@ on: default: '' required: false type: string + +permissions: {} + jobs: prepare-matrices: name: Prepare virtual machines 
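Review bot: In cargo-audit.yml the `issues: write` grant moves from the `audit` job to the workflow level, so any job later added to this workflow inherits write access to issues by default. The other workflows in this commit get a top-level `permissions: {}`, and ios-end-to-end-tests-nightly.yml also keeps its job-level block. Following that pattern here, with `permissions: {}` at the top and `permissions:` / `issues: write` left under `audit:`, would keep the grant on the job that creates the issue. The hunks for ios-end-to-end-tests-api.yml and ios-end-to-end-tests-merge-to-main.yml hoist `contents: read`, `issues: write` and `pull-requests: write` in the same way, and would be tighter with the grant left on `reuse-e2e-workflow`. If each of these workflows has only the one job visible here, the effective permissions are unchanged today and the concern is the default for future jobs.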
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml index 92edc31599a5..fe498ef83f6f 100644 --- a/.github/workflows/frontend.yml +++ b/.github/workflows/frontend.yml @@ -8,6 +8,8 @@ on: - mullvad-management-interface/proto/** workflow_dispatch: +permissions: {} + jobs: check-frontend: strategy: diff --git a/.github/workflows/ios-end-to-end-tests-api.yml b/.github/workflows/ios-end-to-end-tests-api.yml index b3d789ae7932..d70ca2b2ec71 100644 --- a/.github/workflows/ios-end-to-end-tests-api.yml +++ b/.github/workflows/ios-end-to-end-tests-api.yml @@ -2,12 +2,14 @@ name: iOS end-to-end API tests on: workflow_dispatch: + +permissions: + contents: read + issues: write + pull-requests: write + jobs: reuse-e2e-workflow: - permissions: - contents: read - issues: write - pull-requests: write uses: ./.github/workflows/ios-end-to-end-tests.yml with: arg_tests_json_key: "api-tests" diff --git a/.github/workflows/ios-end-to-end-tests-merge-to-main.yml b/.github/workflows/ios-end-to-end-tests-merge-to-main.yml index be91e2789c48..738cd654f3bf 100644 --- a/.github/workflows/ios-end-to-end-tests-merge-to-main.yml +++ b/.github/workflows/ios-end-to-end-tests-merge-to-main.yml @@ -10,12 +10,14 @@ on: paths: - .github/workflows/ios-end-to-end-tests*.yml - ios/** + +permissions: + contents: read + issues: write + pull-requests: write + jobs: reuse-e2e-workflow: - permissions: - contents: read - issues: write - pull-requests: write uses: ./.github/workflows/ios-end-to-end-tests.yml with: arg_tests_json_key: "pr-merge-to-main" diff --git a/.github/workflows/ios-end-to-end-tests-nightly.yml b/.github/workflows/ios-end-to-end-tests-nightly.yml index 2408b3322f28..eeb7da51f797 100644 --- a/.github/workflows/ios-end-to-end-tests-nightly.yml +++ b/.github/workflows/ios-end-to-end-tests-nightly.yml 
@@ -9,6 +9,9 @@ on: # Github Actions enabled, so these don't go unnoticed. # https://docs.github.com/en/actions/monitoring-and-troubleshooting-workflows/notifications-for-workflow-runs - cron: '0 0 * * *' + +permissions: {} + jobs: reuse-e2e-workflow: permissions: diff --git a/.github/workflows/ios-screenshots-creation.yml b/.github/workflows/ios-screenshots-creation.yml index d4e1e28c5634..f6f9da06b328 100644 --- a/.github/workflows/ios-screenshots-creation.yml +++ b/.github/workflows/ios-screenshots-creation.yml @@ -9,6 +9,9 @@ on: - ios/Gemfile - ios/Gemfile.lock workflow_dispatch: + +permissions: {} + jobs: test: name: Take screenshots diff --git a/.github/workflows/ios-screenshots-tests.yml b/.github/workflows/ios-screenshots-tests.yml index 2c6b7341f0dd..7be181af626e 100644 --- a/.github/workflows/ios-screenshots-tests.yml +++ b/.github/workflows/ios-screenshots-tests.yml @@ -12,6 +12,9 @@ on: - ios/**/*.swift - ios/**/*.xctestplan workflow_dispatch: + +permissions: {} + jobs: test: if: github.event.pull_request.merged || github.event_name == 'workflow_dispatch' diff --git a/.github/workflows/ios-validate-build-schemas.yml b/.github/workflows/ios-validate-build-schemas.yml index 551cea16f32b..ae0610d3445f 100644 --- a/.github/workflows/ios-validate-build-schemas.yml +++ b/.github/workflows/ios-validate-build-schemas.yml @@ -14,6 +14,9 @@ on: - ios/**/*.xctestplan - Cargo.toml workflow_dispatch: + +permissions: {} + jobs: test: if: github.event.pull_request.merged == true diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml index 078ccf2d9e89..8c0468641f2e 100644 --- a/.github/workflows/ios.yml +++ b/.github/workflows/ios.yml @@ -9,6 +9,9 @@ on: - ios/**/*.swift - ios/**/*.xctestplan workflow_dispatch: + +permissions: {} + jobs: check-formatting: name: Check formatting diff --git a/.github/workflows/proto-format-check.yml b/.github/workflows/proto-format-check.yml index e88cb3b03d67..4ca95e744f4b 100644 
--- a/.github/workflows/proto-format-check.yml +++ b/.github/workflows/proto-format-check.yml @@ -5,6 +5,9 @@ on: paths: - '**/*.proto' workflow_dispatch: + +permissions: {} + jobs: check-formatting: runs-on: ubuntu-latest diff --git a/.github/workflows/rust-supply-chain.yml b/.github/workflows/rust-supply-chain.yml index 13c34a9842a1..51cd512cef61 100644 --- a/.github/workflows/rust-supply-chain.yml +++ b/.github/workflows/rust-supply-chain.yml @@ -9,6 +9,9 @@ on: - Cargo.lock - '**/*.rs' workflow_dispatch: + +permissions: {} + jobs: check-supply-chain: runs-on: ubuntu-latest diff --git a/.github/workflows/rust-unused-dependencies.yml b/.github/workflows/rust-unused-dependencies.yml index 414659bcb18a..3122ce5d03c9 100644 --- a/.github/workflows/rust-unused-dependencies.yml +++ b/.github/workflows/rust-unused-dependencies.yml @@ -11,6 +11,9 @@ on: env: # Pinning nightly just to avoid random breakage. It's fine to bump this at any time RUST_NIGHTLY_TOOLCHAIN: nightly-2024-06-06 + +permissions: {} + jobs: prepare-containers: runs-on: ubuntu-latest diff --git a/.github/workflows/rustfmt.yml b/.github/workflows/rustfmt.yml index 2968efdf4971..19c7b5331d30 100644 --- a/.github/workflows/rustfmt.yml +++ b/.github/workflows/rustfmt.yml @@ -7,6 +7,9 @@ on: - rustfmt.toml - '**/*.rs' workflow_dispatch: + +permissions: {} + jobs: check-formatting: runs-on: ubuntu-latest diff --git a/.github/workflows/testframework-clippy.yml b/.github/workflows/testframework-clippy.yml index 8f2b8f63f7ca..af0bac1aaac0 100644 --- a/.github/workflows/testframework-clippy.yml +++ b/.github/workflows/testframework-clippy.yml @@ -8,6 +8,9 @@ on: - .github/workflows/clippy-test.yml - clippy.toml workflow_dispatch: + +permissions: {} + jobs: clippy-check-test: name: Clippy linting of test workspace diff --git a/.github/workflows/testframework-rust-supply-chain.yml b/.github/workflows/testframework-rust-supply-chain.yml index 2a7a7fa44f7e..3e09ee5ed2b6 100644 
--- a/.github/workflows/testframework-rust-supply-chain.yml +++ b/.github/workflows/testframework-rust-supply-chain.yml @@ -9,6 +9,9 @@ on: - 'test/**/Cargo.lock' - 'test/**/*.rs' workflow_dispatch: + +permissions: {} + jobs: check-test-framework-supply-chain: runs-on: ubuntu-latest diff --git a/.github/workflows/testframework-rustfmt.yml b/.github/workflows/testframework-rustfmt.yml index 8889653183b9..78045fc7442d 100644 --- a/.github/workflows/testframework-rustfmt.yml +++ b/.github/workflows/testframework-rustfmt.yml @@ -8,6 +8,9 @@ on: - .github/workflows/rustfmt-test.yml - rustfmt.toml workflow_dispatch: + +permissions: {} + jobs: check-formatting-test: runs-on: ubuntu-latest diff --git a/.github/workflows/testframework.yml b/.github/workflows/testframework.yml index 9e4782cc99e5..8b8e7759d55e 100644 --- a/.github/workflows/testframework.yml +++ b/.github/workflows/testframework.yml @@ -26,6 +26,9 @@ on: - '!.yamllint' - '!**/osv-scanner.toml' workflow_dispatch: + +permissions: {} + jobs: prepare-build-test-framework-linux: runs-on: ubuntu-latest diff --git a/.github/workflows/translations-converter.yml b/.github/workflows/translations-converter.yml index 4cb65d3d4f4b..15023f973c4c 100644 --- a/.github/workflows/translations-converter.yml +++ b/.github/workflows/translations-converter.yml @@ -6,6 +6,9 @@ on: - .github/workflows/translations-converter.yml - android/translations-converter/** workflow_dispatch: + +permissions: {} + jobs: check-translations: runs-on: ubuntu-latest diff --git a/.github/workflows/translations.yml b/.github/workflows/translations.yml index 136b0a2f03f8..2aacd840ec43 100644 --- a/.github/workflows/translations.yml +++ b/.github/workflows/translations.yml @@ -10,6 +10,9 @@ on: - gui/** - '!**/osv-scanner.toml' workflow_dispatch: + +permissions: {} + jobs: check-translations: runs-on: ubuntu-latest