From 35e8ac9009c28cd35304da0d81841b1ed9bd2c11 Mon Sep 17 00:00:00 2001
From: Joyce
Date: Mon, 18 Sep 2023 09:19:13 -0300
Subject: [PATCH] Set Token Permissions on GitHub workflows (#1858)

---
 .github/workflows/api.yml | 3 +++
 .github/workflows/benchmarks.yml | 5 +++++
 .github/workflows/build.yml | 3 +++
 .github/workflows/release.note.yml | 6 ++++++
 .github/workflows/release.yml | 5 +++++
 .github/workflows/reviewdog.yml | 15 +++++++++++++++
 6 files changed, 37 insertions(+)

diff --git a/.github/workflows/api.yml b/.github/workflows/api.yml
index bff6f57ca..19c3f6d70 100644
--- a/.github/workflows/api.yml
+++ b/.github/workflows/api.yml
@@ -7,6 +7,9 @@ on:
 schedule:
 - cron: "0 12 * * *"
 
+permissions:
+ contents: read
+
 jobs:
 macos:
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
index 9ed296a72..58c5b50c2 100644
--- a/.github/workflows/benchmarks.yml
+++ b/.github/workflows/benchmarks.yml
@@ -5,6 +5,9 @@ on:
 branches:
 - master
 
+permissions:
+ contents: read
+
 jobs:
 macos:
 if: github.repository == 'tensorflow/io' # Don't do this in forks
@@ -47,6 +50,8 @@ jobs:
 if: github.repository == 'tensorflow/io' # Don't do this in forks
 name: Linux ${{ matrix.python }} + ${{ matrix.version }}
 runs-on: ubuntu-20.04
+ permissions:
+ contents: write # to allow sending a commit comment for the benchmark action
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 60b50f221..6cf5e4699 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,6 +8,9 @@ on:
 branches:
 - master
 
+permissions:
+ contents: read
+
 env:
 REPO_NAME: ${{ github.repository }}
 EVENT_NAME: ${{ github.event_name }}
diff --git a/.github/workflows/release.note.yml b/.github/workflows/release.note.yml
index 40386b5b5..ec65c10d3 100644
--- a/.github/workflows/release.note.yml
+++ b/.github/workflows/release.note.yml
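Review bot: The job-level `contents: write` on the Linux benchmark job (hunk `@@ -47,6 +50,8 @@`) gives the job token push access for every step of the job, not only the step that posts the commit comment, because GitHub Actions has no step-level permissions. The `if: github.repository == 'tensorflow/io'` guard stops forks from running it, but each third-party action and `run:` step in this job (the steps and the job header lie outside the hunk) now runs with a token that can push to the repository. If the benchmark action's commit-comment feature can be turned off (its inputs are not visible here), dropping this block and inheriting the workflow's `contents: read` is the smaller surface; otherwise the comment should say what the grant really covers, e.g. `contents: write # commit comments need this; it also lets every step in this job push, so keep the actions here pinned`.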
@@ -5,8 +5,14 @@ on:
 branches:
 - master
 
+permissions:
+ contents: read
+
 jobs:
 release-note:
+ permissions:
+ contents: write # for peter-evans/create-pull-request to create branch
+ pull-requests: write # for peter-evans/create-pull-request to create a PR
 name: README.md
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d7127e0de..53a79ad3f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,8 +10,13 @@ on:
 description: "Commit (e.g., 92b44e1)"
 required: true
 
+permissions:
+ contents: read
+
 jobs:
 release:
+ permissions:
+ contents: write
 name: Release
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
index 1db0308b7..d0fe77100 100644
--- a/.github/workflows/reviewdog.yml
+++ b/.github/workflows/reviewdog.yml
@@ -5,8 +5,14 @@ on:
 branches:
 - master
 
+permissions:
+ contents: read
+
 jobs:
 bazel:
+ permissions:
+ checks: write # for reviewdog/action-suggester to report issues using checks
+ contents: read # for actions/checkout to fetch code
 name: Bazel Buildifier
 runs-on: ubuntu-20.04
 steps:
@@ -16,6 +22,9 @@ jobs:
 bazel run -s --verbose_failures --experimental_repo_remote_exec //tools/lint:lint -- bazel
 - uses: reviewdog/action-suggester@v1
 black:
+ permissions:
+ checks: write # for reviewdog/action-suggester to report issues using checks
+ contents: read # for actions/checkout to fetch code
 name: Python Black
 runs-on: ubuntu-20.04
 steps:
@@ -25,6 +34,9 @@ jobs:
 bazel run -s --verbose_failures --experimental_repo_remote_exec //tools/lint:lint -- black
 - uses: reviewdog/action-suggester@v1
 clang:
+ permissions:
+ checks: write # for reviewdog/action-suggester to report issues using checks
+ contents: read # for actions/checkout to fetch code
 name: Clang Format
 runs-on: ubuntu-20.04
 steps:
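Review bot: The `contents: write` / `pull-requests: write` grant on the `release-note` job is the documented minimum for peter-evans/create-pull-request, but a pull request opened with the job's own `GITHUB_TOKEN` does not trigger `pull_request` workflows, so the README PR this job creates will not be checked by the other workflows in this commit unless a separate token is used. That is a known limitation rather than a defect, and it is worth recording next to the grant, e.g. `pull-requests: write # for peter-evans/create-pull-request to create a PR (PRs opened with GITHUB_TOKEN do not trigger pull_request workflows)`. Unlike the benchmark job, no `if: github.repository == ...` guard is visible here; the job's steps are outside the hunk, so whether one exists cannot be confirmed from this diff.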
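Review bot: The job-level `contents: write` on the `release` job (hunk `@@ -10,8 +10,13 @@`) is the only grant in this commit with no justification comment, while every other job-level grant names the action that needs it. Since `contents: write` is the broadest of the scopes added here and this workflow runs from a manually supplied commit input, the line should follow the same convention, e.g. `contents: write # for <release step, placeholder> to create the GitHub release and upload assets`, with the placeholder replaced by the step that actually needs it (the job's steps are outside the hunk).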
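Review bot: The same three-line `permissions:` block is repeated verbatim on the `bazel` job and again on `black` (`@@ -16,6 +22,9 @@`), `clang` (`@@ -25,6 +34,9 @@`) and `pyupgrade` (`@@ -34,6 +46,9 @@`, next line); since every job in this workflow ends up with `checks: write` plus `contents: read`, a single workflow-level block of `permissions:` / `  checks: write` / `  contents: read` expresses the same policy with no risk of the four copies drifting apart. Separately, the comment states that action-suggester reports "using checks", but that action can also post suggestions as pull-request review comments, which needs `pull-requests: write` rather than `checks: write`; the reporter setting is on the steps outside these hunks, so confirm which one is in use before relying on `checks: write` alone. The enclosing job definitions start and end outside each hunk.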
@@ -34,6 +46,9 @@ jobs:
 bazel run -s --verbose_failures --experimental_repo_remote_exec //tools/lint:lint -- clang
 - uses: reviewdog/action-suggester@v1
 pyupgrade:
+ permissions:
+ checks: write # for reviewdog/action-suggester to report issues using checks
+ contents: read # for actions/checkout to fetch code
 name: Python Pyupgrade
 runs-on: ubuntu-20.04
 steps: