ICU-22350 Add minimal tokens to GitHub workflows

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>
2025-04-06 22:15:31 +00:00 · 2023-04-12 14:38:16 +00:00 · 2023-04-12 14:38:16 +00:00 · 2e3e49fed5
commit 2e3e49fed5
parent e2fde33b4b
7 changed files with 22 additions and 3 deletions
--- a/.github/workflows/cache_retain.yml
+++ b/.github/workflows/cache_retain.yml
@ -26,6 +26,9 @@ on:
    # this cron schedule is set to run every 6 days to ensure retention
    - cron: '0 12 */6 * *'

+permissions:
+  contents: read
+
 jobs:
  retain-maven-cache:
    name: Run all tests with Maven
--- a/.github/workflows/icu_ci.yml
+++ b/.github/workflows/icu_ci.yml
@ -13,6 +13,9 @@ on:
  pull_request:
    branches: '**'

+permissions:
+  contents: read
+
 jobs:

  # ICU4C docs build using doxygen..
--- a/.github/workflows/icu_envtest.yml
+++ b/.github/workflows/icu_envtest.yml
@ -15,6 +15,9 @@ on:
    # This cron schedule is set to run 10:23 UTC every SAT
    - cron: '23 10 * * SAT'

+permissions:
+  contents: read
+
 jobs:
  #=================================================================
  # locale env tests.
--- a/.github/workflows/icu_merge_ci.yml
+++ b/.github/workflows/icu_merge_ci.yml
@ -11,6 +11,9 @@ on:
      - main	
      - 'maint/maint*'

+permissions:
+  contents: read
+
 jobs:

  # Test ICU4J with little-endian ICU4C data only
--- a/.github/workflows/icu_valgrind.yml
+++ b/.github/workflows/icu_valgrind.yml
@ -14,6 +14,9 @@ on:
  pull_request:
    branches: '**'

+permissions:
+  contents: read
+
 jobs:
  clang-valgrind-test:
    runs-on: ubuntu-20.04
--- a/.github/workflows/jekyll-gh-pages.yml
+++ b/.github/workflows/jekyll-gh-pages.yml
@ -21,11 +21,8 @@ on:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
  contents: read
-  pages: write
-  id-token: write

 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@ -67,6 +64,9 @@ jobs:

  # Deployment job
  deploy:
+    permissions:
+      pages: write # to deploy to Pages
+      id-token: write # to verify the deployment originates from an appropriate source
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
--- a/.github/workflows/maven.yaml
+++ b/.github/workflows/maven.yaml
@ -2,6 +2,10 @@ name: Publish icu4j.jar/utilities.jar to GH Maven
 on:
  release:
    types: [created]
+
+permissions:
+  contents: read
+
 jobs:
  publish:
    runs-on: ubuntu-latest