From 2e3e49fed507108933c8b8ec07be2116b0722ecb Mon Sep 17 00:00:00 2001 From: Pedro Kaj Kjellerup Nacht Date: Wed, 12 Apr 2023 14:38:16 +0000 Subject: [PATCH] ICU-22350 Add minimal tokens to GitHub workflows Signed-off-by: Pedro Kaj Kjellerup Nacht --- .github/workflows/cache_retain.yml | 3 +++ .github/workflows/icu_ci.yml | 3 +++ .github/workflows/icu_envtest.yml | 3 +++ .github/workflows/icu_merge_ci.yml | 3 +++ .github/workflows/icu_valgrind.yml | 3 +++ .github/workflows/jekyll-gh-pages.yml | 6 +++--- .github/workflows/maven.yaml | 4 ++++ 7 files changed, 22 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cache_retain.yml b/.github/workflows/cache_retain.yml index d8039efdce3..ca1c483831d 100644 --- a/.github/workflows/cache_retain.yml +++ b/.github/workflows/cache_retain.yml @@ -26,6 +26,9 @@ on: # this cron schedule is set to run every 6 days to ensure retention - cron: '0 12 */6 * *' +permissions: + contents: read + jobs: retain-maven-cache: name: Run all tests with Maven diff --git a/.github/workflows/icu_ci.yml b/.github/workflows/icu_ci.yml index eb644b62452..edf1dac0082 100644 --- a/.github/workflows/icu_ci.yml +++ b/.github/workflows/icu_ci.yml @@ -13,6 +13,9 @@ on: pull_request: branches: '**' +permissions: + contents: read + jobs: # ICU4C docs build using doxygen.. diff --git a/.github/workflows/icu_envtest.yml b/.github/workflows/icu_envtest.yml index 01c2df05839..5ef85e3cb03 100644 --- a/.github/workflows/icu_envtest.yml +++ b/.github/workflows/icu_envtest.yml @@ -15,6 +15,9 @@ on: # This cron schedule is set to run 10:23 UTC every SAT - cron: '23 10 * * SAT' +permissions: + contents: read + jobs: #================================================================= # locale env tests. diff --git a/.github/workflows/icu_merge_ci.yml b/.github/workflows/icu_merge_ci.yml index cd2e139fea3..2eabb39a2a2 100644 --- a/.github/workflows/icu_merge_ci.yml +++ b/.github/workflows/icu_merge_ci.yml 
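Review bot: The new `permissions:` block in cache_retain.yml (and the identical ones in icu_ci.yml, icu_envtest.yml, icu_merge_ci.yml and icu_valgrind.yml) carries no comment, so a later editor may not realize that declaring any scope sets every undeclared scope to none and that a job needing more must request it at job level. A one-line comment above each block would preserve the intent: `# Default GITHUB_TOKEN is read-only; jobs that need a write scope must declare it at job level.` The jobs of these workflows lie outside the hunks, so whether any of them relied on a default write scope (for example pull-requests: write for commenting on a PR) cannot be confirmed here and is worth a check before merging.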
@@ -11,6 +11,9 @@ on: - main - 'maint/maint*' +permissions: + contents: read + jobs: # Test ICU4J with little-endian ICU4C data only diff --git a/.github/workflows/icu_valgrind.yml b/.github/workflows/icu_valgrind.yml index 68bfb755eb7..ed9536d6f12 100644 --- a/.github/workflows/icu_valgrind.yml +++ b/.github/workflows/icu_valgrind.yml @@ -14,6 +14,9 @@ on: pull_request: branches: '**' +permissions: + contents: read + jobs: clang-valgrind-test: runs-on: ubuntu-20.04 diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml index cc2b9d52d30..a10578303e4 100644 --- a/.github/workflows/jekyll-gh-pages.yml +++ b/.github/workflows/jekyll-gh-pages.yml @@ -21,11 +21,8 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read - pages: write - id-token: write # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. @@ -67,6 +64,9 @@ jobs: # Deployment job deploy: + permissions: + pages: write # to deploy to Pages + id-token: write # to verify the deployment originates from an appropriate source environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} diff --git a/.github/workflows/maven.yaml b/.github/workflows/maven.yaml index 3542484ada5..0ad8a70fb3e 100644 --- a/.github/workflows/maven.yaml +++ b/.github/workflows/maven.yaml @@ -2,6 +2,10 @@ name: Publish icu4j.jar/utilities.jar to GH Maven on: release: types: [created] + +permissions: + contents: read + jobs: publish: runs-on: ubuntu-latest
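Review bot: Dropping the `# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages` comment leaves the workflow-level `permissions:` block in jekyll-gh-pages.yml unexplained, and the block now does the opposite of what the old comment described. Suggest replacing the comment rather than removing it: `# Workflow-wide baseline is a read-only GITHUB_TOKEN; the deploy job requests pages/id-token write itself.`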
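Review bot: A job-level `permissions:` block replaces the workflow-level one entirely, so the deploy job in jekyll-gh-pages.yml now receives only `pages: write` and `id-token: write`; `contents: read` is no longer granted to it, because every scope not listed at job level becomes none. That is sufficient for actions/deploy-pages, which does not read repository contents, but if the deploy job also performs a checkout (its steps are outside the hunk) that step will fail, and `contents: read` should then be added to this block. The inline comments on the two scopes are worth keeping as-is.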
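Review bot: Declaring `contents: read` at workflow level in maven.yaml sets the `packages` scope of GITHUB_TOKEN to none, yet the workflow's stated purpose is publishing to GitHub Packages, which needs `packages: write` when that token is used. If the Maven deploy step authenticates with GITHUB_TOKEN (the steps are outside the hunk), add a job-level block under `publish:`: `permissions:` / `  contents: read` / `  packages: write`. If it authenticates with a separate secret instead, a comment saying so next to the workflow-level block would save the next reader the same question.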