Scorecard: Delcare default permissions as read only except CodeQL.

2025-02-14 20:31:56 +00:00 · 2023-01-10 21:55:06 +08:00 · 2023-01-10 21:55:06 +08:00 · badf33c544
commit badf33c544
parent d34085615b
4 changed files with 17 additions and 7 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -3,6 +3,9 @@ name: "CodeQL"
 # @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
 on: [push, pull_request]

+# See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions: write-all
+
 jobs:
  analyze:
    name: actions-codeql-analyze
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -6,6 +6,9 @@ on:
    tags:
      - v6*

+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
  envs:
    name: envs
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@ -2,7 +2,8 @@
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.

-name: Scorecard supply-chain security
+name: Scorecard
+
 on:
  # For Branch-Protection check. Only the default branch is supported. See
  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
@ -58,12 +59,12 @@ jobs:

      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
      # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
-        with:
-          name: SARIF file
-          path: results.sarif
-          retention-days: 5
+      #- name: "Upload artifact"
+      #  uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+      #  with:
+      #    name: SARIF file
+      #    path: results.sarif
+      #    retention-days: 5

      # Upload the results to GitHub's code scanning dashboard.
      - name: "Upload to code-scanning"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -3,6 +3,9 @@ name: "Test"
 # @see https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#onpushpull_requestbranchestags
 on: [push, pull_request]

+# Declare default permissions as read only.
+permissions: read-all
+
 # The dependency graph:
 # test(6m)
 # multiple-arch-armv7(13m)