From feec9c5f1dc7869a4ec6fb09c6203f6ccff64573 Mon Sep 17 00:00:00 2001
From: Elliott Sales de Andrade
Date: Thu, 1 Dec 2022 19:02:40 -0500
Subject: [PATCH] Add explicit permissions to GitHub Actions

Also update the CircleCI check to the action's latest recommended jobs.
---
 .circleci/config.yml                | 2 ++
 .github/workflows/cibuildsdist.yml  | 4 ++++
 .github/workflows/cibuildwheel.yml  | 4 ++++
 .github/workflows/circleci.yml      | 8 ++++++++
 .github/workflows/clean_pr.yml      | 4 ++++
 .github/workflows/conflictcheck.yml | 4 ++++
 .github/workflows/nightlies.yml     | 3 +++
 .github/workflows/pr_welcome.yml    | 4 ++++
 .github/workflows/reviewdog.yml     | 6 ++++++
 .github/workflows/tests.yml         | 9 +++++++--
 10 files changed, 46 insertions(+), 2 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index bd139de68890..27fa3de84243 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -229,4 +229,6 @@ workflows:
   version: 2
   build:
     jobs:
+      # NOTE: If you rename this job, then you must update the `if` condition
+      # and `circleci-jobs` option in `.github/workflows/circleci.yml`.
       - docs-python38
diff --git a/.github/workflows/cibuildsdist.yml b/.github/workflows/cibuildsdist.yml
index 47fe4029de18..d583fe1cfbcb 100644
--- a/.github/workflows/cibuildsdist.yml
+++ b/.github/workflows/cibuildsdist.yml
@@ -1,3 +1,4 @@
+---
 name: Build CI sdist and wheel
 
 on:
@@ -17,6 +18,9 @@ on:
       - reopened
       - labeled
 
+permissions:
+  contents: read
+
 jobs:
   build_sdist:
     if: |
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
index 8cf83738a32c..825d72580c47 100644
--- a/.github/workflows/cibuildwheel.yml
+++ b/.github/workflows/cibuildwheel.yml
@@ -1,3 +1,4 @@
+---
 name: Build CI wheels
 
 on:
@@ -17,6 +18,9 @@ on:
       - reopened
       - labeled
 
+permissions:
+  contents: read
+
 jobs:
   build_wheels:
     if: |
diff --git a/.github/workflows/circleci.yml b/.github/workflows/circleci.yml
index 5c1c2c60331f..85e25f9c03ae 100644
--- a/.github/workflows/circleci.yml
+++ b/.github/workflows/circleci.yml
@@ -1,7 +1,11 @@
+---
 on: [status]
+permissions:
+  statuses: write
 jobs:
   circleci_artifacts_redirector_job:
     runs-on: ubuntu-latest
+    if: "${{ github.event.context == 'ci/circleci: docs-python38' }}"
     name: Run CircleCI artifacts redirector
     steps:
       - name: GitHub Action step
@@ -11,3 +15,7 @@ jobs:
           artifact-path: 0/doc/build/html/index.html
           circleci-jobs: docs-python38
           job-title: View the built docs
+      - name: Check the URL
+        if: github.event.status != 'pending'
+        run: |
+          curl --fail ${{ steps.step1.outputs.url }} | grep $GITHUB_SHA
diff --git a/.github/workflows/clean_pr.yml b/.github/workflows/clean_pr.yml
index f807ccf8506c..5ee1279cc7b2 100644
--- a/.github/workflows/clean_pr.yml
+++ b/.github/workflows/clean_pr.yml
@@ -1,6 +1,10 @@
+---
 name: PR cleanliness
 on: [pull_request]
 
+permissions:
+  contents: read
+
 jobs:
   pr_clean:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/conflictcheck.yml b/.github/workflows/conflictcheck.yml
index 3593fafdedee..3bc9ea74a132 100644
--- a/.github/workflows/conflictcheck.yml
+++ b/.github/workflows/conflictcheck.yml
@@ -1,3 +1,4 @@
+---
 name: "Maintenance"
 on:
   # So that PRs touching the same files as the push are updated
@@ -8,6 +9,9 @@ on:
   pull_request_target:
     types: [synchronize]
 
+permissions:
+  pull-requests: write
+
 jobs:
   main:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml
index f7f12451be3b..5b96912a011a 100644
--- a/.github/workflows/nightlies.yml
+++ b/.github/workflows/nightlies.yml
@@ -7,6 +7,9 @@ on:
   # Run on demand with workflow dispatch
   workflow_dispatch:
 
+permissions:
+  actions: read
+
 jobs:
   upload_nightly_wheels:
     name: Upload nightly wheels to Anaconda Cloud
diff --git a/.github/workflows/pr_welcome.yml b/.github/workflows/pr_welcome.yml
index 1e2627c911af..cfac27eb4a88 100644
--- a/.github/workflows/pr_welcome.yml
+++ b/.github/workflows/pr_welcome.yml
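Review bot: The new `Check the URL` step in the second circleci.yml hunk reads `steps.step1.outputs.url`, but the hunk numbering leaves only old lines 8–10 between `- name: GitHub Action step` and `artifact-path:` (presumably `uses:`, `with:` and `repo-token:`), so the first step does not appear to carry `id: step1`; if it does not, the expression expands to an empty string and `curl --fail` is invoked with no URL, so the step fails on every non-pending status rather than verifying the built docs. If that is the case, add `id: step1` to the first step. Separately, splicing `${{ ... }}` straight into `run:` inlines the value into the shell script; routing it through `env:` (`URL: ${{ steps.step1.outputs.url }}`) and quoting both variables (`curl --fail "$URL" | grep "$GITHUB_SHA"`) keeps workflow-expression substitution out of the script text, which is the pattern GitHub recommends for shell steps. The job definition begins in the previous hunk, so the step's `id` cannot be confirmed from this one.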
@@ -1,7 +1,11 @@
+---
 name: PR Greetings
 
 on: [pull_request_target]
 
+permissions:
+  pull-requests: write
+
 jobs:
   greeting:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
index 4528c39234c9..cd862f11f1d6 100644
--- a/.github/workflows/reviewdog.yml
+++ b/.github/workflows/reviewdog.yml
@@ -1,6 +1,12 @@
+---
 name: Linting
 on: [pull_request]
 
+permissions:
+  contents: read
+  checks: write
+  pull-requests: write
+
 jobs:
   flake8:
     name: flake8
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index b3314f08e26e..6798669c6ed6 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -1,3 +1,4 @@
+---
 name: Tests
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.number }}-${{ github.event.ref }}
@@ -25,6 +26,8 @@ env:
 jobs:
   test:
     if: "github.event_name == 'workflow_dispatch' || github.repository == 'matplotlib/matplotlib' && !contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.head_commit.message, '[skip github]')"
+    permissions:
+      contents: read
     name: "Python ${{ matrix.python-version }} on ${{ matrix.os }} ${{ matrix.name-suffix }}"
     runs-on: ${{ matrix.os }}
 
@@ -285,9 +288,11 @@ jobs:
 
   # Separate dependent job to only upload one issue from the matrix of jobs
   create-issue:
-    runs-on: ubuntu-latest
-    needs: [test]
     if: ${{ failure() && github.event_name == 'schedule' }}
+    needs: [test]
+    permissions:
+      issues: write
+    runs-on: ubuntu-latest
     name: "Create issue on failure"
     steps:
pFad - Phonifier reborn
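Review bot: tests.yml sets `permissions` only per job, on `test` (second hunk) and `create-issue` (third hunk), while every other workflow in this commit also adds a workflow-level block; without one, any job added to tests.yml later without its own `permissions` falls back to the repository's default token scope instead of the read-only baseline the commit is establishing. Adding `permissions:` / `  contents: read` at the top level (for example after the `concurrency:` block touched in the first hunk) and keeping `issues: write` on `create-issue` makes the least-privilege default explicit in this file as well. The bodies of both jobs continue outside the hunks shown.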