GH: explicitly set permissions in workflows master
authorAndrew Clayton <a.clayton@nginx.com>
Wed, 10 Jun 2026 04:52:46 +0000 (05:52 +0100)
committerAndrew Clayton <a.clayton@nginx.com>
Tue, 30 Jun 2026 18:36:43 +0000 (19:36 +0100)
These will override the default repo/org GITHUB_TOKEN scope.

.github/workflows/buildbot.yml
.github/workflows/check-commit-message.yaml
.github/workflows/check-pr.yml
.github/workflows/check-version-bump.yaml
.github/workflows/check-whitespace.yaml

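--- a/.github/workflows/buildbot.yml
+++ b/.github/workflows/buildbot.yml
@@ -6,6 +6,9 @@ on:
       - master
       - 'stable-1.*'
 
+permissions:
+  contents: read
+
 jobs:
   buildbot:
     uses: nginx/ci-self-hosted/.github/workflows/nginx-buildbot.yml@main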
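Review bot: The `permissions` block added above `jobs:` becomes the ceiling for the token handed to the called workflow, but `uses: nginx/ci-self-hosted/.github/workflows/nginx-buildbot.yml@main` still resolves to whatever `main` holds at run time, so the code that receives the token can change without a commit in this repository. Pinning the reference to a full commit SHA (`...nginx-buildbot.yml@<full-commit-sha>`) would keep the reviewed permission set tied to reviewed code. The same applies to the `nginx-check-pr.yml@main` reference in check-pr.yml. A comment over the block such as `# Ceiling for the called workflow; scopes not listed are none.` would also help the next reader.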
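--- a/.github/workflows/check-commit-message.yaml
+++ b/.github/workflows/check-commit-message.yaml
@@ -7,6 +7,9 @@ on:
   pull_request:
     types: [ opened, synchronize ]
 
+permissions:
+  contents: read
+
 jobs:
   check-commit-messages:
     runs-on: ubuntu-24.04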
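Review bot: The new `permissions:` block has no comment, and its side effect is easy to miss: once any scope is listed, every scope not listed is set to `none` for GITHUB_TOKEN, so a later step that needs to write a check or a comment will fail until the scope is added here. I would add `# Least privilege: scopes not listed below are set to none.` above `permissions:`. The same comment fits the identical blocks in check-version-bump.yaml and check-whitespace.yaml. The job steps are outside the hunk, so whether `contents: read` is the minimum they need cannot be confirmed from here.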
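--- a/.github/workflows/check-pr.yml
+++ b/.github/workflows/check-pr.yml
@@ -3,6 +3,10 @@ name: check-pr
 on:
   pull_request:
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   check-pr:
     uses: nginx/ci-self-hosted/.github/workflows/nginx-check-pr.yml@main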
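--- a/.github/workflows/check-version-bump.yaml
+++ b/.github/workflows/check-version-bump.yaml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [ opened, synchronize ]
 
+permissions:
+  contents: read
+
 jobs:
   check-version-bump:
     runs-on: ubuntu-24.04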
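--- a/.github/workflows/check-whitespace.yaml
+++ b/.github/workflows/check-whitespace.yaml
@@ -6,6 +6,9 @@ on:
   pull_request:
     types: [ opened, synchronize ]
 
+permissions:
+  contents: read
+
 jobs:
   check-whitespace:
     runs-on: ubuntu-24.04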