From a0d0bf9bc193fb20ced207cd5671235ad5dd0053 Mon Sep 17 00:00:00 2001
From: MacOS
Date: Thu, 20 Mar 2025 13:24:05 +0100
Subject: [PATCH 1/4] build(continuous-integration): add top level permission to restrict GITHUB_TOKEN
---
 .github/workflows/continuous-integration.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 817d598..0e3232a 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -23,6 +23,10 @@ on:
 - '**/*.swift'
+permissions:
+ contents: read
+
+
 jobs:
 swift-lint:

From c6be37a282ce95e7025365078460f5977e6ed7f7 Mon Sep 17 00:00:00 2001
From: MacOS
Date: Thu, 20 Mar 2025 13:24:26 +0100
Subject: [PATCH 2/4] build(reuse-compliance): add top level permission to restrict GITHUB_TOKEN
---
 .github/workflows/reuse-compliance.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
index 7f13dd7..34f049e 100644
--- a/.github/workflows/reuse-compliance.yml
+++ b/.github/workflows/reuse-compliance.yml
@@ -7,6 +7,10 @@ name: REUSE Compliance Check
 on: [push, pull_request]
+permissions:
+ contents: read
+
+
 jobs:
 test-reuse-compliance:
 runs-on: ubuntu-22.04

From 52383793178f2f06ed1273c7a81a9bffe7e569a1 Mon Sep 17 00:00:00 2001
From: MacOS
Date: Thu, 20 Mar 2025 13:24:49 +0100
Subject: [PATCH 3/4] build(oss-review-toolkit): add top level permission to restrict GITHUB_TOKEN
---
 .github/workflows/oss-review-toolkit.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/oss-review-toolkit.yml b/.github/workflows/oss-review-toolkit.yml
index 472ae55..0acdc99 100644
--- a/.github/workflows/oss-review-toolkit.yml
+++ b/.github/workflows/oss-review-toolkit.yml
@@ -17,6 +17,10 @@ on:
 - cron: '30 1 1 * *'
+permissions:
+ contents: read
+
+
 jobs:
 oss-review-toolkit:
 runs-on: ubuntu-24.04
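Review bot: The top-level `permissions: contents: read` added in this hunk sets every other scope of the default token to none for all jobs in the workflow, and `swift-lint` (whose body starts after the hunk) is not given a job-level block; if any of its steps needs more than repository read, for example posting check annotations or writing to a pull request, it must now declare its own `permissions:` at the job level, because a job-level block replaces the workflow-level set rather than extending it. The same check applies to `test-reuse-compliance` in reuse-compliance.yml and `oss-review-toolkit` in oss-review-toolkit.yml, which the next two commits change identically. As a point of style, each of these three hunks inserts two blank lines after `contents: read` (the two bare `+` lines before `jobs:`), while the openssf-scorecard.yml commit in the same series inserts one; dropping the second `+` line in each would keep the four workflows consistent.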
From 5e070784332abfbde9f84412bcac4a728b73748c Mon Sep 17 00:00:00 2001
From: MacOS
Date: Thu, 20 Mar 2025 13:25:11 +0100
Subject: [PATCH 4/4] build(openssf-scorecard): add new top level permission syntax to restrict GITHUB_TOKEN so to be consistent with the others
---
 .github/workflows/openssf-scorecard.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
index 8c4b41c..ca69eb8 100644
--- a/.github/workflows/openssf-scorecard.yml
+++ b/.github/workflows/openssf-scorecard.yml
@@ -22,7 +22,10 @@ on:
 # Weekly on Saturdays.
 - cron: '30 1 * * 6'
-permissions: read-all
+
+permissions:
+ contents: read
+
 jobs:
 analysis:
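Review bot: Replacing `permissions: read-all` with `contents: read` narrows the workflow's default token from read on every scope to read on the repository only, and the `analysis:` job that follows begins outside the hunk, so it is not visible here whether it carries its own `permissions:` block. A scorecard job presumably already declares one with the write scopes it needs (`security-events: write`, `id-token: write`), since no top-level read-only set could grant those; if so, that block replaces the top-level one for the job and this narrowing is harmless, but confirm it also lists any read scope the job previously relied on from `read-all` (for instance `actions: read`), because nothing is inherited from the top level once a job-level block is present. A short comment above the new block, such as `# Default for jobs without their own permissions block; analysis declares what the scorecard action needs`, would record that intent for the next person who touches the file.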