From 11cd1080958dc17c36857f1a6d5d9e705f144440 Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 26 Sep 2022 13:46:34 +0200
Subject: [PATCH 1/3] build: harden nightly-Homebrew-build.yml permissions
Signed-off-by: Alex
---
.github/workflows/nightly-Homebrew-build.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/nightly-Homebrew-build.yml b/.github/workflows/nightly-Homebrew-build.yml
index 29ec96f73..37ffe9e83 100644
--- a/.github/workflows/nightly-Homebrew-build.yml
+++ b/.github/workflows/nightly-Homebrew-build.yml
@@ -17,6 +17,10 @@ on: # it only makes sense to test if this file has been changed name: Nightly-Homebrew-Build + +permissions: + contents: read # to fetch code (actions/checkout) + jobs: build-OpenBLAS-with-Homebrew: runs-on: macos-latest
From 4de8e1b8f922e531e9c49d8deb35fef993d17ee4 Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 26 Sep 2022 13:47:15 +0200
Subject: [PATCH 2/3] build: harden mips64.yml permissions
Signed-off-by: Alex
---
.github/workflows/mips64.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/mips64.yml b/.github/workflows/mips64.yml
index a5bd7b84b..de7c0c0f3 100644
--- a/.github/workflows/mips64.yml
+++ b/.github/workflows/mips64.yml
@@ -2,6 +2,9 @@ name: mips64 qemu test on: [push, pull_request] +permissions: + contents: read # to fetch code (actions/checkout) + jobs: TEST: runs-on: ubuntu-latest
From c726604319a038a7558d638985bbb60ac4983285 Mon Sep 17 00:00:00 2001
From: Alex
Date: Mon, 26 Sep 2022 13:48:11 +0200
Subject: [PATCH 3/3] build: harden dynamic_arch.yml permissions
Signed-off-by: Alex
---
.github/workflows/dynamic_arch.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/dynamic_arch.yml b/.github/workflows/dynamic_arch.yml
index 138a853dd..49139317c 100644
--- a/.github/workflows/dynamic_arch.yml
+++ b/.github/workflows/dynamic_arch.yml
@@ -2,6 +2,9 @@ name: continuous build on: [push, pull_request] +permissions: + contents: read # to fetch code (actions/checkout) + jobs: build: runs-on: ${{ matrix.os }}
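Review bot: The inline comment on `contents: read` says why that scope is needed but not what the block removes: once a workflow-level `permissions:` key is present, every GITHUB_TOKEN scope not listed is set to `none` for all jobs in the file. A comment above the key such as `# unlisted GITHUB_TOKEN scopes become none; grant extras per job` would make that visible to whoever adds a step later that needs more than checkout. The job bodies continue outside the hunk, so whether any existing step relies on a write scope cannot be confirmed from here. The same applies to the nightly-Homebrew-build.yml and mips64.yml hunks earlier in the series.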