.github/workflows: downscope permissions where possible

2026-01-09 21:27:20 +00:00 · 2021-09-09 17:23:03 +02:00
parent 8d88096476
commit 427edf35cc
5 changed files with 48 additions and 8 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,12 +1,14 @@
+name: Build and upload binaries
 on:
  release:
    types: [published]
  push:
  pull_request:
-name: Build binaries
+permissions:
+  contents: read
 jobs:
-  binaries:
-    name: Build and upload
+  build:
+    name: Build binaries
    runs-on: ubuntu-latest
    steps:
      - name: Install Go
@@ -47,9 +49,20 @@ jobs:
        with:
          name: age-binaries
          path: age-*
+  upload:
+    name: Upload release binaries
+    if: ${{ github.event_name == 'release' }}
+    needs: build
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download workflow artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: age-binaries
      - name: Upload release artifacts
        uses: actions/github-script@v3
-        if: ${{ github.event_name == 'release' }}
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
--- a/.github/workflows/gotip.yml
+++ b/.github/workflows/gotip.yml
@@ -1,5 +1,7 @@
 on: [push, pull_request]
 name: Go tip tests
+permissions:
+  contents: read
 jobs:
  test:
    name: Test
--- a/.github/workflows/interop.yml
+++ b/.github/workflows/interop.yml
@@ -1,5 +1,7 @@
 name: Interoperability tests
 on: push
+permissions:
+  contents: read
 jobs:
  trigger:
    name: Trigger
--- a/.github/workflows/ronn.yml
+++ b/.github/workflows/ronn.yml
@@ -1,14 +1,16 @@
+name: Generate man pages
 on:
  push:
    branches:
      - '**'
    paths:
      - '**.ronn'
-name: Generate man pages
+permissions:
+  contents: read
 jobs:
  ronn:
-    runs-on: ubuntu-latest
    name: Ronn
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
@@ -24,10 +26,29 @@ jobs:
            awk '/Filippo Valsorda/ { $0 = "<p>Filippo Valsorda <a href=\"mailto:age@filippo.io\" data-bare-link=\"true\">age@filippo.io</a></p>" } { print }' "$f" > "$f.tmp"
            mv "$f.tmp" "$f"
          done
+      - name: Upload generated files
+        uses: actions/upload-artifact@v2
+        with:
+          name: man-pages-html
+          path: doc/*.html
+  commit:
+    name: Commit changes
+    needs: ronn
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Download generated files
+        uses: actions/download-artifact@v2
+        with:
+          name: man-pages-html
+          path: doc/
      - name: Commit and push if changed
        run: |-
          git config user.name "GitHub Actions"
          git config user.email "actions@users.noreply.github.com"
-          git add -A
+          git add doc/
          git commit -m "doc: regenerate groff and html man pages" || exit 0
          git push
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,5 +1,7 @@
-on: [push, pull_request]
 name: Go tests
+on: [push, pull_request]
+permissions:
+  contents: read
 jobs:
  test:
    name: Test