[build, test] Harden workflows' security (#5410)

author Alex <redacted>

Thu, 10 Nov 2022 01:41:07 +0000 (03:41 +0200)

committer GitHub <redacted>

Thu, 10 Nov 2022 01:41:07 +0000 (07:11 +0530)
author Alex <redacted>
Thu, 10 Nov 2022 01:41:07 +0000 (03:41 +0200)
committer GitHub <redacted>
Thu, 10 Nov 2022 01:41:07 +0000 (07:11 +0530)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml

index 2a1b9a4aa0904601bfee8859e37c1ba3f3865f52..12e5426b14f60ccea47499ea5427839febdfcbe2 100644 (file)
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,8 +1,12 @@
  name: Build
  on: workflow_dispatch
+permissions:
+  contents: read
  
  jobs:
    prepare:
+    permissions:
+      contents: write  # for push_release
      runs-on: ubuntu-latest
      outputs:
        version_suffix: ${{ steps.version_suffix.outputs.version_suffix }}
@@ -69,9 +73,6 @@ jobs:
            python pyinst.py --onedir
            (cd ./dist/yt-dlp_linux && zip -r ../yt-dlp_linux.zip .)
            python pyinst.py
-    - name: Get SHA2-SUMS
-      id: get_sha
-      run: |
  
      - name: Upload artifacts
        uses: actions/upload-artifact@v3
@@ -248,6 +249,8 @@ jobs:
  
  
    publish_release:
+    permissions:
+      contents: write  # for action-gh-release
      runs-on: ubuntu-latest
      needs: [prepare, build_unix, build_windows, build_windows32, build_macos, build_macos_legacy]
  
diff --git a/.github/workflows/core.yml b/.github/workflows/core.yml

index d0e890b30ef1a4a03846de9dd007ce8bae756803..e12918626510da9b64ff2bcb05ca7947c0e34b8b 100644 (file)
--- a/.github/workflows/core.yml
+++ b/.github/workflows/core.yml
@@ -1,5 +1,8 @@
  name: Core Tests
  on: [push, pull_request]
+permissions:
+  contents: read
+
  jobs:
    tests:
      name: Core Tests
diff --git a/.github/workflows/download.yml b/.github/workflows/download.yml

index cc2da62fae633d6d388ecfa2fb3c4bdf7ce018a2..2b2387d4f1342529c953305e0a18301632ef7b1f 100644 (file)
--- a/.github/workflows/download.yml
+++ b/.github/workflows/download.yml
@@ -1,5 +1,8 @@
  name: Download Tests
  on: [push, pull_request]
+permissions:
+  contents: read
+
  jobs:
    quick:
      name: Quick Download Tests
diff --git a/.github/workflows/quick-test.yml b/.github/workflows/quick-test.yml

index 53b74e2c75488ce738d9eb9f67398bb70d2df155..8a0ac98bb877770ba50bfb6c900a2db5953446cf 100644 (file)
--- a/.github/workflows/quick-test.yml
+++ b/.github/workflows/quick-test.yml
@@ -1,5 +1,8 @@
  name: Quick Test
  on: [push, pull_request]
+permissions:
+  contents: read
+
  jobs:
    tests:
      name: Core Test
author	Alex <redacted>
	Thu, 10 Nov 2022 01:41:07 +0000 (03:41 +0200)
committer	GitHub <redacted>
	Thu, 10 Nov 2022 01:41:07 +0000 (07:11 +0530)
.github/workflows/build.yml		patch \| blob \| blame \| history
.github/workflows/core.yml		patch \| blob \| blame \| history
.github/workflows/download.yml		patch \| blob \| blame \| history
.github/workflows/quick-test.yml		patch \| blob \| blame \| history