Limit token permissions in GitHub workflows (#440)

See
ea7e27ed41/docs/checks.md (token-permissions)
This commit is contained in:
Daz DeBoer 2024-11-13 19:01:45 -07:00 committed by GitHub
parent af45dcfe3c
commit 07e0f1c008
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
29 changed files with 129 additions and 17 deletions


@ -16,6 +16,9 @@ on:
schedule: schedule:
- cron: '25 23 * * 2' - cron: '25 23 * * 2'
permissions:
contents: read
jobs: jobs:
analyze: analyze:
name: Analyze name: Analyze
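Review bot: The `analyze` job that starts at the end of this hunk must carry its own job-level `permissions` block with `security-events: write` for the code-scanning upload, because once a workflow-level `permissions:` block exists every scope it does not list is set to none rather than the repository default; the job body is outside the hunk, so confirm that block is present. The cron schedule and job name look like the CodeQL template, where that entry is normally already there, but the new top-level `contents: read` makes its absence a hard failure instead of a silent default. If it is missing, the fix is `permissions:` / `  contents: read` / `  security-events: write` under `analyze:`.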


@ -14,6 +14,9 @@ on:
- 'sources/test/init-scripts/**' - 'sources/test/init-scripts/**'
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
test-init-scripts: test-init-scripts:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -6,13 +6,13 @@ on:
paths: paths:
- 'dist/**' - 'dist/**'
permissions:
contents: write
concurrency: concurrency:
group: integ-test group: integ-test
cancel-in-progress: false cancel-in-progress: false
permissions:
contents: read
jobs: jobs:
caching-integ-tests: caching-integ-tests:
uses: ./.github/workflows/suite-integ-test-caching.yml uses: ./.github/workflows/suite-integ-test-caching.yml
@ -25,6 +25,8 @@ jobs:
secrets: inherit secrets: inherit
other-integ-tests: other-integ-tests:
permissions:
contents: write
uses: ./.github/workflows/suite-integ-test-other.yml uses: ./.github/workflows/suite-integ-test-other.yml
concurrency: concurrency:
group: CI-integ-test-full group: CI-integ-test-full


@ -11,13 +11,13 @@ on:
paths-ignore: paths-ignore:
- 'dist/**' - 'dist/**'
permissions:
contents: write
concurrency: concurrency:
group: integ-test group: integ-test
cancel-in-progress: false cancel-in-progress: false
permissions:
contents: read
jobs: jobs:
build-distribution: build-distribution:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -36,6 +36,8 @@ jobs:
secrets: inherit secrets: inherit
other-integ-tests: other-integ-tests:
permissions:
contents: write
needs: build-distribution needs: build-distribution
uses: ./.github/workflows/suite-integ-test-other.yml uses: ./.github/workflows/suite-integ-test-other.yml
with: with:


@ -6,7 +6,8 @@ on:
branches: branches:
- main - main
permissions: read-all permissions:
contents: read
jobs: jobs:
analysis: analysis:
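Review bot: Replacing `permissions: read-all` with `contents: read` drops read access on every other token scope, not just write access, so the `analysis` job that begins on the last line of this hunk now has only `contents` unless it declares more itself. Its body is outside the hunk; confirm it has a job-level `permissions` block naming the scopes it actually uses (for a Scorecard-style analysis job that is typically `security-events: write` and `id-token: write`, which a workflow-level `contents: read` cannot supply). If it does not, add that block on the job rather than widening the top-level grant again.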


@ -10,10 +10,12 @@ on:
- 'dist/**' - 'dist/**'
permissions: permissions:
contents: write contents: read
jobs: jobs:
update-dist: update-dist:
permissions:
contents: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:


@ -4,6 +4,9 @@ on:
push: push:
pull_request: pull_request:
permissions:
contents: read
jobs: jobs:
validation: validation:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -3,6 +3,9 @@ name: Demo Job Summary, for Gradle builds
on: on:
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
build-distribution: build-distribution:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -4,7 +4,7 @@ on:
types: [assigned, review_requested] types: [assigned, review_requested]
permissions: permissions:
pull-requests: write contents: read
jobs: jobs:
build-distribution: build-distribution:
@ -16,6 +16,8 @@ jobs:
uses: ./.github/actions/build-dist uses: ./.github/actions/build-dist
successful-build-with-always-comment: successful-build-with-always-comment:
permissions:
pull-requests: write
needs: build-distribution needs: build-distribution
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@ -34,6 +36,8 @@ jobs:
run: ./gradlew build --scan run: ./gradlew build --scan
successful-build-with-comment-on-failure: successful-build-with-comment-on-failure:
permissions:
pull-requests: write
needs: build-distribution needs: build-distribution
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@ -52,6 +56,8 @@ jobs:
run: ./gradlew build --scan run: ./gradlew build --scan
failing-build-with-comment-on-failure: failing-build-with-comment-on-failure:
permissions:
pull-requests: write
needs: build-distribution needs: build-distribution
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
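Review bot: The job-level `permissions:` block added to `successful-build-with-always-comment` lists only `pull-requests: write`, and a job-level block sets every unlisted scope to none, so this job no longer gets the `contents: read` that the new top-level block grants to jobs without their own block. If the steps (outside the hunk) check out the repository or otherwise read repo contents, they will likely need it back: `permissions:` / `  contents: read` / `  pull-requests: write`. The same applies to the blocks added to `successful-build-with-comment-on-failure` and `failing-build-with-comment-on-failure` later in this file.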


@ -17,6 +17,9 @@ env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: build-scan-publish-${{ inputs.cache-key-prefix }}
permissions:
contents: read
jobs: jobs:
build-scan-publish: build-scan-publish:
strategy: strategy:


@ -18,6 +18,9 @@ env:
# Requires a fresh cache entry each run # Requires a fresh cache entry each run
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: cache-cleanup-${{ inputs.cache-key-prefix }}-${{github.run_number}}
permissions:
contents: read
jobs: jobs:
cache-cleanup-full-build: cache-cleanup-full-build:
strategy: strategy:


@ -17,6 +17,9 @@ env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: caching-config-${{ inputs.cache-key-prefix }}
permissions:
contents: read
jobs: jobs:
caching-config-seed-build: caching-config-seed-build:
strategy: strategy:


@ -13,14 +13,14 @@ on:
type: boolean type: boolean
default: false default: false
permissions:
contents: write
env: env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-graph-${{ inputs.cache-key-prefix }}
GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
permissions:
contents: read
jobs: jobs:
dependency-graph-groovy-upload: dependency-graph-groovy-upload:
runs-on: "ubuntu-latest" runs-on: "ubuntu-latest"
@ -39,6 +39,8 @@ jobs:
working-directory: .github/workflow-samples/groovy-dsl working-directory: .github/workflow-samples/groovy-dsl
dependency-graph-groovy-submit: dependency-graph-groovy-submit:
permissions:
contents: write
needs: [dependency-graph-groovy-upload] needs: [dependency-graph-groovy-upload]
runs-on: "ubuntu-latest" runs-on: "ubuntu-latest"
steps: steps:
@ -55,6 +57,8 @@ jobs:
DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-upload
dependency-graph-kotlin-generate-and-submit: dependency-graph-kotlin-generate-and-submit:
permissions:
contents: write
runs-on: "ubuntu-latest" runs-on: "ubuntu-latest"
steps: steps:
- name: Checkout sources - name: Checkout sources
@ -71,6 +75,8 @@ jobs:
working-directory: .github/workflow-samples/kotlin-dsl working-directory: .github/workflow-samples/kotlin-dsl
dependency-graph-multiple-builds: dependency-graph-multiple-builds:
permissions:
contents: write
runs-on: "ubuntu-latest" runs-on: "ubuntu-latest"
steps: steps:
- name: Checkout sources - name: Checkout sources
@ -112,6 +118,8 @@ jobs:
fi fi
dependency-graph-config-cache: dependency-graph-config-cache:
permissions:
contents: write
runs-on: ubuntu-latest # Test is not compatible with Windows runs-on: ubuntu-latest # Test is not compatible with Windows
steps: steps:
- name: Checkout sources - name: Checkout sources


@ -18,6 +18,9 @@ env:
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-failures-${{ inputs.cache-key-prefix }}
GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
permissions:
contents: read
jobs: jobs:
dependency-submission-failures-failing-build: dependency-submission-failures-failing-build:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -13,16 +13,18 @@ on:
type: boolean type: boolean
default: false default: false
permissions:
contents: write
env: env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: dependency-submission-${{ inputs.cache-key-prefix }}
GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository GITHUB_DEPENDENCY_GRAPH_REF: 'refs/tags/v0.0.1' # Use a different ref to avoid updating the real dependency graph for the repository
permissions:
contents: read
jobs: jobs:
dependency-submission-groovy-generate-and-upload: dependency-submission-groovy-generate-and-upload:
permissions:
contents: write
strategy: strategy:
max-parallel: 1 max-parallel: 1
fail-fast: false fail-fast: false
@ -45,6 +47,8 @@ jobs:
GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
dependency-submission-groovy-restore-cache: dependency-submission-groovy-restore-cache:
permissions:
contents: write
needs: [dependency-submission-groovy-generate-and-upload] needs: [dependency-submission-groovy-generate-and-upload]
strategy: strategy:
max-parallel: 1 max-parallel: 1
@ -67,6 +71,8 @@ jobs:
GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission GRADLE_BUILD_ACTION_CACHE_KEY_JOB: groovy-dependency-submission
dependency-submission-groovy-download-and-submit: dependency-submission-groovy-download-and-submit:
permissions:
contents: write
needs: [dependency-submission-groovy-generate-and-upload] needs: [dependency-submission-groovy-generate-and-upload]
strategy: strategy:
max-parallel: 1 max-parallel: 1
@ -88,6 +94,8 @@ jobs:
DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }} DEPENDENCY_GRAPH_DOWNLOAD_ARTIFACT_NAME: groovy-generate-and-upload-${{ matrix.os }}
dependency-submission-kotlin-generate-and-submit: dependency-submission-kotlin-generate-and-submit:
permissions:
contents: write
strategy: strategy:
max-parallel: 1 max-parallel: 1
fail-fast: false fail-fast: false
@ -106,6 +114,8 @@ jobs:
build-root-directory: .github/workflow-samples/kotlin-dsl build-root-directory: .github/workflow-samples/kotlin-dsl
dependency-submission-multiple-builds: dependency-submission-multiple-builds:
permissions:
contents: write
strategy: strategy:
max-parallel: 1 max-parallel: 1
fail-fast: false fail-fast: false
@ -152,6 +162,8 @@ jobs:
fi fi
dependency-submission-multiple-builds-upload: dependency-submission-multiple-builds-upload:
permissions:
contents: write
strategy: strategy:
max-parallel: 1 max-parallel: 1
fail-fast: false fail-fast: false
@ -176,6 +188,8 @@ jobs:
build-root-directory: .github/workflow-samples/groovy-dsl build-root-directory: .github/workflow-samples/groovy-dsl
dependency-submission-config-cache: dependency-submission-config-cache:
permissions:
contents: write
runs-on: ubuntu-latest # Test is not compatible with Windows runs-on: ubuntu-latest # Test is not compatible with Windows
steps: steps:
- name: Checkout sources - name: Checkout sources
@ -211,6 +225,8 @@ jobs:
fi fi
dependency-submission-gradle-versions: dependency-submission-gradle-versions:
permissions:
contents: write
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
@ -235,6 +251,8 @@ jobs:
build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }} build-root-directory: .github/workflow-samples/no-wrapper${{ matrix.build-root-suffix }}
dependency-submission-with-setup-gradle: dependency-submission-with-setup-gradle:
permissions:
contents: write
runs-on: ubuntu-latest # Test is not compatible with Windows runs-on: ubuntu-latest # Test is not compatible with Windows
steps: steps:
- name: Checkout sources - name: Checkout sources
@ -270,6 +288,8 @@ jobs:
fi fi
dependency-submission-with-includes-and-excludes: dependency-submission-with-includes-and-excludes:
permissions:
contents: write
runs-on: ubuntu-latest # Test is not compatible with Windows runs-on: ubuntu-latest # Test is not compatible with Windows
steps: steps:
- name: Checkout sources - name: Checkout sources
@ -304,6 +324,8 @@ jobs:
dependency-submission-custom-report-dir-submit: dependency-submission-custom-report-dir-submit:
permissions:
contents: write
strategy: strategy:
max-parallel: 1 max-parallel: 1
fail-fast: false fail-fast: false
@ -339,6 +361,8 @@ jobs:
fi fi
dependency-submission-custom-report-dir-upload: dependency-submission-custom-report-dir-upload:
permissions:
contents: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout sources - name: Checkout sources
@ -355,6 +379,8 @@ jobs:
build-root-directory: .github/workflow-samples/groovy-dsl build-root-directory: .github/workflow-samples/groovy-dsl
custom-report-dir-download-and-submit: custom-report-dir-download-and-submit:
permissions:
contents: write
needs: [dependency-submission-custom-report-dir-upload] needs: [dependency-submission-custom-report-dir-upload]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:


@ -17,6 +17,9 @@ env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: detect-java-toolchain-${{ inputs.cache-key-prefix }}
permissions:
contents: read
jobs: jobs:
# Test that pre-installed runner JDKs are detected # Test that pre-installed runner JDKs are detected
detect-toolchains-pre-installed-jdks: detect-toolchains-pre-installed-jdks:


@ -20,6 +20,9 @@ env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: inject-develocity-${{ inputs.cache-key-prefix }}
permissions:
contents: read
jobs: jobs:
inject-develocity: inject-develocity:
env: env:


@ -18,6 +18,9 @@ env:
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: provision-gradle-versions-${{ inputs.cache-key-prefix }}
GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true GRADLE_BUILD_ACTION_CACHE_DEBUG_ENABLED: true
permissions:
contents: read
jobs: jobs:
# Tests for executing with different Gradle versions. # Tests for executing with different Gradle versions.
# Each build verifies that it is executed with the expected Gradle version. # Each build verifies that it is executed with the expected Gradle version.


@ -20,6 +20,9 @@ env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-configuration-cache-${{ inputs.cache-key-prefix }}
permissions:
contents: read
jobs: jobs:
restore-cc-seed-build-groovy: restore-cc-seed-build-groovy:
env: env:


@ -14,6 +14,9 @@ env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-containerized-gradle-home-${{ inputs.cache-key-prefix }}
permissions:
contents: read
jobs: jobs:
restore-containerized-seed-build: restore-containerized-seed-build:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -14,6 +14,9 @@ env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-custom-gradle-home-${{ inputs.cache-key-prefix }}
permissions:
contents: read
jobs: jobs:
restore-custom-gradle-home-seed-build: restore-custom-gradle-home-seed-build:
runs-on: ubuntu-latest runs-on: ubuntu-latest


@ -18,6 +18,9 @@ env:
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-gradle-home-${{ inputs.cache-key-prefix }}
GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home GRADLE_BUILD_ACTION_CACHE_KEY_JOB: restore-gradle-home
permissions:
contents: read
jobs: jobs:
restore-gradle-home-seed-build: restore-gradle-home-seed-build:
strategy: strategy:


@ -17,6 +17,9 @@ env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: restore-java-toolchain-${{ inputs.cache-key-prefix }}
permissions:
contents: read
jobs: jobs:
restore-java-toolchain-seed-build: restore-java-toolchain-seed-build:
strategy: strategy:


@ -17,6 +17,9 @@ env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-gradle-plugin-${{ inputs.cache-key-prefix }}
permissions:
contents: read
jobs: jobs:
sample-gradle-plugin-seed-build: sample-gradle-plugin-seed-build:
strategy: strategy:


@ -17,6 +17,9 @@ env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }} GRADLE_BUILD_ACTION_CACHE_KEY_PREFIX: sample-kotlin-dsl-${{ inputs.cache-key-prefix }}
permissions:
contents: read
jobs: jobs:
sample-kotlin-dsl-seed-build: sample-kotlin-dsl-seed-build:
strategy: strategy:


@ -13,6 +13,9 @@ on:
env: env:
SKIP_DIST: ${{ inputs.skip-dist }} SKIP_DIST: ${{ inputs.skip-dist }}
permissions:
contents: read
jobs: jobs:
wrapper-validation-setup-gradle: wrapper-validation-setup-gradle:
strategy: strategy:


@ -10,6 +10,9 @@ on:
type: boolean type: boolean
default: false default: false
permissions:
contents: read
jobs: jobs:
cache-cleanup: cache-cleanup:
uses: ./.github/workflows/integ-test-cache-cleanup.yml uses: ./.github/workflows/integ-test-cache-cleanup.yml


@ -10,6 +10,9 @@ on:
type: boolean type: boolean
default: false default: false
permissions:
contents: read
jobs: jobs:
build-scan-publish: build-scan-publish:
uses: ./.github/workflows/integ-test-build-scan-publish.yml uses: ./.github/workflows/integ-test-build-scan-publish.yml


@ -7,11 +7,13 @@ on:
workflow_dispatch: workflow_dispatch:
permissions: permissions:
contents: write contents: read
pull-requests: write
jobs: jobs:
update-checksums: update-checksums:
permissions:
contents: write
pull-requests: write
name: Update checksums name: Update checksums
runs-on: ubuntu-latest runs-on: ubuntu-latest