Make Github workflows permissions read-only by default (#3488)

* Make Github workflows permissions read-only by default * Pins `skx/github-action-publish-binaries` action to specific hash
2025-11-27 00:05:09 -05:00 · 2023-02-13 16:57:05 -08:00 · 2023-02-13 16:57:05 -08:00 · 727d03161f
commit 727d03161f
parent 886de7bc04
3 changed files with 6 additions and 3 deletions
--- a/.github/workflows/dev-long-tests.yml
+++ b/.github/workflows/dev-long-tests.yml
@ -9,6 +9,8 @@ on:
  pull_request:
    branches: [ dev, release, actionsTest ]

+permissions: read-all
+
 jobs:
  make-all:
    runs-on: ubuntu-latest
--- a/.github/workflows/dev-short-tests.yml
+++ b/.github/workflows/dev-short-tests.yml
@ -10,6 +10,8 @@ on:
  pull_request:
    branches: [ dev, release, actionsTest ]

+permissions: read-all
+
 jobs:
  linux-kernel:
    runs-on: ubuntu-latest
--- a/.github/workflows/publish-release-artifacts.yml
+++ b/.github/workflows/publish-release-artifacts.yml
@ -5,8 +5,7 @@ on:
    types:
      - published

-permissions:
-  contents: read
+permissions: read-all

 jobs:
  publish-release-artifacts:
@ -68,7 +67,7 @@ jobs:
          fi

      - name: Publish
-        uses: skx/github-action-publish-binaries@release-2.0
+        uses: skx/github-action-publish-binaries@b9ca5643b2f1d7371a6cba7f35333f1461bbc703 # tag=release-2.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with: