1
0
mirror of https://github.com/TeamNewPipe/NewPipe synced 2024-11-25 11:39:32 +01:00

Use minimum required permissions for GitHub workflows

This reduces the attack surface if the workflows are ever compromised.
This commit is contained in:
mhmdanas 2022-07-03 20:38:51 +03:00
parent 45d2492bcb
commit a1f1acfbf9
3 changed files with 21 additions and 1 deletions

View File

@ -31,6 +31,10 @@ on:
jobs:
build-and-test-jvm:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v3
- uses: gradle/wrapper-validation-action@v1
@ -64,6 +68,10 @@ jobs:
matrix:
# api-level 19 is min sdk, but throws errors related to desugaring
api-level: [ 21, 29 ]
permissions:
contents: read
steps:
- uses: actions/checkout@v3
@ -81,7 +89,7 @@ jobs:
# workaround to emulator bug: https://github.com/ReactiveCircus/android-emulator-runner/issues/160
emulator-build: 7425822
script: ./gradlew connectedCheck --stacktrace
- name: Upload test report when tests fail # because the printed out stacktrace (console) is too short, see also #7553
uses: actions/upload-artifact@v3
if: failure()
@ -91,6 +99,10 @@ jobs:
sonar:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v3
with:

View File

@ -6,6 +6,10 @@ on:
issues:
types: [opened, edited]
permissions:
issues: write
pull-requests: write
jobs:
try-minimize:
runs-on: ubuntu-latest

View File

@ -9,6 +9,10 @@ on:
# Run daily at midnight.
- cron: '0 0 * * *'
permissions:
issues: write
pull-requests: write
jobs:
noResponse:
runs-on: ubuntu-latest