diff --git a/.github/workflows/PR-Demo-Comment.yml b/.github/workflows/PR-Demo-Comment.yml
index 0ad568899..c9e5898b3 100644
--- a/.github/workflows/PR-Demo-Comment.yml
+++ b/.github/workflows/PR-Demo-Comment.yml
@@ -4,9 +4,15 @@ on:
 issue_comment:
 types: [created]
+permissions:
+ contents: read
+
 jobs:
 check-comment:
 runs-on: ubuntu-latest
+ permissions:
+ pull-requests: read
+ issues: read
 if: |
 github.event.issue.pull_request && (
diff --git a/.github/workflows/PR-Demo-cleanup.yml b/.github/workflows/PR-Demo-cleanup.yml
index 6ed7bea88..57b6750fb 100644
--- a/.github/workflows/PR-Demo-cleanup.yml
+++ b/.github/workflows/PR-Demo-cleanup.yml
@@ -4,7 +4,8 @@ on:
 pull_request:
 types: [opened, synchronize, reopened, closed]
-permissions: read-all
+permissions:
+ contents: read
 env:
 SERVER_IP: ${{ secrets.VPS_IP }} # Add this to your GitHub secrets
diff --git a/.github/workflows/auto-labeler.yml b/.github/workflows/auto-labeler.yml
index 3495f7ae0..501d9863e 100644
--- a/.github/workflows/auto-labeler.yml
+++ b/.github/workflows/auto-labeler.yml
@@ -3,7 +3,8 @@ on:
 pull_request_target:
 types: [opened, synchronize]
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 labeler:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b5a0784bb..c7e987251 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,13 +6,15 @@ on:
 pull_request:
 branches: ["main"]
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 build:
 runs-on: ubuntu-latest
 permissions:
+ actions: read
 security-events: write
 strategy:
@@ -44,7 +46,7 @@ jobs:
 run: ./gradlew clean build
 env:
 DOCKER_ENABLE_SECURITY: true
-
+
 docker-compose-tests: # if: github.event_name == 'push' && github.ref == 'refs/heads/main' || # (github.event_name == 'pull_request' &&
diff --git a/.github/workflows/licenses-update.yml b/.github/workflows/licenses-update.yml
index a3fdb2853..8a7d07c34 100644
--- a/.github/workflows/licenses-update.yml
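Review bot: The job-level `permissions` block added under `check-comment` replaces the workflow-level map instead of extending it, so the new top-level `contents: read` does not reach this job — it gets only `pull-requests: read` and `issues: read`, with every other scope `none`. That is correct if the job only inspects the comment, but if it (or a job it feeds) checks out the repository, add `contents: read` to the same job-level block. Because `issue_comment` runs in the base repository with access to its secrets for a comment from any account, the `if:` expression that starts at the end of this hunk and continues outside it appears to be the sole gate; it should test the commenter's role, e.g. `contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`, rather than only the comment body.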
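Review bot: Replacing `read-all` with `contents: read` drops every other scope (`pull-requests`, `issues`, `deployments`, `actions`, …) to `none` for any job in this workflow that does not declare its own block, and the jobs themselves are outside this hunk. Verify that nothing in them uses `GITHUB_TOKEN` to read or comment on the PR being cleaned up — if a job does, give it a job-level `permissions:` listing exactly the scopes it needs, remembering that a job-level map replaces this one rather than adding to it. Separately, `SERVER_IP` is read from `secrets.VPS_IP` under a `pull_request` trigger, so it expands to an empty string for pull requests from forks; that is pre-existing, but any step that connects to it should refuse an empty host (`[ -n "$SERVER_IP" ] || exit 1`) rather than silently targeting nothing.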
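Review bot: Under `pull_request_target` the `GITHUB_TOKEN` is the base repository's, so a workflow-level `contents: read` is the right default, but a labeler that applies labels needs `pull-requests: write`; the `labeler` job begins at the last line of this hunk with its body outside it, so confirm that scope is declared at job level (the previous `read-all` would not have granted it either, so the job-level block presumably already exists). A job-level `permissions:` replaces the workflow-level map, so that block must list everything the job uses. A warning comment above `on:` would also be worth adding, since this trigger is the classic "pwn request" vector: `# pull_request_target runs with the base repo token/secrets — never check out or execute PR head code in this workflow`.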
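Review bot: The `build` job's `permissions` block (`actions: read`, `security-events: write`) is job-level and therefore replaces the workflow-level `contents: read` rather than adding to it, so `build` runs with `contents: none` on its `GITHUB_TOKEN`; on a public repository `actions/checkout` still succeeds, but if this repository is private the checkout needs `contents: read` listed here as well. `actions: read` is the scope `github/codeql-action/upload-sarif` requires on private repositories, so it is consistent with the existing `security-events: write`. Note that on `pull_request` events from forks the token is capped at read-only regardless of this block, so any SARIF upload step in the job (outside this hunk) should be conditioned on `github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository` to avoid a failing step on fork PRs.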
+++ b/.github/workflows/licenses-update.yml
@@ -7,7 +7,8 @@ on:
 paths:
 - "build.gradle"
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 generate-license-report:
diff --git a/.github/workflows/manage-label.yml b/.github/workflows/manage-label.yml
index 05367ee8c..6f765438b 100644
--- a/.github/workflows/manage-label.yml
+++ b/.github/workflows/manage-label.yml
@@ -4,7 +4,8 @@ on:
 schedule:
 - cron: "30 20 * * *"
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 labeler:
diff --git a/.github/workflows/multiOSReleases.yml b/.github/workflows/multiOSReleases.yml
index e445dc2b9..9121bf53a 100644
--- a/.github/workflows/multiOSReleases.yml
+++ b/.github/workflows/multiOSReleases.yml
@@ -5,7 +5,8 @@ on:
 release:
 types: [created]
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 build-installers:
diff --git a/.github/workflows/pre_commit.yml b/.github/workflows/pre_commit.yml
index 5c591d89b..df4e5a0f8 100644
--- a/.github/workflows/pre_commit.yml
+++ b/.github/workflows/pre_commit.yml
@@ -4,7 +4,8 @@ on:
 push:
 branches: [main]
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 update:
@@ -19,7 +20,7 @@ jobs:
 with:
 fetch-depth: 0
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
 with:
 python-version: 3.12
 - name: Run Pre-Commit Hooks
diff --git a/.github/workflows/push-docker.yml b/.github/workflows/push-docker.yml
index dea71c096..c04cbcf13 100644
--- a/.github/workflows/push-docker.yml
+++ b/.github/workflows/push-docker.yml
@@ -9,14 +9,13 @@ on:
 permissions:
 contents: read
- packages: write
- id-token: write
 jobs:
 push:
 runs-on: ubuntu-latest
 permissions:
 packages: write
+ id-token: write
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
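Review bot: On a `release: created` trigger, a `build-installers` job that attaches the installers to the release must hold `contents: write`, which this workflow-level `contents: read` does not provide to jobs lacking their own `permissions:` block; the job begins at the hunk's last line and its steps are outside it, so confirm it declares `permissions: contents: write` at job level. With a read-only token the failure only surfaces at upload time (`Resource not accessible by integration`), after the whole installer build matrix has already run. A short comment on the job's own block, e.g. `# contents: write — required to upload installers to the release`, would make the intent clear to the next person tightening scopes.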
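Review bot: Narrowing this workflow to `contents: read` is only safe if the `update` job does not push the pre-commit fixes back to `main`; the job checks out with `fetch-depth: 0` (visible in the following hunk), which usually precedes a commit-and-push, and a push with a read-only `GITHUB_TOKEN` fails with a 403. If it does push, declare `permissions: contents: write` on the `update` job alone — a job-level map replaces this workflow-level one — and leave the workflow default at read. The `update` job's body lies outside this hunk, so this is inferred from the checkout options rather than seen.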
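Review bot: Moving `id-token: write` from the workflow level to the `push` job is the right direction — only the job that signs needs to mint an OIDC token — but the job-level map replaces the workflow-level one entirely, so `push` now holds exactly `packages: write` and `id-token: write` and `contents` is `none` for it (pre-existing, and harmless on a public repository). Every step in `push` can now request an OIDC token, so each third-party action in this job should remain pinned to a commit SHA as `harden-runner` already is, with the `cosign` step gated on `github.ref == 'refs/heads/master'` being the only intended consumer. A one-line comment above the added line, `# id-token: write — only for keyless cosign signing on master`, would record why the scope is there and discourage reuse.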
@@ -42,7 +41,7 @@ jobs:
 - name: Install cosign
 if: github.ref == 'refs/heads/master'
- uses: sigstore/cosign-installer@v3.7.0
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 with:
 cosign-release: 'v2.4.1'
diff --git a/.github/workflows/releaseArtifacts.yml b/.github/workflows/releaseArtifacts.yml
index 21f2fb147..2a71c85e1 100644
--- a/.github/workflows/releaseArtifacts.yml
+++ b/.github/workflows/releaseArtifacts.yml
@@ -5,7 +5,8 @@ on:
 release:
 types: [created]
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 push:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3746016ce..f8631b55b 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -5,7 +5,8 @@ on:
 - cron: "30 0 * * *"
 workflow_dispatch:
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 stale:
diff --git a/.github/workflows/swagger.yml b/.github/workflows/swagger.yml
index 502208684..6478aeb18 100644
--- a/.github/workflows/swagger.yml
+++ b/.github/workflows/swagger.yml
@@ -6,7 +6,8 @@ on:
 branches:
 - master
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 push:
diff --git a/.github/workflows/sync_files.yml b/.github/workflows/sync_files.yml
index 139f86fa0..e27f1b395 100644
--- a/.github/workflows/sync_files.yml
+++ b/.github/workflows/sync_files.yml
@@ -9,7 +9,8 @@ on:
 - "src/main/resources/messages_*.properties"
 - "scripts/ignore_translation.toml"
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 sync-readme:
diff --git a/.github/workflows/update-translations.yml b/.github/workflows/update-translations.yml
index 84d9c2226..8c1a82d63 100644
--- a/.github/workflows/update-translations.yml
+++ b/.github/workflows/update-translations.yml
@@ -6,7 +6,8 @@ on:
 paths:
 - "src/main/resources/messages_en_GB.properties"
-permissions: read-all
+permissions:
+ contents: read
 jobs:
 update-translations-main:
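Review bot: A `push` job that runs on `release: created` and uploads artifacts to that release needs `contents: write`, and `contents: read` at the workflow level no longer implies anything else for jobs without their own block; the job starts at the hunk's last line and its steps are outside it, so confirm the write scope is declared on the job itself. Since `read-all` never granted write either, that block should already exist — if it does not, the upload step has been relying on something other than `GITHUB_TOKEN`, which is worth a comment above `permissions:` naming the token actually used.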
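Review bot: `actions/stale` needs `issues: write` and `pull-requests: write` to label or close anything, and neither is implied by `contents: read`; the `stale` job begins at the hunk's last line and its body is outside it, so check that it carries a job-level block such as `permissions: { issues: write, pull-requests: write }`. The previous `read-all` would not have granted those scopes either, so this is a confirmation rather than a regression, but because this workflow also has `workflow_dispatch` a maintainer triggering it by hand will otherwise see it complete "successfully" while silently doing nothing.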
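Review bot: A job triggered by a push to `messages_en_GB.properties` that regenerates the other `messages_*.properties` files and then commits or opens a pull request needs `contents: write` (and `pull-requests: write` for a PR), which this `contents: read` does not provide; `update-translations-main` starts at the hunk's last line with its steps outside it, so confirm the write scopes are declared at job level. If the commit is made with a PAT or GitHub App token instead of `GITHUB_TOKEN`, the read-only default here is exactly right, and a comment saying so — `# GITHUB_TOKEN is read-only; commits are pushed with the app token in the job` — would stop a later reviewer from re-widening it.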