diff --git a/.github/workflows/ci-archlinux.yml b/.github/workflows/ci-archlinux.yml
index 7dbcf63e..069ae495 100644
--- a/.github/workflows/ci-archlinux.yml
+++ b/.github/workflows/ci-archlinux.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Archlinux
-permissions:
- contents: read
+permissions: {}
 on:
 workflow_call:
@@ -24,6 +23,8 @@ jobs:
 BUILD_VERSION: ${{ inputs.release_version }}
 CLONE_URL: ${{ github.event.repository.clone_url }}
 COMMIT: ${{ inputs.release_commit }}
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 container:
 image: archlinux/archlinux:base-devel
diff --git a/.github/workflows/ci-bundle.yml b/.github/workflows/ci-bundle.yml
index a6642de6..a7cbee67 100644
--- a/.github/workflows/ci-bundle.yml
+++ b/.github/workflows/ci-bundle.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Bundle
-permissions:
- contents: read
+permissions: {}
 on:
 workflow_call:
@@ -11,6 +10,8 @@ on:
 jobs:
 bundle_analysis:
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
diff --git a/.github/workflows/ci-copr.yml b/.github/workflows/ci-copr.yml
index 7b143eee..98af44a8 100644
--- a/.github/workflows/ci-copr.yml
+++ b/.github/workflows/ci-copr.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Copr
-permissions:
- contents: read
+permissions: {}
 on:
 release:
@@ -27,6 +26,8 @@ concurrency:
 jobs:
 call-copr-ci:
+ permissions:
+ contents: read
 uses: LizardByte/copr-ci/.github/workflows/copr-ci.yml@master
 with:
 copr_pr_webhook_token: "05fc9b07-a19b-4f83-89b2-ae1e7e0b5282"
diff --git a/.github/workflows/ci-flatpak.yml b/.github/workflows/ci-flatpak.yml
index 34555afa..63b88ce1 100644
--- a/.github/workflows/ci-flatpak.yml
+++ b/.github/workflows/ci-flatpak.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Flatpak
-permissions:
- contents: read
+permissions: {}
 on:
 workflow_call:
@@ -21,6 +20,8 @@ jobs:
 MATRIX_ARCH: ${{ matrix.arch }}
 NODE_VERSION: "20"
 PLATFORM_VERSION: "24.08"
+ permissions:
+ contents: read
 runs-on: ${{ matrix.runner }}
 strategy:
 fail-fast: false
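Review bot: In ci-copr.yml the `call-copr-ci` job is now capped at `contents: read`, but its `uses:` line still points at the branch ref `@master`, which can change without any change in this repository. The job-level cap limits only the GITHUB_TOKEN handed to the called workflow; it does not fix which revision of that workflow runs with the inputs it is given. Consider pinning to a full commit SHA with the tag in a trailing comment, the way the `actions/checkout` step in localize.yml is pinned: `uses: LizardByte/copr-ci/.github/workflows/copr-ci.yml@<full-commit-sha>  # <tag>`. The same applies to `github-env` in ci.yml and to `call-jekyll-build` in update-pages.yml, which also passes secrets. Separately, the literal `copr_pr_webhook_token` value in the context line is worth confirming as intentionally public; if it is not, it belongs in `secrets`.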
diff --git a/.github/workflows/ci-freebsd.yml b/.github/workflows/ci-freebsd.yml
index e46b8446..d510bf30 100644
--- a/.github/workflows/ci-freebsd.yml
+++ b/.github/workflows/ci-freebsd.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-FreeBSD
-permissions:
- contents: read
+permissions: {}
 on:
 workflow_call:
@@ -25,6 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 outputs:
 matrix: ${{ steps.generate-matrix.outputs.matrix }}
+ permissions: {}
 steps:
 - name: Generate Matrix
 id: generate-matrix
@@ -66,6 +66,8 @@ jobs:
 name: ${{ matrix.cmake_processor }}-${{ matrix.bsd_release }}
 runs-on: ubuntu-latest
 needs: setup-matrix
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
diff --git a/.github/workflows/ci-homebrew.yml b/.github/workflows/ci-homebrew.yml
index b1ad7bb6..79459231 100644
--- a/.github/workflows/ci-homebrew.yml
+++ b/.github/workflows/ci-homebrew.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Homebrew
-permissions:
- contents: read
+permissions: {}
 on:
 workflow_call:
@@ -29,6 +28,8 @@ on:
 jobs:
 build_homebrew:
 name: ${{ matrix.os_name }}-${{ matrix.os_version }}${{ matrix.release == true && ' (Release)' || '' }}
+ permissions:
+ contents: read
 runs-on: ${{ matrix.os_name }}-${{ matrix.os_version }}
 strategy:
 fail-fast: false
diff --git a/.github/workflows/ci-linux.yml b/.github/workflows/ci-linux.yml
index 3c139bf6..147fd088 100644
--- a/.github/workflows/ci-linux.yml
+++ b/.github/workflows/ci-linux.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Linux
-permissions:
- contents: read
+permissions: {}
 on:
 workflow_call:
@@ -19,6 +18,8 @@ jobs:
 env:
 APP_ID: dev.lizardbyte.app.Sunshine
 VERSION: ${{ inputs.release_version }}
+ permissions:
+ contents: read
 runs-on: ubuntu-${{ matrix.dist }}
 strategy:
 fail-fast: false
diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml
index a6a21ae8..4be28cf0 100644
--- a/.github/workflows/ci-windows.yml
+++ b/.github/workflows/ci-windows.yml
@@ -1,7 +1,6 @@
 ---
 name: CI-Windows
-permissions:
- contents: read
+permissions: {}
 on:
 workflow_call:
@@ -20,6 +19,8 @@ jobs:
 defaults:
 run:
 shell: msys2 {0}
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b8425184..714b7e68 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,7 +1,6 @@
 ---
 name: CI
-permissions:
- contents: read
+permissions: {}
 on:
 pull_request:
@@ -17,6 +16,8 @@ concurrency:
 jobs:
 github-env:
 name: GitHub Env Debug
+ permissions:
+ contents: read
 uses: LizardByte/.github/.github/workflows/__call-github-env.yml@master
 release-setup:
@@ -65,6 +66,8 @@ jobs:
 build-freebsd:
 name: FreeBSD
 needs: release-setup
+ permissions:
+ contents: read
 uses: ./.github/workflows/ci-freebsd.yml
 with:
 release_commit: ${{ needs.release-setup.outputs.release_commit }}
@@ -73,6 +76,8 @@ jobs:
 build-homebrew:
 name: Homebrew
 needs: release-setup
+ permissions:
+ contents: read
 uses: ./.github/workflows/ci-homebrew.yml
 with:
 publish_release: ${{ needs.release-setup.outputs.publish_release }}
@@ -87,6 +92,8 @@ jobs:
 build-linux:
 name: Linux
 needs: release-setup
+ permissions:
+ contents: read
 uses: ./.github/workflows/ci-linux.yml
 with:
 release_commit: ${{ needs.release-setup.outputs.release_commit }}
@@ -95,6 +102,8 @@ jobs:
 build-archlinux:
 name: Archlinux
 needs: release-setup
+ permissions:
+ contents: read
 uses: ./.github/workflows/ci-archlinux.yml
 with:
 release_commit: ${{ needs.release-setup.outputs.release_commit }}
@@ -115,6 +124,8 @@ jobs:
 build-linux-flatpak:
 name: Linux Flatpak
 needs: release-setup
+ permissions:
+ contents: read
 uses: ./.github/workflows/ci-flatpak.yml
 with:
 release_commit: ${{ needs.release-setup.outputs.release_commit }}
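Review bot: With the workflow-level default in ci.yml now `permissions: {}`, any job this diff does not touch and that has no `permissions:` block of its own drops from `contents: read` to no token permissions at all. The hunk headers suggest at least two untouched stretches: `release-setup`, named in the context of the `github-env` hunk, and whatever sits between the `build-archlinux` and `build-linux-flatpak` hunks; neither is visible here. If either relied on the old default, give it an explicit `permissions:` block with `contents: read` in this same commit. A one-line comment next to the top-level setting, e.g. `permissions: {}  # deny by default; every job declares its own`, would also tell the next contributor why a new job without a block gets no token permissions.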
@@ -123,6 +134,8 @@ jobs:
 build-windows:
 name: Windows
 needs: release-setup
+ permissions:
+ contents: read
 uses: ./.github/workflows/ci-windows.yml
 with:
 release_commit: ${{ needs.release-setup.outputs.release_commit }}
@@ -131,6 +144,8 @@ jobs:
 bundle-analysis:
 name: Bundle Analysis
 needs: release-setup
+ permissions:
+ contents: read
 uses: ./.github/workflows/ci-bundle.yml
 secrets:
 CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
@@ -148,6 +163,8 @@ jobs:
 - build-linux-flatpak
 - build-homebrew
 - build-windows
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 strategy:
 fail-fast: false
@@ -244,6 +261,8 @@ jobs:
 - build-linux
 - build-linux-flatpak
 - build-windows
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Download build artifacts
@@ -277,6 +296,8 @@ jobs:
 - release-setup
 - build-homebrew
 - release
+ permissions:
+ contents: read
 runs-on: ubuntu-latest
 steps:
 - name: Download homebrew artifacts
diff --git a/.github/workflows/localize.yml b/.github/workflows/localize.yml
index 1adc725a..ae115c9b 100644
--- a/.github/workflows/localize.yml
+++ b/.github/workflows/localize.yml
@@ -1,7 +1,6 @@
 ---
 name: localize
-permissions:
- contents: read
+permissions: {}
 on:
 push:
@@ -19,8 +18,9 @@ env: jobs: localize: name: Update Localization + permissions: + contents: read runs-on: ubuntu-latest - steps: - name: Checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/release-notifier-moonlight.yml b/.github/workflows/release-notifier-moonlight.yml
index 6575434c..428f0f46 100644
--- a/.github/workflows/release-notifier-moonlight.yml
+++ b/.github/workflows/release-notifier-moonlight.yml
@@ -11,6 +11,7 @@ jobs:
 discord:
 if: github.repository_owner == 'LizardByte'
 runs-on: ubuntu-latest
+ permissions: {}
 steps:
 - name: Check if latest GitHub release
 id: check-release
diff --git a/.github/workflows/update-pages.yml b/.github/workflows/update-pages.yml
index 2e78dd95..74b4d7e3 100644
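Review bot: release-notifier-moonlight.yml gets `permissions: {}` only on the `discord` job, while every other workflow in this commit sets the deny-by-default at workflow level and then opts in per job. The hunk starts at line 11, so the top of the file is not visible; if there is no workflow-level block there, a job added later would inherit the repository's default token permissions. For consistency with the other files, add a top-level `permissions: {}` here as well.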
--- a/.github/workflows/update-pages.yml
+++ b/.github/workflows/update-pages.yml
@@ -1,7 +1,6 @@
 ---
 name: Build GH-Pages
-permissions:
- contents: read
+permissions: {}
 on:
 pull_request:
@@ -17,6 +16,8 @@ concurrency:
 jobs:
 prep:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -32,6 +33,8 @@ jobs:
 call-jekyll-build:
 needs: prep
+ permissions:
+ contents: read
 uses: LizardByte/LizardByte.github.io/.github/workflows/jekyll-build.yml@master
 secrets:
 GH_BOT_EMAIL: ${{ secrets.GH_BOT_EMAIL }}