From a1e3a48b9715b671f9f6eddfde6adfddee33086a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Maciej=20Jastrze=CC=A8bski?=
Date: Wed, 16 Jul 2025 18:15:53 +0200
Subject: [PATCH] secuirty measures

---
 .github/workflows/ci.yml | 4 ++++
 .github/workflows/example-apps.yml | 4 ++++
 .github/workflows/website.yml | 9 +++++++++
 3 files changed, 17 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b18ba65e..6c4d92f6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,10 @@ on:
 pull_request:
 branches: ['**']
 
+# Set minimal permissions by default
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ !contains(github.ref, 'main')}}
diff --git a/.github/workflows/example-apps.yml b/.github/workflows/example-apps.yml
index 28de40c3..460a1e3e 100644
--- a/.github/workflows/example-apps.yml
+++ b/.github/workflows/example-apps.yml
@@ -8,6 +8,10 @@ on:
 branches: ['**']
 paths: ['examples/**']
 
+# Set minimal permissions by default
+permissions:
+ contents: read
+
 jobs:
 test-example:
 strategy:
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
index 6c69a957..72543818 100644
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -8,6 +8,10 @@ on:
 branches: ['**']
 paths: ['website/**']
 
+# Set minimal permissions by default
+permissions:
+ contents: read
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: ${{ !contains(github.ref, 'main')}}
@@ -28,8 +32,13 @@ jobs:
 
 deploy:
 name: Deploy to GitHub Pages
+ # Only run on push to main (trusted event) - secrets are safe here
 if: github.ref == 'refs/heads/main'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pages: write
+ id-token: write
 steps:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
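Review bot: The top-level `permissions: contents: read` added in the ci.yml hunk applies to every job in the workflow, and the jobs themselves are outside this hunk: any step that uses `GITHUB_TOKEN` for more than checkout (posting a PR comment, uploading SARIF, creating a release) will now fail with HTTP 403 until that scope is granted. Keep the read-only default and add scopes on the single job that needs them, e.g. `permissions: { contents: read, pull-requests: write }`, rather than widening the workflow-level block. Note also that this only constrains the workflow token; `pull_request` runs from forks already receive a read-only token, so the hardening mainly affects same-repo branches and any `push` trigger declared above the hunk.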
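Review bot: The comment `# Set minimal permissions by default` in the example-apps.yml hunk does not explain why `contents: read` rather than `permissions: {}` is the floor, which invites a later "tightening" that would break checkout. Suggest `# Default GITHUB_TOKEN scope for all jobs: read-only checkout; any job needing more must request it explicitly` so the intent survives the next edit. The `test-example` matrix job whose steps follow this hunk is not visible here, so whether it needs anything beyond `contents: read` cannot be confirmed from the diff.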
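Review bot: The `cancel-in-progress: ${{ !contains(github.ref, 'main')}}` line that closes the first website.yml hunk is a substring test, so a ref such as `refs/heads/maintenance` is also treated as protected and its in-flight runs are never cancelled; this is pre-existing context rather than part of this commit, but since the file is being hardened it is a cheap fix. Use an exact comparison instead: `cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}`. The added top-level `permissions: contents: read` is the right default for this workflow given the deploy job below declares its own wider scopes.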
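Review bot: The new comment `# Only run on push to main (trusted event) - secrets are safe here` promises more than the `if:` condition directly below it enforces: `github.ref == 'refs/heads/main'` checks only the ref, so a `workflow_dispatch` or `schedule` run on main would also pass should such triggers exist or be added later (the workflow's trigger list sits above the hunk and is only partly visible). Make the guard match the comment with `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`. The job-level `permissions` block correctly overrides the read-only workflow default with what a Pages deployment needs (`pages: write`, `id-token: write` for the OIDC token, `contents: read` for checkout), and the checkout action is pinned to a full SHA, which is the right pattern for a job that holds deploy scopes.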