Set read-only permissions on GitHub workflows #779
Merged
Fixes #778
As per the linked issue, this workflow sets read-only top-level permissions on all workflows.

It is my understanding that the jobs in `release.yml` all require write permissions (they all set `git config`, so I assume commits will be written and pushed), so those have been given at the job level. This ensures that if a new job is added in the future that doesn't require write permissions, it'll only have read access.

If I misunderstood something and other workflows require additional permissions or some jobs in `release.yml` don't require write access, let me know and I'll fix the PR.
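
The pattern described in this pull request, as an added example that is not taken from the PR's diff or the project's workflows: a read-only top-level `permissions` block with a write override on the one job that pushes. The workflow name, trigger, job names (`publish`, `verify`), steps and the `VERSION` file are hypothetical.

```yaml
# Hypothetical workflow illustrating the layout; not the project's release.yml.
name: release
on:
  workflow_dispatch:

# Top-level default for every job in this file. Scopes not listed here
# are set to "none", so the GITHUB_TOKEN can only read repository contents.
permissions:
  contents: read

jobs:
  publish:                      # hypothetical job that commits and pushes
    runs-on: ubuntu-latest
    # A job-level block replaces the top-level one for this job only.
    permissions:
      contents: write           # needed for `git push` with the GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4
      - name: Commit and push a version bump
        run: |
          git config user.name  "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          date -u +%Y.%m.%d > VERSION      # constructed sample change
          git add VERSION
          git commit -m "Bump version"
          git push

  verify:                       # hypothetical job added later
    runs-on: ubuntu-latest
    # No job-level block: inherits `contents: read` from the top level,
    # so a push or release created from this job fails with a 403.
    steps:
      - uses: actions/checkout@v4
      - run: test -f README.md
```

A job that omits its own `permissions` block can never end up with more than the top-level grant, which is why the write scope sits on individual jobs rather than at the top of the file.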