
Commit c87ef3b

authored
Enforce default permissions at the workflow level (#17)
1 parent 7fd8759 commit c87ef3b


2 files changed

+24
-1
lines changed


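--- a/packages/pkl.impl.ghactions/PklCI.pkl
+++ b/packages/pkl.impl.ghactions/PklCI.pkl
@@ -27,6 +27,7 @@ import "actions/PublishUnitTestResult.pkl"
 ///
 /// * [Workflow.On.pull_request]
 /// * [Workflow.name]
+/// * [Workflow.permissions]
 ///
 /// This turns into a workflow called "Pull Request".
 prb: Workflow
@@ -36,6 +37,7 @@ prb: Workflow
 /// The following fields are amended with additional settings:
 /// * [Workflow.On.push]
 /// * [Workflow.name]
+/// * [Workflow.permissions]
 ///
 /// This turns into a workflow called "Build (main)".
 main: Workflow
@@ -45,6 +47,7 @@ main: Workflow
 /// The following fields are amended with additional settings:
 /// * [Workflow.On.push]
 /// * [Workflow.name]
+/// * [Workflow.permissions]
 ///
 /// This turns into a workflow called "Build".
 build: Workflow
@@ -54,6 +57,7 @@ build: Workflow
 /// The following fields are amended with additional settings:
 /// * [Workflow.On.push]
 /// * [Workflow.name]
+/// * [Workflow.permissions]
 ///
 /// This turns into a workflow called "Release".
 release: Workflow?
@@ -63,6 +67,7 @@ release: Workflow?
 /// The following fields are amended with additional settings:
 /// * [Workflow.On.push]
 /// * [Workflow.name]
+/// * [Workflow.permissions]
 ///
 /// This turns into a workflow called "Build (release branch)".
 releaseBranch: Workflow?
@@ -106,6 +111,9 @@ class TestReports {
 
 local effectiveBuildWorkflow = (build) {
 name = "Build"
+permissions = new {
+contents = "read"
+}
 on {
 push {
 `branches-ignore` {
@@ -122,6 +130,9 @@ local effectiveBuildWorkflow = (build) {
 
 local effectiveReleaseBranchWorkflow = (build) {
 name = "Build (release branch)"
+permissions = new {
+contents = "read"
+}
 on {
 push {
 branches {
@@ -137,6 +148,9 @@ local effectiveReleaseBranchWorkflow = (build) {
 
 local effectiveMainWorkflow = (main) {
 name = "Build (main)"
+permissions = new {
+contents = "read"
+}
 on {
 push {
 branches {
@@ -158,6 +172,9 @@ local effectiveMainWorkflow = (main) {
 /// published here.
 local effectivePrbWorkflow = (prb) {
 name = "Pull Request"
+permissions = new {
+contents = "read"
+}
 on {
 pull_request {}
 }
@@ -166,6 +183,9 @@ local effectivePrbWorkflow = (prb) {
 
 local effectiveReleaseWorkflow = (release) {
 name = "Release"
+permissions = new {
+contents = "read"
+}
 on {
 push {
 tags {
@@ -184,6 +204,9 @@ local effectiveReleaseWorkflow = (release) {
 
 local testReportWorkflow: Workflow = new {
 name = "PR Test Reports"
+permissions = new {
+contents = "read"
+}
 
 on {
 workflow_run {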
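Review bot: The `permissions = new { contents = "read" }` assignment in effectiveBuildWorkflow, repeated in effectiveReleaseBranchWorkflow, effectiveMainWorkflow, effectivePrbWorkflow, effectiveReleaseWorkflow and testReportWorkflow, replaces whatever workflow-level `permissions` the amended input carried, so a consumer that configured, say, `contents: write` on `release` loses it silently — assuming `=` on an amended object overrides rather than merges, as it does for `name`. Because listing any permission key makes GitHub treat every unlisted scope as `none`, any job that creates releases or publishes check results (the file imports `actions/PublishUnitTestResult.pkl`) now depends on a job-level `permissions` block, which this commit does not add and which I cannot see from here. The new doc lines only say `[Workflow.permissions]` is amended; I would state the effect, e.g. `/// * [Workflow.permissions] (reset to contents: read; grant anything further at the job level)`, on each of the five property docs. Each effective-workflow body continues past its hunk.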

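--- a/packages/pkl.impl.ghactions/PklProject
+++ b/packages/pkl.impl.ghactions/PklProject
@@ -17,7 +17,7 @@
 amends "../basePklProject.pkl"
 
 package {
-version = "0.3.1"
+version = "0.3.2"
 }
 
 dependencies {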
