
Commit dbab370

Implement repository security checklist (#1798)
1 parent 3ba3242 commit dbab370


3 files changed

+17
-0
lines changed


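--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,10 @@ on:
   pull_request:
     branches: ['**']
 
+# Set minimal permissions by default
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ !contains(github.ref, 'main')}}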
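Review bot: The workflow-level `permissions: contents: read` added at line 9 of ci.yml removes every other GITHUB_TOKEN scope for all jobs in the file, and the hunk shows none of the jobs, so any job further down that posts check results, PR comments or packages would now need its own job-level `permissions:` block — worth confirming against the jobs outside the hunk. The same top-level block is added in example-apps.yml and in the first hunk of website.yml, so the same check applies there. The comment restates the key rather than its effect; it would be more useful as `# Restrict GITHUB_TOKEN to read-only by default; jobs that need more must declare job-level permissions`.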

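--- a/.github/workflows/example-apps.yml
+++ b/.github/workflows/example-apps.yml
@@ -8,6 +8,10 @@ on:
     branches: ['**']
     paths: ['examples/**']
 
+# Set minimal permissions by default
+permissions:
+  contents: read
+
 jobs:
   test-example:
     strategy: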

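--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -8,6 +8,10 @@ on:
     branches: ['**']
     paths: ['website/**']
 
+# Set minimal permissions by default
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ !contains(github.ref, 'main')}}
@@ -28,8 +32,13 @@ jobs:
 
   deploy:
     name: Deploy to GitHub Pages
+    # Only run on push to main (trusted event) - secrets are safe here
     if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2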
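Review bot: The comment added at line 35 of website.yml says the deploy job runs only on a push to main, but the guard on the next line, `if: github.ref == 'refs/heads/main'`, checks the ref alone and not the event; a `pull_request` run is excluded because its ref is `refs/pull/N/merge`, yet any other trigger the workflow may declare outside the hunk (e.g. a manual dispatch on main) would also satisfy it. Making the guard match the comment is a one-line change: `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`. The job-level `pages: write` and `id-token: write` grant is the appropriately narrow set for a Pages deployment on top of the read-only workflow default. The deploy job's steps continue past the end of the hunk.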
