diff --git a/.github/workflows/butterflynet.yml b/.github/workflows/butterflynet.yml
index 9da7aec542d..b39f3ab7493 100644
--- a/.github/workflows/butterflynet.yml
+++ b/.github/workflows/butterflynet.yml
@@ -1,4 +1,6 @@
 name: Butterflynet checks
+permissions:
+ contents: read
 on:
 workflow_dispatch:
 env:
diff --git a/.github/workflows/cargo-advisories.yml b/.github/workflows/cargo-advisories.yml
index 58fc2fcf7b9..a130ac4a804 100644
--- a/.github/workflows/cargo-advisories.yml
+++ b/.github/workflows/cargo-advisories.yml
@@ -1,4 +1,7 @@
 name: cargo deny advisories
+permissions:
+ contents: read
+ issues: write
 on:
 workflow_dispatch:
 schedule:
diff --git a/.github/workflows/cargo-publish-dry-run.yml b/.github/workflows/cargo-publish-dry-run.yml
index 571ad1c0f51..d08e9f6dc77 100644
--- a/.github/workflows/cargo-publish-dry-run.yml
+++ b/.github/workflows/cargo-publish-dry-run.yml
@@ -1,4 +1,9 @@
 name: cargo publish dry run
+
+permissions:
+ contents: read
+ issues: write
+
 on:
 workflow_dispatch:
 schedule:
diff --git a/.github/workflows/checkpoints.yml b/.github/workflows/checkpoints.yml
index ff3b7c59109..40829ea1c46 100644
--- a/.github/workflows/checkpoints.yml
+++ b/.github/workflows/checkpoints.yml
@@ -1,4 +1,6 @@
 name: Checkpoints Auto Update
+permissions:
+ contents: read
 on:
 workflow_dispatch:
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index fd37a830306..0066ee012d9 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -1,4 +1,6 @@
 name: Code coverage
+permissions:
+ contents: read
 # Cancel workflow if there is a new change to the branch.
 concurrency:
diff --git a/.github/workflows/curio-devnet-publish.yml b/.github/workflows/curio-devnet-publish.yml
index b019e06cc62..9f7b8685ee8 100644
--- a/.github/workflows/curio-devnet-publish.yml
+++ b/.github/workflows/curio-devnet-publish.yml
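Review bot: The `Checkpoints Auto Update` hunk grants only `contents: read`, yet the workflow name suggests it commits refreshed checkpoint data back to the repository; a workflow-level `permissions` block sets every unlisted scope to `none`, so a push made with `GITHUB_TOKEN` would now fail at the commit step. If a PAT or GitHub App token performs the push, say so next to the block, e.g. `# Pushes use a PAT/App token; GITHUB_TOKEN stays read-only.`; otherwise add `contents: write` (plus `pull-requests: write` if a PR is opened) on the job that pushes rather than at workflow level. The triggers and steps are outside the hunk, so this is inferred from the workflow name only.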
@@ -1,4 +1,7 @@
 name: Curio devnet image
+permissions:
+ contents: read
+ packages: write
 # Only build and publish this image on demand.
 # The compilation adds significant overhead to the CI and it is not supposed
diff --git a/.github/workflows/docker-dev.yml b/.github/workflows/docker-dev.yml
index a17b1b924e3..ec977bcf9ee 100644
--- a/.github/workflows/docker-dev.yml
+++ b/.github/workflows/docker-dev.yml
@@ -1,4 +1,7 @@
 name: Build Dev Docker Image
+permissions:
+ contents: read
+ packages: write
 concurrency:
 group: ${{ github.workflow }}-${{ inputs.git_ref }}
diff --git a/.github/workflows/docker-latest-tag.yml b/.github/workflows/docker-latest-tag.yml
index d28392466c1..9aa8f997b2e 100644
--- a/.github/workflows/docker-latest-tag.yml
+++ b/.github/workflows/docker-latest-tag.yml
@@ -1,6 +1,9 @@
 # Re-tag the given image and push it to the ghcr.io
 # Preserves the old tag.
 name: Docker Latest tag
+permissions:
+ contents: read
+ packages: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml
index e003f0d40cf..594bd4c51c5 100644
--- a/.github/workflows/docker-lint.yml
+++ b/.github/workflows/docker-lint.yml
@@ -1,4 +1,6 @@
 name: Docker lint
+permissions:
+ contents: read
 # Cancel workflow if there is a new change to the branch.
 concurrency:
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index b44ff2265da..dced3f98ede 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,4 +1,7 @@
 name: Forest Docker
+permissions:
+ contents: read
+ packages: write
 # Cancel workflow if there is a new change to the branch.
 concurrency:
diff --git a/.github/workflows/dockerfile-check.yml b/.github/workflows/dockerfile-check.yml
index 6f1727f090c..dcafe66e525 100644
--- a/.github/workflows/dockerfile-check.yml
+++ b/.github/workflows/dockerfile-check.yml
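Review bot: `packages: write` is granted to the entire `Forest Docker` workflow, while the `concurrency` group keyed on `github.ref` with cancel-in-progress off `main` suggests it also runs for branch and pull-request pushes that only build; those jobs have no need to push to ghcr.io. Keep `permissions: contents: read` at the top and move `packages: write` under the job that performs the push, so a build-only job (and any `pull_request_target` run, where the token is not downgraded for forks) cannot publish images. The triggers and job list are outside the hunk, so confirm against the rest of the file.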
@@ -1,5 +1,8 @@
 # Checks periodically that the Dockerfile builds successfully, and if it doesn't, it creates an issue with the error message.
 name: Dockerfile Check
+permissions:
+ contents: read
+ issues: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/docs-auto-update.yml b/.github/workflows/docs-auto-update.yml
index d18009214d4..1d7bf11f5f1 100644
--- a/.github/workflows/docs-auto-update.yml
+++ b/.github/workflows/docs-auto-update.yml
@@ -1,5 +1,7 @@
 # This workflows, run daily, updates the Forest CLI usage docs, and submits a PR with the changes.
 name: Update Forest usage docs
+permissions:
+ contents: read
 on:
 workflow_dispatch:
diff --git a/.github/workflows/docs-check.yml b/.github/workflows/docs-check.yml
index d9ff2a1b054..bec88d10f74 100644
--- a/.github/workflows/docs-check.yml
+++ b/.github/workflows/docs-check.yml
@@ -1,4 +1,6 @@
 name: Docs Check
+permissions:
+ contents: read
 # Cancel workflow if there is a new change to the branch.
 concurrency:
diff --git a/.github/workflows/docs-required-override.yml b/.github/workflows/docs-required-override.yml
index b10ed6d54d1..a523aab5235 100644
--- a/.github/workflows/docs-required-override.yml
+++ b/.github/workflows/docs-required-override.yml
@@ -2,6 +2,8 @@
 # We check that changes affect only the documentation and that no other changes are present. If this is the case, we trigger the no-op jobs.
 name: Docs Required Override
+permissions:
+ contents: read
 concurrency:
 group: "${{ github.workflow }}-${{ github.ref }}"
 cancel-in-progress: "${{ github.ref != 'refs/heads/main' }}"
diff --git a/.github/workflows/docs-rpc-auto-update.yml b/.github/workflows/docs-rpc-auto-update.yml
index e8a5922eb38..260cc7beaa6 100644
--- a/.github/workflows/docs-rpc-auto-update.yml
+++ b/.github/workflows/docs-rpc-auto-update.yml
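Review bot: The header comment of `docs-auto-update.yml` says the workflow `submits a PR with the changes`, but the new block grants only `contents: read`; since a workflow-level `permissions` block turns every unlisted scope to `none`, a PR opened with `GITHUB_TOKEN` would now fail at the push or create-PR step. If the PR is created with a PAT or GitHub App token, document that next to the block, e.g. `# PR creation uses a PAT/App token; GITHUB_TOKEN is read-only.`; otherwise give the PR-creating job its own `permissions: { contents: write, pull-requests: write }` instead of widening the workflow default. The job steps are outside the hunk, so I cannot tell which token is used.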
@@ -1,5 +1,7 @@
 # This workflow, run daily, updates the Forest RPC reference docs, and submits a PR with the changes.
 name: Update Forest RPC reference docs
+permissions:
+ contents: read
 on:
 workflow_dispatch:
diff --git a/.github/workflows/forest.yml b/.github/workflows/forest.yml
index 6b620aa3f8e..8090d0fa0fe 100644
--- a/.github/workflows/forest.yml
+++ b/.github/workflows/forest.yml
@@ -1,4 +1,7 @@
 name: Integration tests
+permissions:
+ contents: read
+ issues: write
 concurrency:
 group: "${{ github.workflow }}-${{ github.ref }}"
 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml
index 00b1aea5193..510c6907feb 100644
--- a/.github/workflows/link-check.yml
+++ b/.github/workflows/link-check.yml
@@ -1,4 +1,6 @@
 name: Link Checker
+permissions:
+ contents: read
 on:
 workflow_dispatch:
diff --git a/.github/workflows/lists-lint.yml b/.github/workflows/lists-lint.yml
index 9fd82a538b2..fa300cf5061 100644
--- a/.github/workflows/lists-lint.yml
+++ b/.github/workflows/lists-lint.yml
@@ -1,4 +1,6 @@
 name: Lists lint
+permissions:
+ contents: read
 # Cancel workflow if there is a new change to the branch.
 concurrency:
diff --git a/.github/workflows/lotus-api-bump.yml b/.github/workflows/lotus-api-bump.yml
index 1c71ea8eb92..e3db28aa7f3 100644
--- a/.github/workflows/lotus-api-bump.yml
+++ b/.github/workflows/lotus-api-bump.yml
@@ -1,6 +1,8 @@
 # This workflows, run daily, updates the Lotus version in the JSON-RPC API tests to the latest release,
 # and submits a PR with the changes.
 name: Update Lotus version in API tests
+permissions:
+ contents: read
 on:
 workflow_dispatch:
diff --git a/.github/workflows/lotus-devnet-publish.yml b/.github/workflows/lotus-devnet-publish.yml
index 1f8aed8df19..29d84557205 100644
--- a/.github/workflows/lotus-devnet-publish.yml
+++ b/.github/workflows/lotus-devnet-publish.yml
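Review bot: In `lotus-api-bump.yml` the comment states the workflow `submits a PR with the changes`, but only `contents: read` is granted, which breaks a `GITHUB_TOKEN`-based push or PR creation once the rest of the scopes default to `none`. Either confirm that a PAT or App token is used and note it, e.g. `# PR creation uses a PAT/App token; GITHUB_TOKEN stays read-only.`, or add `contents: write` and `pull-requests: write` on the PR-creating job only. The `docs-rpc-auto-update.yml` hunk earlier on this line has the same comment and the same grant, so the same check applies there; the job definitions are outside both hunks.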
@@ -1,4 +1,7 @@
 name: Lotus devnet image
+permissions:
+ contents: read
+ packages: write
 # Only build and publish this image on demand.
 # The compilation adds significant overhead to the CI and it is not supposed
diff --git a/.github/workflows/python-lint.yml b/.github/workflows/python-lint.yml
index 01e0dbcf595..b0f4b6ec602 100644
--- a/.github/workflows/python-lint.yml
+++ b/.github/workflows/python-lint.yml
@@ -1,4 +1,6 @@
 name: Python lint
+permissions:
+ contents: read
 # Cancel workflow if there is a new change to the branch.
 concurrency:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 41a3b66eed3..6be2770ffc0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,8 @@ on:
 jobs:
 build:
 name: Build
+ permissions:
+ contents: write
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -55,6 +57,8 @@ jobs:
 publish:
 name: cargo publish
+ permissions:
+ contents: read
 runs-on: ubuntu-24.04-arm
 steps:
 - uses: actions/checkout@v6
diff --git a/.github/workflows/release_dispatch.yml b/.github/workflows/release_dispatch.yml
index 8ba835dc265..3c1b4d48302 100644
--- a/.github/workflows/release_dispatch.yml
+++ b/.github/workflows/release_dispatch.yml
@@ -12,6 +12,8 @@ on:
 jobs:
 build:
 name: Build
+ permissions:
+ contents: write
 runs-on: ${{ matrix.os }}
 strategy:
 matrix:
@@ -58,6 +60,8 @@ jobs:
 prerelease: true
 publish:
 name: cargo publish
+ permissions:
+ contents: read
 runs-on: ubuntu-24.04-arm
 steps:
 - uses: actions/checkout@v6
diff --git a/.github/workflows/rpc-parity-report.yml b/.github/workflows/rpc-parity-report.yml
index 5135c717e4e..f08b8f77c16 100644
--- a/.github/workflows/rpc-parity-report.yml
+++ b/.github/workflows/rpc-parity-report.yml
@@ -1,4 +1,8 @@
 name: RPC parity conformance report
+permissions:
+ contents: write
+ issues: write
+ pull-requests: write
 on:
 workflow_dispatch:
 inputs:
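Review bot: `release.yml` receives job-level permissions for `build` and `publish` but no workflow-level `permissions` block, so any other job in the file, or one added later, still runs with the repository's default token scope, which may be read-write. Add `permissions:` / `  contents: read` at the top of the file so that `contents: write` on `build` is the only elevated grant; `release_dispatch.yml` has the same shape and needs the same default. The top of both files is outside these hunks, so confirm no workflow-level block already exists there.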
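Review bot: `rpc-parity-report.yml` is the only workflow in this change that gets `contents: write` at workflow level, together with `issues: write` and `pull-requests: write`, and it is started by `workflow_dispatch` with `inputs`; every step of every job, including the ones that only run the comparison, can then push commits with `GITHUB_TOKEN`. Keep `contents: read` at the top and attach the write scopes to the job that actually commits or opens the PR, and since the token can now write, prefer passing `inputs.*` values to shell steps via `env:` rather than `${{ }}` interpolation inside `run:`. The jobs are outside the hunk, so this is based on the top-level grant only.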
diff --git a/.github/workflows/rpc-parity.yml b/.github/workflows/rpc-parity.yml
index 132cc320bc0..492c29b7e01 100644
--- a/.github/workflows/rpc-parity.yml
+++ b/.github/workflows/rpc-parity.yml
@@ -1,4 +1,7 @@
 name: RPC parity tests
+permissions:
+ contents: read
+ issues: write
 on:
 workflow_dispatch:
 inputs:
diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml
index 65725163c5b..97c1687cf4c 100644
--- a/.github/workflows/rubocop.yml
+++ b/.github/workflows/rubocop.yml
@@ -1,4 +1,6 @@
 name: Rubocop
+permissions:
+ contents: read
 # Cancel workflow if there is a new change to the branch.
 concurrency:
diff --git a/.github/workflows/rust-lint.yml b/.github/workflows/rust-lint.yml
index c7b774ef3f1..4ef9517bfa2 100644
--- a/.github/workflows/rust-lint.yml
+++ b/.github/workflows/rust-lint.yml
@@ -1,4 +1,6 @@
 name: Rust code linters
+permissions:
+ contents: read
 # Cancel workflow if there is a new change to the branch.
 concurrency:
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 60787833a02..643df4cc80d 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -1,4 +1,6 @@
 name: Shellcheck
+permissions:
+ contents: read
 # Cancel workflow if there is a new change to the branch.
 concurrency:
diff --git a/.github/workflows/snapshot-parity.yml b/.github/workflows/snapshot-parity.yml
index d9c8ff544bf..d88ad840eac 100644
--- a/.github/workflows/snapshot-parity.yml
+++ b/.github/workflows/snapshot-parity.yml
@@ -1,4 +1,7 @@
 name: Snapshot parity test
+permissions:
+ contents: read
+ issues: write
 on:
 workflow_dispatch:
 schedule:
diff --git a/.github/workflows/this-month-in-forest-reminder.yml b/.github/workflows/this-month-in-forest-reminder.yml
index 0979f9ceefe..2efc89cf1d8 100644
--- a/.github/workflows/this-month-in-forest-reminder.yml
+++ b/.github/workflows/this-month-in-forest-reminder.yml
@@ -1,4 +1,7 @@
 name: This Month in Forest Reminder
+permissions:
+ contents: read
+ issues: write
 on:
 workflow_dispatch:
diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml
index 26d07e4d514..4f13930c0df 100644
--- a/.github/workflows/unit-tests.yml
+++ b/.github/workflows/unit-tests.yml
@@ -1,4 +1,6 @@
 name: Unit tests
+permissions:
+ contents: read
 # Cancel workflow if there is a new change to the branch.
 concurrency:
diff --git a/.github/workflows/yaml-lint.yml b/.github/workflows/yaml-lint.yml
index 3359666372a..043b9c815e2 100644
--- a/.github/workflows/yaml-lint.yml
+++ b/.github/workflows/yaml-lint.yml
@@ -1,4 +1,6 @@
 name: YAML lint
+permissions:
+ contents: read
 # Cancel workflow if there is a new change to the branch.
 concurrency: