diff --git a/.github/workflows/bump-aztec-packages-commit.yml b/.github/workflows/bump-aztec-packages-commit.yml
index 0fbad65aa9a..2cb662b455f 100644
--- a/.github/workflows/bump-aztec-packages-commit.yml
+++ b/.github/workflows/bump-aztec-packages-commit.yml
@@ -11,6 +11,9 @@ jobs:
 bump-commit:
 name: Update external repo pinned commits
 runs-on: ubuntu-22.04
+ permissions:
+ contents: write
+ pull-requests: write
 steps:
 - name: Checkout repo
 uses: actions/checkout@v5
@@ -20,7 +23,7 @@ jobs:
 - name: Check for existing PR
 id: pr-check
 run: |
- set -xue # print commands
+ set -xue # print commands
 PR_URL=$(gh pr list --repo noir-lang/noir --head bump-aztec-packages --json url --jq ".[0].url")
 echo "pr_url=$PR_URL" >> $GITHUB_OUTPUT
 env:
@@ -29,8 +32,8 @@ jobs:
 - name: Configure git
 run: |
 git config user.name noirwhal
- git config user.email tomfrench@aztecprotocol.com
-
+ git config user.email tomfrench@aztecprotocol.com
+
 - name: Update commit
 run: |
 git checkout bump-aztec-packages || git checkout -b bump-aztec-packages
diff --git a/.github/workflows/cache-cleanup.yml b/.github/workflows/cache-cleanup.yml
index bb05c5454e5..26bfa8b2dd8 100644
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -13,15 +13,17 @@ on:
 jobs:
 cleanup:
 runs-on: ubuntu-22.04
+ permissions:
+ contents: write
 steps:
 - name: Cleanup
 run: |
 gh extension install actions/gh-actions-cache
-
+
 echo "Fetching list of cache key"
 cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
- ## Setting this to not fail the workflow while deleting cache keys.
+ ## Setting this to not fail the workflow while deleting cache keys.
 set +e
 echo "Deleting caches..."
 for cacheKey in $cacheKeysForPR
diff --git a/.github/workflows/deny.yml b/.github/workflows/deny.yml
index f1465a810ac..874803accc0 100644
--- a/.github/workflows/deny.yml
+++ b/.github/workflows/deny.yml
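Review bot: The `bump-commit` job now holds a `contents: write` / `pull-requests: write` token while its first step still runs `actions/checkout@v5` on a floating major tag; for a job that can push branches to the repository, pinning the action to a full commit SHA (the pattern deny.yml already uses for cargo-deny-action) would match the hardening intent of this change. If the push and the PR creation in the later steps authenticate with a PAT rather than `GITHUB_TOKEN` (the `env:` block is cut off at the end of the second hunk), `contents: write` may be unnecessary and could be lowered to `contents: read`. The job body continues beyond the third hunk.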
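Review bot: `contents: write` looks like the wrong scope for the `cleanup` job in cache-cleanup.yml: it grants the token push access to the repository, while listing and deleting Actions caches via the REST API is governed by the `actions` permission (`actions: write` for deletion), so the block should probably read `permissions:` / `actions: write` / `contents: read`. Because the script runs `set +e` right after the comment line, a 403 from `gh actions-cache delete` would not fail the job, so an under-scoped token would go unnoticed; consider at least echoing the exit status of each delete. This assumes the `gh` calls authenticate with `GITHUB_TOKEN`; the step's `env:` block is outside the hunk.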
@@ -19,6 +19,8 @@ jobs:
 deny:
 name: deny
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 - uses: EmbarkStudios/cargo-deny-action@30f817c6f72275c6d54dc744fbca09ebc958599f
diff --git a/.github/workflows/docs-dead-links.yml b/.github/workflows/docs-dead-links.yml
index b46c5393f8d..818809ffdbf 100644
--- a/.github/workflows/docs-dead-links.yml
+++ b/.github/workflows/docs-dead-links.yml
@@ -14,6 +14,9 @@ concurrency:
 jobs:
 markdown-link-check:
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
+ issues: write
 steps:
 - uses: actions/checkout@master
 - uses: gaurav-nelson/github-action-markdown-link-check@v1
diff --git a/.github/workflows/formatting.yml b/.github/workflows/formatting.yml
index 44b4308f175..dfb01b46165 100644
--- a/.github/workflows/formatting.yml
+++ b/.github/workflows/formatting.yml
@@ -17,6 +17,8 @@ jobs:
 name: cargo clippy
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -45,6 +47,8 @@ jobs:
 name: cargo fmt
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -71,6 +75,8 @@ jobs:
 name: cargo doc
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -99,6 +105,8 @@ jobs:
 name: eslint
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -115,6 +123,8 @@ jobs:
 build-nargo:
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout Noir repo
@@ -151,6 +161,8 @@ jobs:
 name: Nargo fmt
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -180,6 +192,8 @@ jobs:
 - rustdoc
 - eslint
 - nargo_fmt
+ permissions:
+ contents: read
 steps:
 - name: Report overall success
diff --git a/.github/workflows/nightly-fuzz-test.yml b/.github/workflows/nightly-fuzz-test.yml
index b4e78b35015..b22c149f342 100644
--- a/.github/workflows/nightly-fuzz-test.yml
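Review bot: The `markdown-link-check` job is granted `issues: write` while its steps still resolve `actions/checkout@master` and `gaurav-nelson/github-action-markdown-link-check@v1`, both mutable refs; a force-pushed or compromised ref would execute with a token that can open and edit issues in the repository. Pinning both to a full commit SHA (as deny.yml does for cargo-deny-action in the hunk above) would close that gap, and `@master` in particular should not be used with a token that has any write scope. If the action only reports broken links and no later step files an issue, `issues: write` can be dropped; the rest of the job is outside the hunk.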
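Review bot: Every job in formatting.yml now repeats the identical two-line `permissions:` / `contents: read` block, which is easy to forget on the next job added to the file; a single workflow-level `permissions:` / `contents: read` at the top would set the same default for all jobs while still letting an individual job override it. Note that a job-level `permissions` key replaces the workflow-level block rather than merging with it, so any job that later needs a write scope must list every scope it uses. The top of the file is outside these hunks, so I cannot tell whether a workflow-level default already exists.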
+++ b/.github/workflows/nightly-fuzz-test.yml
@@ -19,6 +19,8 @@ env:
 jobs:
 ast-fuzz:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@v5
diff --git a/.github/workflows/publish-acvm.yml b/.github/workflows/publish-acvm.yml
index 00400a5133a..341f3742315 100644
--- a/.github/workflows/publish-acvm.yml
+++ b/.github/workflows/publish-acvm.yml
@@ -11,6 +11,8 @@ jobs:
 publish:
 name: Publish in order
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v5
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
index 037c7d70e91..579a6ebb1b8 100644
--- a/.github/workflows/publish-docs.yml
+++ b/.github/workflows/publish-docs.yml
@@ -11,6 +11,8 @@ jobs:
 publish-docs:
 name: Publish docs
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 steps:
 - name: Checkout release branch
diff --git a/.github/workflows/publish-nargo.yml b/.github/workflows/publish-nargo.yml
index b31fe7be727..400d8894815 100644
--- a/.github/workflows/publish-nargo.yml
+++ b/.github/workflows/publish-nargo.yml
@@ -31,6 +31,8 @@ jobs:
 matrix:
 target: [x86_64-apple-darwin, aarch64-apple-darwin]
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -128,6 +130,8 @@ jobs:
 matrix:
 target: [x86_64-unknown-linux-gnu, x86_64-unknown-linux-musl, aarch64-unknown-linux-gnu]
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
diff --git a/.github/workflows/pull-request-title.yml b/.github/workflows/pull-request-title.yml
index 4f15c9dbe88..35bb01b16eb 100644
--- a/.github/workflows/pull-request-title.yml
+++ b/.github/workflows/pull-request-title.yml
@@ -16,6 +16,8 @@ jobs:
 conventional-title:
 name: Validate PR title is Conventional Commit
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 steps:
 - name: Check title
 if: github.event_name == 'pull_request_target'
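Review bot: The `conventional-title` job runs under `pull_request_target`, where the PR title is attacker-controlled input from any fork and the job has access to repository secrets, so the read-only token added here is necessary but not sufficient; the body of the `Check title` step is outside the hunk, so I cannot see how the title is consumed. If it is interpolated directly into a `run:` script as `${{ github.event.pull_request.title }}`, that is a shell-injection vector regardless of token scope; pass it through `env:` (`env:` / `TITLE: ${{ github.event.pull_request.title }}`) and reference `"$TITLE"` instead. The same trigger also warrants confirming the job never checks out the PR head ref.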
diff --git a/.github/workflows/recrawler.yml b/.github/workflows/recrawler.yml
index 808e5819353..986e34e9d62 100644
--- a/.github/workflows/recrawler.yml
+++ b/.github/workflows/recrawler.yml
@@ -8,6 +8,8 @@ jobs:
 algolia_recrawl:
 name: Algolia Recrawl
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 steps:
 - name: Algolia crawler creation and crawl
 uses: algolia/algoliasearch-crawler-github-actions@v1.1.0
diff --git a/.github/workflows/rustdoc.yml b/.github/workflows/rustdoc.yml
index b936f43ad21..8bd765bac6e 100644
--- a/.github/workflows/rustdoc.yml
+++ b/.github/workflows/rustdoc.yml
@@ -14,6 +14,8 @@ jobs:
 build:
 name: Build
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 steps:
 - name: Checkout repository
 uses: actions/checkout@v5
@@ -54,6 +56,8 @@ jobs:
 name: Deploy
 runs-on: ubuntu-22.04
 needs: build
+ permissions:
+ contents: read
 steps:
 - uses: actions/checkout@v5
 with:
diff --git a/.github/workflows/spellcheck.yml b/.github/workflows/spellcheck.yml
index 3956c83be73..7411db8fcbc 100644
--- a/.github/workflows/spellcheck.yml
+++ b/.github/workflows/spellcheck.yml
@@ -11,6 +11,8 @@ jobs:
 code:
 name: Code
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v5
@@ -26,6 +28,8 @@ jobs:
 docs:
 name: Documentation
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
 uses: actions/checkout@v5
diff --git a/.github/workflows/test-js-packages.yml b/.github/workflows/test-js-packages.yml
index 9a5f082b07c..63a452bf226 100644
--- a/.github/workflows/test-js-packages.yml
+++ b/.github/workflows/test-js-packages.yml
@@ -16,6 +16,8 @@ jobs:
 critical-library-list:
 name: Load critical library list
 runs-on: ubuntu-22.04
+ permissions:
+ contents: read
 outputs:
 libraries: ${{ steps.get_critical_libraries.outputs.libraries }}
@@ -35,6 +37,8 @@ jobs:
 yarn-lock:
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
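Review bot: Pinning the `Deploy` job in rustdoc.yml to `contents: read` will break the deployment if any later step pushes with `GITHUB_TOKEN` (for example a gh-pages publishing action), because a job-level `permissions` block replaces the default token scope rather than narrowing it; the steps after `actions/checkout@v5` / `with:` are outside the hunk, so this needs checking against the full job before merging. If the deploy goes through an external service with its own secret, `contents: read` is correct and a one-line comment such as `# deploy authenticates with its own secret; GITHUB_TOKEN only needs read` would save the next reader the same question.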
@@ -48,6 +52,8 @@ jobs:
 build-nargo:
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout Noir repo
@@ -77,6 +83,8 @@ jobs:
 build-noir-execute:
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout Noir repo
@@ -106,6 +114,8 @@ jobs:
 build-noirc-abi:
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout Noir repo
@@ -140,6 +150,8 @@ jobs:
 build-noir-wasm:
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
@@ -177,6 +189,8 @@ jobs:
 build-acvm-js:
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
@@ -215,6 +229,8 @@ jobs:
 name: ACVM JS (Node.js)
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
@@ -237,6 +253,8 @@ jobs:
 name: ACVM JS (Browser)
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
@@ -264,6 +282,8 @@ jobs:
 name: noirc_abi
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
@@ -294,6 +314,8 @@ jobs:
 name: Noir JS
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -332,6 +354,8 @@ jobs:
 name: noir_wasm
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout sources
@@ -368,6 +392,8 @@ jobs:
 name: noir_codegen
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -407,6 +433,8 @@ jobs:
 runs-on: ubuntu-24.04
 needs: [build-acvm-js, build-noir-wasm, build-nargo, build-noirc-abi]
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -458,6 +486,8 @@ jobs:
 runs-on: ubuntu-22.04
 needs: [build-acvm-js, build-noir-wasm, build-noirc-abi]
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -505,6 +535,8 @@ jobs:
 runs-on: ubuntu-24.04
 needs: [build-nargo, build-noir-execute, build-acvm-js, build-noirc-abi]
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -559,6 +591,8 @@ jobs:
 needs: [build-nargo, critical-library-list]
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -637,10 +671,12 @@ jobs:
 fi
 compile-noir-contracts:
+ name: Compile `noir-contracts` zero inliner aggressiveness
 needs: [build-nargo]
 runs-on: ubuntu-22.04
 timeout-minutes: 30
- name: Compile `noir-contracts` zero inliner aggressiveness
+ permissions:
+ contents: read
 steps:
 - name: Checkout
 uses: actions/checkout@v5
@@ -734,6 +770,8 @@ jobs:
 - test-integration-browser
 - test-examples
 - compile-noir-contracts
+ permissions:
+ contents: read
 steps:
 - name: Report overall success
diff --git a/.github/workflows/test-rust-workspace-arm64.yml b/.github/workflows/test-rust-workspace-arm64.yml
index c6a82fc8c98..a9bb6fc3301 100644
--- a/.github/workflows/test-rust-workspace-arm64.yml
+++ b/.github/workflows/test-rust-workspace-arm64.yml
@@ -16,6 +16,8 @@ jobs:
 name: Build test artifacts
 runs-on: macos-latest
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -53,6 +55,8 @@ jobs:
 runs-on: macos-latest
 needs: [build-test-artifacts]
 timeout-minutes: 15
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -90,6 +94,8 @@ jobs:
 if: ${{ always() }}
 needs:
 - run-tests
+ permissions:
+ contents: read
 steps:
 - name: Report overall success
diff --git a/.github/workflows/test-rust-workspace-msrv.yml b/.github/workflows/test-rust-workspace-msrv.yml
index 293e07fdf07..228b431549a 100644
--- a/.github/workflows/test-rust-workspace-msrv.yml
+++ b/.github/workflows/test-rust-workspace-msrv.yml
@@ -23,6 +23,8 @@ jobs:
 name: Build test artifacts
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -67,6 +69,8 @@ jobs:
 runs-on: ubuntu-22.04
 needs: [build-test-artifacts]
 timeout-minutes: 15
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -104,6 +108,8 @@ jobs:
 if: ${{ always() }}
 needs:
 - run-tests
+ permissions:
+ contents: read
 steps:
 - name: Report overall success
diff --git a/.github/workflows/test-rust-workspace.yml b/.github/workflows/test-rust-workspace.yml
index c336e4972be..b9dc27f1bd2 100644
--- a/.github/workflows/test-rust-workspace.yml
+++ b/.github/workflows/test-rust-workspace.yml
@@ -17,6 +17,8 @@ jobs:
 name: Build test artifacts
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
 steps:
 - name: Checkout
@@ -54,6 +56,8 @@ jobs:
 runs-on: ubuntu-22.04
 needs: [build-test-artifacts]
 timeout-minutes: 15
+ permissions:
+ contents: read
 strategy:
 fail-fast: false
 matrix:
@@ -89,6 +93,9 @@ jobs:
 name: Check for pending snapshots
 runs-on: ubuntu-22.04
 timeout-minutes: 30
+ permissions:
+ contents: read
+
 steps:
 - name: Checkout
@@ -110,6 +117,8 @@ jobs:
 needs:
 - run-tests
 - check-pending-snapshots
+ permissions:
+ contents: read
 steps:
 - name: Report overall success