add token permissions for CIs

bytecodealliance · Oct 18, 2024 · f4096a4 · f4096a4
1 parent 1af4740
commit f4096a4
Show file tree

Hide file tree

Showing 20 changed files with 63 additions and 4 deletions.
diff --git a/.github/workflows/build_docker_images.yml b/.github/workflows/build_docker_images.yml
@@ -15,6 +15,9 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: write # for uploading release artifacts
+
 jobs:
   build-and-push-images:
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/build_iwasm_release.yml b/.github/workflows/build_iwasm_release.yml
@@ -31,6 +31,9 @@ on:
         type: string
         required: false
 
+permissions:
+  contents: write # for uploading release artifacts
+
 jobs:
   build:
     runs-on: ${{ inputs.runner }}

diff --git a/.github/workflows/build_llvm_libraries.yml b/.github/workflows/build_llvm_libraries.yml
@@ -27,6 +27,10 @@ on:
         description: "A cached key of LLVM libraries"
         value: ${{ jobs.build_llvm_libraries.outputs.key}}
 
+permissions:
+  contents: read
+  actions: write # for uploading cached artifact
+
 jobs:
   build_llvm_libraries:
     runs-on: ${{ inputs.os }}

diff --git a/.github/workflows/build_wamr_lldb.yml b/.github/workflows/build_wamr_lldb.yml
@@ -28,6 +28,9 @@ on:
         required: false
         default: "https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-20/wasi-sdk-20.0-linux.tar.gz"
 
+permissions:
+  contents: write # for uploading release artifacts
+
 jobs:
   try_reuse:
     uses: ./.github/workflows/reuse_latest_release_binaries.yml

diff --git a/.github/workflows/build_wamr_sdk.yml b/.github/workflows/build_wamr_sdk.yml
@@ -35,6 +35,9 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: write # for uploading release artifacts
+
 jobs:
   build:
     runs-on: ${{ inputs.runner }}

diff --git a/.github/workflows/build_wamr_vscode_ext.yml b/.github/workflows/build_wamr_vscode_ext.yml
@@ -14,6 +14,9 @@ on:
         type: string
         required: true
 
+permissions:
+  contents: write # for uploading release artifacts
+
 jobs:
   build:
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/build_wamrc.yml b/.github/workflows/build_wamrc.yml
@@ -31,6 +31,9 @@ on:
         type: string
         required: false
 
+permissions:
+  contents: write # for uploading release artifacts
+
 jobs:
   build:
     runs-on: ${{ inputs.runner }}

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -19,6 +19,11 @@ on:
   # allow to be triggered manually
   workflow_dispatch:
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
     if: github.repository == 'bytecodealliance/wasm-micro-runtime'
@@ -30,10 +35,6 @@ jobs:
     # Consider using larger runners for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-13') || 'ubuntu-22.04' }}
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
 
     strategy:
       fail-fast: false

diff --git a/.github/workflows/coding_guidelines.yml b/.github/workflows/coding_guidelines.yml
@@ -14,6 +14,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   compliance_job:
     runs-on: ubuntu-20.04

diff --git a/.github/workflows/compilation_on_android_ubuntu.yml b/.github/workflows/compilation_on_android_ubuntu.yml
@@ -70,6 +70,9 @@ env:
   MEMORY64_TEST_OPTIONS: "-s spec -W -b -P"
   MULTI_MEMORY_TEST_OPTIONS: "-s spec -E -b -P"
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries_on_ubuntu_2204:
     uses: ./.github/workflows/build_llvm_libraries.yml

diff --git a/.github/workflows/compilation_on_macos.yml b/.github/workflows/compilation_on_macos.yml
@@ -52,6 +52,9 @@ env:
   LLVM_LAZY_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=1"
   LLVM_EAGER_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0"
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries_on_intel_macos:
     uses: ./.github/workflows/build_llvm_libraries.yml

diff --git a/.github/workflows/compilation_on_nuttx.yml b/.github/workflows/compilation_on_nuttx.yml
@@ -46,6 +46,9 @@ concurrency:
 env:
   WASI_SDK_PATH: "/opt/wasi-sdk"
 
+permissions:
+  contents: read
+
 jobs:
   build_iwasm_on_nuttx:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/compilation_on_sgx.yml b/.github/workflows/compilation_on_sgx.yml
@@ -54,6 +54,9 @@ env:
   LLVM_LAZY_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=1"
   LLVM_EAGER_JIT_BUILD_OPTIONS: "-DWAMR_BUILD_AOT=1 -DWAMR_BUILD_FAST_INTERP=0 -DWAMR_BUILD_INTERP=0 -DWAMR_BUILD_JIT=1 -DWAMR_BUILD_LAZY_JIT=0"
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries:
     uses: ./.github/workflows/build_llvm_libraries.yml

diff --git a/.github/workflows/compilation_on_windows.yml b/.github/workflows/compilation_on_windows.yml
@@ -53,6 +53,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: windows-latest

diff --git a/.github/workflows/create_tag.yml b/.github/workflows/create_tag.yml
@@ -15,6 +15,9 @@ on:
         description: "the new tag just created"
         value: ${{ jobs.create_tag.outputs.new_tag}}
 
+permissions:
+  contents: write # create and push tags
+
 jobs:
   create_tag:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/hadolint_dockerfiles.yml b/.github/workflows/hadolint_dockerfiles.yml
@@ -28,6 +28,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   run-hadolint-on-dockerfiles:
     runs-on: ubuntu-22.04

diff --git a/.github/workflows/nightly_run.yml b/.github/workflows/nightly_run.yml
@@ -44,6 +44,9 @@ env:
   X86_32_TARGET_TEST_OPTIONS: "-m x86_32 -P"
   WASI_TEST_OPTIONS: "-s wasi_certification -w"
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries_on_ubuntu_2004:
     uses: ./.github/workflows/build_llvm_libraries.yml

diff --git a/.github/workflows/release_process.yml b/.github/workflows/release_process.yml
@@ -18,6 +18,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: write # for creating realease and uploading release artifacts
+
 jobs:
   create_tag:
     uses: ./.github/workflows/create_tag.yml

diff --git a/.github/workflows/reuse_latest_release_binaries.yml b/.github/workflows/reuse_latest_release_binaries.yml
@@ -22,6 +22,9 @@ on:
       result:
         value: ${{ jobs.build.outputs.result }}
 
+permissions:
+  contents: write # for creating realease and uploading release artifacts
+
 jobs:
   reuse:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/spec_test_on_nuttx.yml b/.github/workflows/spec_test_on_nuttx.yml
@@ -29,6 +29,9 @@ env:
   LLVM_CACHE_SUFFIX: "build-llvm_libraries_ex"
   WASI_SDK_PATH: "/opt/wasi-sdk"
 
+permissions:
+  contents: read
+
 jobs:
   build_llvm_libraries:
     uses: ./.github/workflows/build_llvm_libraries.yml