To: vim_dev@googlegroups.com Subject: Patch 9.0.0593 Fcc: outbox From: Bram Moolenaar Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ------------ Patch 9.0.0593 Problem: CI actions have too many permissions. Solution: Restrict permissions to what is required. (closes #11223) Files: .github/workflows/ci.yml, .github/workflows/codeql-analysis.yml, .github/workflows/coverity.yml *** ../vim-9.0.0592/.github/workflows/ci.yml 2022-09-24 13:00:50.462659700 +0100 --- .github/workflows/ci.yml 2022-09-26 15:48:22.684145743 +0100 *************** *** 12,17 **** --- 12,20 ---- group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true + permissions: + contents: read # to fetch code (actions/checkout) + jobs: linux: runs-on: ubuntu-20.04 *** ../vim-9.0.0592/.github/workflows/codeql-analysis.yml 2022-06-01 21:23:55.000000000 +0100 --- .github/workflows/codeql-analysis.yml 2022-09-26 15:48:22.684145743 +0100 *************** *** 21,28 **** --- 21,35 ---- group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }} cancel-in-progress: true + permissions: + contents: read # to fetch code (actions/checkout) + jobs: analyze: + permissions: + contents: read # to fetch code (actions/checkout) + security-events: write # (github/codeql-action/autobuild) + name: Analyze runs-on: ubuntu-latest *** ../vim-9.0.0592/.github/workflows/coverity.yml 2022-08-28 17:59:02.544645487 +0100 --- .github/workflows/coverity.yml 2022-09-26 15:48:22.684145743 +0100 *************** *** 4,9 **** --- 4,12 ---- - cron: '42 0 * * *' # Run once per day, to avoid Coverity's submission limits workflow_dispatch: + permissions: + contents: read # to fetch code (actions/checkout) + jobs: scan: runs-on: ubuntu-20.04 *** ../vim-9.0.0592/src/version.c 2022-09-26 15:18:43.782952802 +0100 --- src/version.c 2022-09-26 15:50:23.011722679 +0100 *************** *** 
701,702 **** --- 701,704 ---- { /* Add new patch number below this line */ + /**/ + 593, /**/ -- Rule #1: Don't give somebody a tool that he's going to hurt himself with. /// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\ /// \\\ \\\ sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ /// \\\ help me help AIDS victims -- http://ICCF-Holland.org ///
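Review bot: In .github/workflows/ci.yml, the new top-level `permissions:` block applies to every job in the workflow and sets every scope not listed to none, but the hunk only shows the start of the `linux` job. Worth confirming that no other job in this file uses GITHUB_TOKEN for anything beyond checkout. If one does, give that job its own `permissions:` block, as the `analyze` job gets in codeql-analysis.yml, rather than widening the workflow-level default.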
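Review bot: In .github/workflows/codeql-analysis.yml, the comment on `security-events: write` in the `analyze` job only names an action, `# (github/codeql-action/autobuild)`, while the `contents: read` lines state what the access is for. Suggest giving the purpose in the same "to ..." form, since this is the only write scope the patch grants and a later reader should be able to tell why it is there. The repeated `contents: read` at job level is needed, because a job-level `permissions:` block replaces the workflow-level one instead of adding to it; a short comment saying so would keep it from being removed as a duplicate.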