diff --git a/ci/gradle.yml b/ci/gradle.yml index 8e0d1e4..4642c75 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -13,6 +13,9 @@ on: pull_request: branches: [ $default-branch ] +permissions: + contents: read + jobs: build: diff --git a/ci/msbuild.yml b/ci/msbuild.yml index 3cd8f01..c50354e 100644 --- a/ci/msbuild.yml +++ b/ci/msbuild.yml @@ -15,6 +15,9 @@ env: # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix BUILD_CONFIGURATION: Release +permissions: + contents: read + jobs: build: runs-on: windows-latest diff --git a/ci/python-publish.yml b/ci/python-publish.yml index f55528c..ec70354 100644 --- a/ci/python-publish.yml +++ b/ci/python-publish.yml @@ -12,6 +12,9 @@ on: release: types: [published] +permissions: + contents: read + jobs: deploy: diff --git a/code-scanning/codescan.yml b/code-scanning/codescan.yml index 3b24d9f..92707b1 100644 --- a/code-scanning/codescan.yml +++ b/code-scanning/codescan.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: CodeScan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - name: Checkout repository diff --git a/code-scanning/ossar.yml b/code-scanning/ossar.yml index 01af5af..cbef5a2 100644 --- a/code-scanning/ossar.yml +++ b/code-scanning/ossar.yml @@ -17,10 +17,16 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: OSSAR-Scan: # OSSAR runs on windows-latest. # ubuntu-latest and macos-latest support coming soon + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: windows-latest steps: diff --git a/code-scanning/powershell.yml b/code-scanning/powershell.yml index c50f268..1d72a9b 100644 --- a/code-scanning/powershell.yml +++ b/code-scanning/powershell.yml @@ -17,8 +17,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results name: PSScriptAnalyzer runs-on: ubuntu-latest steps: diff --git a/code-scanning/snyk-container.yml b/code-scanning/snyk-container.yml index 874f43b..0fbbf87 100644 --- a/code-scanning/snyk-container.yml +++ b/code-scanning/snyk-container.yml @@ -22,8 +22,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/snyk-infrastructure.yml b/code-scanning/snyk-infrastructure.yml index f4e9b8c..a685323 100644 --- a/code-scanning/snyk-infrastructure.yml +++ b/code-scanning/snyk-infrastructure.yml @@ -21,8 +21,14 @@ on: schedule: - cron: $cron-weekly +permissions: + contents: read + jobs: snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 diff --git a/code-scanning/xanitizer.yml b/code-scanning/xanitizer.yml index 48249fc..3462eaa 100644 --- a/code-scanning/xanitizer.yml +++ b/code-scanning/xanitizer.yml @@ -42,9 +42,15 @@ on: - cron: $cron-weekly workflow_dispatch: +permissions: + contents: read + jobs: xanitizer-security-analysis: # Xanitizer runs on ubuntu-latest and windows-latest. + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-latest steps: diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 841a2fd..d7c27d9 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -40,6 +40,9 @@ env: ACR_EE_IMAGE: repo ACR_EE_TAG: ${{ github.sha }} +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest diff --git a/deployments/azure-webapps-java-jar.yml b/deployments/azure-webapps-java-jar.yml index 5f58dbf..d29b0c9 100644 --- a/deployments/azure-webapps-java-jar.yml +++ b/deployments/azure-webapps-java-jar.yml @@ -22,6 +22,7 @@ name: Build and deploy JAR app to Azure Web App env: AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App JAVA_VERSION: '11' # set this to the Java version to use + DISTRIBUTION: zulu # set this to the Java distribution on: push: @@ -40,6 +41,7 @@ jobs: uses: actions/setup-java@v3.0.0 with: java-version: ${{ env.JAVA_VERSION }} + distribution: ${{ env.DISTRIBUTION }} cache: 'maven' - name: Build with Maven