[ci] Explicitly declare permissions and limit credentials (#15324)

Authored by: bashonly
2025-12-26 01:48:53 +00:00 · 2025-12-19 13:22:23 -06:00
parent 825648a740
commit a6a8f6b6d6
13 changed files with 96 additions and 43 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -74,8 +74,7 @@ on:
        default: true
        type: boolean

-permissions:
-  contents: read
+permissions: {}

 jobs:
  process:
@@ -186,8 +185,10 @@ jobs:
              f.write(f'matrix={json.dumps(matrix)}')

  unix:
-    needs: process
+    needs: [process]
    if: inputs.unix
+    permissions:
+      contents: read
    runs-on: ubuntu-latest
    env:
      CHANNEL: ${{ inputs.channel }}
@@ -199,6 +200,7 @@ jobs:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0  # Needed for changelog
+          persist-credentials: false

      - uses: actions/setup-python@v6
        with:
@@ -239,8 +241,10 @@ jobs:

  linux:
    name: ${{ matrix.os }} (${{ matrix.arch }})
+    needs: [process]
    if: inputs.linux || inputs.linux_armv7l || inputs.musllinux
-    needs: process
+    permissions:
+      contents: read
    runs-on: ${{ matrix.runner }}
    strategy:
      fail-fast: false
@@ -258,6 +262,8 @@ jobs:

    steps:
      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false

      - name: Cache requirements
        if: matrix.cache_requirements
@@ -308,7 +314,7 @@ jobs:
          compression-level: 0

  macos:
-    needs: process
+    needs: [process]
    if: inputs.macos
    permissions:
      contents: read
@@ -321,6 +327,9 @@ jobs:

    steps:
      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
      # NB: Building universal2 does not work with python from actions/setup-python

      - name: Cache requirements
@@ -409,7 +418,7 @@ jobs:

  windows:
    name: windows (${{ matrix.arch }})
-    needs: process
+    needs: [process]
    if: inputs.windows
    permissions:
      contents: read
@@ -451,6 +460,9 @@ jobs:

    steps:
      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+
      - uses: actions/setup-python@v6
        with:
          python-version: ${{ matrix.python_version }}
@@ -528,13 +540,13 @@ jobs:
          compression-level: 0

  meta_files:
-    if: always() && !cancelled()
    needs:
      - process
      - unix
      - linux
      - macos
      - windows
+    if: always() && !failure() && !cancelled()
    runs-on: ubuntu-latest
    steps:
      - name: Download artifacts
@@ -600,7 +612,7 @@ jobs:
          GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
        if: env.GPG_SIGNING_KEY
        run: |
-          gpg --batch --import <<< "${{ secrets.GPG_SIGNING_KEY }}"
+          gpg --batch --import <<< "${GPG_SIGNING_KEY}"
          for signfile in ./SHA*SUMS; do
            gpg --batch --detach-sign "$signfile"
          done