[build, test] Harden workflows' security (#5410)

Authored by: sashashura
pull/5491/head
Alex 2 years ago committed by GitHub
parent ed6bec168d
commit c789fb7787
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -1,8 +1,12 @@
name: Build name: Build
on: workflow_dispatch on: workflow_dispatch
permissions:
contents: read
jobs: jobs:
prepare: prepare:
permissions:
contents: write # for push_release
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs: outputs:
version_suffix: ${{ steps.version_suffix.outputs.version_suffix }} version_suffix: ${{ steps.version_suffix.outputs.version_suffix }}
@ -69,9 +73,6 @@ jobs:
python pyinst.py --onedir python pyinst.py --onedir
(cd ./dist/yt-dlp_linux && zip -r ../yt-dlp_linux.zip .) (cd ./dist/yt-dlp_linux && zip -r ../yt-dlp_linux.zip .)
python pyinst.py python pyinst.py
- name: Get SHA2-SUMS
id: get_sha
run: |
- name: Upload artifacts - name: Upload artifacts
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
@ -248,6 +249,8 @@ jobs:
publish_release: publish_release:
permissions:
contents: write # for action-gh-release
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [prepare, build_unix, build_windows, build_windows32, build_macos, build_macos_legacy] needs: [prepare, build_unix, build_windows, build_windows32, build_macos, build_macos_legacy]
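Review bot: In `publish_release`, `contents: write # for action-gh-release` gives a write-scoped GITHUB_TOKEN to an action whose `uses:` line lies outside this hunk, so how it is pinned cannot be checked from here. If it is referenced by a mutable tag, as `actions/upload-artifact@v3` is in the second hunk, a retagged version of that action would run with repository write access. Consider pinning it to a full commit SHA and keeping the version as a trailing comment, e.g. `uses: <owner>/<action>@<full-commit-sha>  # <version>` (placeholder values). In `prepare`, the write grant likewise covers every step of the job, not only the push_release step the comment names. Both job bodies continue outside the hunks shown.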

@ -1,5 +1,8 @@
name: Core Tests name: Core Tests
on: [push, pull_request] on: [push, pull_request]
permissions:
contents: read
jobs: jobs:
tests: tests:
name: Core Tests name: Core Tests

@ -1,5 +1,8 @@
name: Download Tests name: Download Tests
on: [push, pull_request] on: [push, pull_request]
permissions:
contents: read
jobs: jobs:
quick: quick:
name: Quick Download Tests name: Quick Download Tests

@ -1,5 +1,8 @@
name: Quick Test name: Quick Test
on: [push, pull_request] on: [push, pull_request]
permissions:
contents: read
jobs: jobs:
tests: tests:
name: Core Test name: Core Test
