GitHub Workflows security hardening #2938

Merged
merged 1 commit into from Oct 4, 2022
43 changes: 43 additions & 0 deletions .github/workflows/bors.yml
Expand Up @@ -6,8 +6,13 @@ on:
- auto-libc
- try

permissions: {}
jobs:
docker_linux_tier1:
permissions:
actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
contents: read # to fetch code (actions/checkout)

name: Docker Linux Tier1
runs-on: ubuntu-22.04
strategy:
Expand All @@ -28,6 +33,10 @@ jobs:
run: LIBC_CI=1 sh ./ci/run-docker.sh ${{ matrix.target }}

macos:
permissions:
actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
contents: read # to fetch code (actions/checkout)

name: macOS
runs-on: macos-12
strategy:
Expand All @@ -47,6 +56,10 @@ jobs:
run: LIBC_CI=1 sh ./ci/run.sh ${{ matrix.target }}

windows:
permissions:
actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
contents: read # to fetch code (actions/checkout)

name: Windows
runs-on: windows-2022
env:
Expand Down Expand Up @@ -83,6 +96,10 @@ jobs:
shell: bash

style_check:
permissions:
actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
contents: read # to fetch code (actions/checkout)

name: Style check
runs-on: ubuntu-22.04
steps:
Expand All @@ -96,6 +113,10 @@ jobs:
run: sh ci/style.sh

docker_linux_tier2:
permissions:
actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
contents: read # to fetch code (actions/checkout)

name: Docker Linux Tier2
needs: [docker_linux_tier1, style_check]
runs-on: ubuntu-22.04
Expand Down Expand Up @@ -154,6 +175,10 @@ jobs:
# These targets are tier 3 or otherwise need to have CI build std via -Zbuild-std.
# Because of this, only the nightly compiler can be used on these targets.
docker_linux_build_std:
permissions:
actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
contents: read # to fetch code (actions/checkout)

if: ${{ false }} # This is currently broken
name: Docker Linux Build-Std Targets
needs: [docker_linux_tier1, style_check]
Expand All @@ -177,6 +202,10 @@ jobs:

# devkitpro's pacman needs to be connected from Docker.
docker_switch:
permissions:
actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
contents: read # to fetch code (actions/checkout)

name: Docker Switch
needs: [docker_linux_tier1, style_check]
runs-on: ubuntu-22.04
Expand All @@ -191,6 +220,10 @@ jobs:
run: LIBC_CI=1 sh ./ci/run-docker.sh switch

build_channels_linux:
permissions:
actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
contents: read # to fetch code (actions/checkout)

name: Build Channels Linux
needs: docker_linux_tier2
runs-on: ubuntu-22.04
Expand Down Expand Up @@ -221,6 +254,9 @@ jobs:
run: LIBC_CI=1 TOOLCHAIN=${{ matrix.toolchain }} sh ./ci/build.sh

build_channels_macos:
permissions:
contents: read # to fetch code (actions/checkout)

name: Build Channels macOS
needs: macos
runs-on: macos-12
Expand Down Expand Up @@ -251,6 +287,9 @@ jobs:
run: LIBC_CI=1 TOOLCHAIN=${{ matrix.toolchain }} sh ./ci/build.sh

build_channels_windows:
permissions:
contents: read # to fetch code (actions/checkout)

name: Build Channels Windows
runs-on: windows-2022
env:
Expand Down Expand Up @@ -301,6 +340,10 @@ jobs:
run: sh ci/semver.sh macos

docs:
permissions:
actions: write # to cancel workflows (rust-lang/simpleinfra/github-actions/cancel-outdated-builds)
contents: read # to fetch code (actions/checkout)

name: Generate documentation
runs-on: ubuntu-22.04
needs: docker_linux_tier2
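Review bot: `actions: write` in each job's new `permissions:` block is the one write scope this hardening keeps, and it is wider than the cancel step needs: on GITHUB_TOKEN it allows cancelling, re-running and deleting runs, logs and artifacts for every workflow in the repository, and the token is reachable by the `sh ./ci/run-docker.sh` / `sh ./ci/run.sh` / `sh ./ci/build.sh` steps in those jobs (actions/checkout persists it in the checkout's git config unless `persist-credentials: false` is set). If the simpleinfra cancel-outdated-builds action does what its name suggests — cancel older runs of this workflow on the same branch — the native `concurrency` key gives the same result with no token scope at all: add at workflow level `concurrency:` / `  group: ${{ github.workflow }}-${{ github.ref }}` / `  cancel-in-progress: true`, drop the cancel step, and every job can keep only `contents: read`. Separately, the 43 added lines are all visible here and none of them touch the job whose tail appears at `run: sh ci/semver.sh macos`, so under the new workflow-level `permissions: {}` that job's token carries no scopes; if it checks out code or otherwise uses the token it needs its own `permissions:` block with `contents: read` — worth confirming on a green bors run before relying on this.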
3 changes: 3 additions & 0 deletions .github/workflows/main.yml
Expand Up @@ -7,6 +7,9 @@ on:
branches:
- master

permissions:
contents: read # to fetch code (actions/checkout)

jobs:
docker_linux_tier1:
name: Docker Linux Tier1