Merge pull request #32 from tacaswell/harden_gha

maffettone · web-flow · commit 3c04e94538de · 2025-07-09T08:38:37.000-04:00
CI: Harden GHA configuration
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Documentation
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
@@ -14,6 +16,8 @@ jobs:
     steps:
 
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v2
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
@@ -1,4 +1,6 @@
 name: Check Code Style
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
@@ -10,6 +12,8 @@ jobs:
     steps:
 
       - uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v2
 
diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml
@@ -26,7 +26,8 @@ jobs:
 
     - uses: actions/checkout@v2
       with:
-        fetch-depth: 1000  # should be enough to reach the most recent tag
+        fetch-depth: 1000
+        persist-credentials: false
 
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v2
@@ -51,7 +52,7 @@ jobs:
     - name: Deploy documentation
       # We pin to the SHA, not the tag, for security reasons.
       # https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
-      uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501  # v3.7.3
+      uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3
       with:
         deploy_key: ${{ secrets.ACTIONS_DOCUMENTATION_DEPLOY_KEY }}
         publish_branch: master
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
@@ -14,6 +14,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v2
       with:
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
@@ -1,4 +1,6 @@
 name: Unit Tests
+permissions:
+  contents: read
 
 on: [push, pull_request]
 
@@ -13,6 +15,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v2
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v2
       with:
