diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml index b65d368b..b6a2ce20 100644 --- a/.github/workflows/black.yml +++ b/.github/workflows/black.yml @@ -1,4 +1,6 @@ name: Style - BLACK +permissions: + contents: read on: [push, pull_request] @@ -7,6 +9,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: actions/setup-python@v2 with: python-version: 3.11 diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 3d2131dc..32a896ef 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -1,4 +1,6 @@ name: Documentation +permissions: + contents: read on: [push, pull_request] @@ -13,6 +15,8 @@ jobs: steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with: diff --git a/.github/workflows/docs_publish.yml b/.github/workflows/docs_publish.yml index b68875ef..46a02ef0 100644 --- a/.github/workflows/docs_publish.yml +++ b/.github/workflows/docs_publish.yml @@ -21,6 +21,8 @@ jobs: export REPOSITORY_NAME=${GITHUB_REPOSITORY#*/} echo "REPOSITORY_NAME=${REPOSITORY_NAME}" >> $GITHUB_ENV - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 with: @@ -42,7 +44,7 @@ jobs: - name: Deploy documentation to nsls-ii.github.io # We pin to the SHA, not the tag, for security reasons. # https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions - uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3 + uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3 with: deploy_key: ${{ secrets.ACTIONS_DOCUMENTATION_DEPLOY_KEY }} publish_branch: master diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml index a75461e6..db626ed5 100644 
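Review bot: `actions/checkout@v2` and `actions/setup-python@v2` in this black.yml hunk are still referenced by a mutable major tag, so the new `persist-credentials: false` setting is handed to action code that can change without a commit in this repository. The same commit pins `conda-incubator/setup-miniconda` to a commit SHA in testing.yml, and docs_publish.yml carries the comment "We pin to the SHA, not the tag, for security reasons", so the first-party actions should follow the same rule: `- uses: actions/checkout@<full-commit-sha>  # vX.Y.Z` (placeholders; take the SHA from a release you have reviewed). The same applies to the checkout hunks in docs.yml, docs_publish.yml, flake8.yml, isort.yml, python-publish.yml and testing.yml. Both actions are also several major releases past v2, so the pin is a good moment to move to a maintained release.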
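Review bot: docs_publish.yml gets `persist-credentials: false` in this hunk but no workflow-level `permissions:` block, unlike black.yml, docs.yml, flake8.yml, isort.yml and testing.yml in the same commit. The hunk starts at line 21, so a block may already exist above it; if it does not, add `permissions:` with `contents: read` at the top of the file. The deploy step in the next hunk passes `deploy_key: ${{ secrets.ACTIONS_DOCUMENTATION_DEPLOY_KEY }}`, which suggests the GITHUB_TOKEN itself needs no write scope there. python-publish.yml is in the same position: its only hunk starts at line 16 and adds no `permissions:` block. Judging by their names and the deploy key, these two workflows are the ones that handle publishing credentials, so a read-only default token matters most for them.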
--- a/.github/workflows/flake8.yml +++ b/.github/workflows/flake8.yml @@ -1,4 +1,6 @@ name: Style - FLAKE8 +permissions: + contents: read on: [push, pull_request] @@ -7,6 +9,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: actions/setup-python@v2 - name: Install Dependencies run: | diff --git a/.github/workflows/isort.yml b/.github/workflows/isort.yml index 18647070..6975d550 100644 --- a/.github/workflows/isort.yml +++ b/.github/workflows/isort.yml @@ -1,4 +1,6 @@ name: Check Code Style - ISORT +permissions: + contents: read on: [push, pull_request] @@ -7,6 +9,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - uses: actions/setup-python@v2 - name: Install Dependencies run: | diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml index 941d419b..942432ac 100644 --- a/.github/workflows/python-publish.yml +++ b/.github/workflows/python-publish.yml @@ -16,6 +16,8 @@ jobs: steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v2 with: diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml index 7256dbfa..9bae88a7 100644 --- a/.github/workflows/testing.yml +++ b/.github/workflows/testing.yml @@ -1,4 +1,6 @@ name: Tests +permissions: + contents: read on: push: @@ -43,6 +45,8 @@ jobs: steps: - uses: actions/checkout@v2 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v2 @@ -50,7 +54,7 @@ jobs: # This step is not expected to influence the test, since the test is run in Conda environment python-version: 3.9 - - uses: conda-incubator/setup-miniconda@v2 + - uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2 with: # miniforge-variant: Mambaforge miniforge-version: latest
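Review bot: The trailing comment on the new `setup-miniconda` pin in testing.yml says only `# v2`, a floating major tag, so it does not record which release the SHA belongs to and a reviewer cannot check the pin against a release without looking it up. Write the exact release in the comment, `- uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35  # v2.X.Y` (version placeholder; fill in the tag this commit corresponds to), which also lets update tooling that reads the version comment propose bumps. The context line `miniforge-version: latest` below the pin still downloads whatever installer is current at run time, so the SHA fixes the action code but not the toolchain it installs. Pinning that value to a specific Miniforge release would close the gap.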