
5 Commits

Author SHA1 Message Date
Gara Dorta
68ecd0df66
Merge 82f71512129b1d32603a6b5c695f5287e652b864 into db63fd15e0bc2e2de4cff0b1969b12c23508a8d7 2026-05-10 23:23:47 +01:00
Bernhard B.
db63fd15e0
Merge pull request #848 from arnehuang/add-permissions-block
Add empty permissions block at workflow level
2026-05-10 23:03:19 +02:00
Bernhard B.
650367e88a
Merge pull request #847 from arnehuang/pin-actions-checkout-sha
Pin actions/checkout to a commit SHA
2026-05-10 23:02:13 +02:00
Arne Huang
69457e8f81 Add empty permissions block at workflow level
Caps GITHUB_TOKEN's blast radius. None of these workflows need any
GitHub API write scope — they only push to Docker Hub — so the safest
default is permissions: {}, matching the posture used by AsamK/signal-cli.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 10:00:28 -07:00
Arne Huang
2e8171d84c Pin actions/checkout to a commit SHA
Follow-up to #838: actions/checkout was the only third-party action
left on a mutable ref (@master). Pin it to v6.0.2's commit SHA, matching
the pattern used for docker/setup-qemu-action, docker/setup-buildx-action,
and docker/login-action.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 09:56:36 -07:00
3 changed files with 11 additions and 5 deletions


@ -8,6 +8,8 @@ on:
branches:
- '**' #every branch
permissions: {}
jobs:
setup:
runs-on: ubuntu-24.04
@ -25,7 +27,7 @@ jobs:
runs-on: ubuntu-24.04
needs: setup
steps:
- uses: actions/checkout@master
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.ref }}
- name: Login to Docker Hub
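Review bot: The pinned checkout step still runs with the default `persist-credentials` setting, so the job token stays configured for later git commands even though `permissions: {}` has reduced it to almost nothing. The commit message says these workflows push to Docker Hub, so the checked-out workspace may become image build context; I would add `persist-credentials: false` under the existing `with:` next to `ref: ${{ github.ref }}`. Separately, the empty workflow-level block lets checkout succeed only while the repository is publicly readable; a job that later needs private contents or an API call will need its own job-level entry such as `permissions: { contents: read }`. The same two changes appear in the other two workflow files in this compare, and the `steps:` list continues past the end of the hunk.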


@ -7,6 +7,8 @@ on:
description: 'Version'
required: true
permissions: {}
jobs:
setup:
@ -24,7 +26,7 @@ jobs:
runs-on: ubuntu-24.04
needs: setup
steps:
- uses: actions/checkout@master
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.ref }}
- name: Login to Docker Hub
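Review bot: The pin on `actions/checkout` is only as trustworthy as the match between the 40-character SHA and its `# v6.0.2` comment, and nothing on this page verifies that match. Before merging, confirm that the SHA resolves to that tag in the upstream `actions/checkout` repository itself rather than in a fork's object space. A pinned SHA also stops picking up upstream fixes, so it needs an update path if the repository does not already have one, for example a Dependabot entry with `package-ecosystem: "github-actions"`. The same line is changed in the other two workflow files in this compare.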


@ -7,6 +7,8 @@ on:
description: 'Version'
required: true
permissions: {}
jobs:
setup:
@ -24,7 +26,7 @@ jobs:
runs-on: ubuntu-24.04
needs: setup
steps:
- uses: actions/checkout@master
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ github.ref }}
- name: Login to Docker Hub