author | honorless <[email protected]> | 2024-03-25 14:26:35 -0400 |
---|---|---|
committer | Pete Johanson <[email protected]> | 2024-06-24 13:41:03 -0600 |
commit | 7c9477be6ed3b2b05b96cb0210f9ec2724f09ad5 (patch) | |
tree | bd3f189afa9f49a6facb2400fe4dd8ca3b156e79 /.github | |
parent | 0bea7832e99a2c7cc0c33c68de8abbd2e52c844c (diff) | |
download | zmk-7c9477be6ed3b2b05b96cb0210f9ec2724f09ad5.tar.gz zmk-7c9477be6ed3b2b05b96cb0210f9ec2724f09ad5.zip |
ci(build): improve security posture
* Limit unnecessary permissions.
* Avoid storing credentials.
Diffstat (limited to '.github')
-rw-r--r-- | .github/workflows/build.yml | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 804c35f1eb..b54c9eefa9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -12,6 +12,8 @@ on:
 schedule:
 - cron: "22 4 * * *"
+permissions: {}
+
 jobs:
 build:
 if: ${{ always() }}
@@ -25,6 +27,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Cache west modules
 uses: actions/cache@v4
 env:
@@ -179,6 +183,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
@@ -335,6 +341,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
@@ -415,6 +423,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: tj-actions/changed-files@v44
 id: changed-files
 with: |
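Review bot: The workflow-level `permissions: {}` added after the `schedule` trigger also removes `contents: read`, so each Checkout step now depends on the repository being publicly readable; on a private fork or mirror the checkout would be expected to fail. No job-level `permissions:` blocks are visible in these hunks, so whether any job calls the API with `GITHUB_TOKEN` and needs its own grant cannot be confirmed from here. I would put a comment above the line, `# Default-deny GITHUB_TOKEN; grant scopes per job where needed.`, and add a job-level `contents: read` grant to the jobs that check out code if private forks are meant to build.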
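Review bot: Every action in these hunks is still referenced by a mutable tag: `actions/checkout@v4` in the hunks at new lines 27, 183, 341 and 423, `actions/cache@v4`, `actions/setup-node@v4`, and the third-party `tj-actions/changed-files@v44` in the last hunk. The code a job runs can therefore change without any commit to this repository. `persist-credentials: false` keeps the token out of `.git/config`, but a step whose tag was moved would still run with whatever the job exposes to it (workspace, cache contents, anything passed in `env`). Pinning by full commit SHA with the tag as a trailing comment closes that gap, e.g. `uses: tj-actions/changed-files@<full-commit-sha>  # v44`, and the third-party action is the one to pin first. The step lists continue outside each hunk, so other `uses:` lines may need the same treatment.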