diff --git a/.github/workflows/black.yml b/.github/workflows/black.yml
index e46b51e..c3ec149 100644
--- a/.github/workflows/black.yml
+++ b/.github/workflows/black.yml
@@ -1,4 +1,6 @@
 name: Style - BLACK
+permissions:
+ contents: read
 on: [push, pull_request]
@@ -7,6 +9,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 - name: Install Dependencies
 run: |
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 57fa344..39e4617 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,4 +1,6 @@
 name: Documentation
+permissions:
+ contents: read
 on: [push, pull_request]
@@ -19,13 +21,15 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
 with:
 python-version: 3.9
- - uses: conda-incubator/setup-miniconda@v2
+ - uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2
 with:
 channels: conda-forge
 channel-priority: flexible
diff --git a/.github/workflows/docs_publish.yml b/.github/workflows/docs_publish.yml
index a65db37..73dda87 100644
--- a/.github/workflows/docs_publish.yml
+++ b/.github/workflows/docs_publish.yml
@@ -28,13 +28,15 @@ jobs:
 export REPOSITORY_NAME=${GITHUB_REPOSITORY#*/}
 echo "REPOSITORY_NAME=${REPOSITORY_NAME}" >> $GITHUB_ENV
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
 with:
 python-version: 3.9
- - uses: conda-incubator/setup-miniconda@v2
+ - uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2
 with:
 channels: conda-forge
 channel-priority: flexible
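Review bot: `actions/checkout@v2` and `actions/setup-python@v2` in the `@@ -7,6 +9,8 @@` hunk of black.yml are still resolved through a mutable tag, while this same commit pins setup-miniconda to a commit SHA in docs.yml, docs_publish.yml and testing.yml. A moved `v2` tag would change the code that runs in the job without any change in this repository, so for consistency I would pin these the same way, e.g. `- uses: actions/checkout@<full-commit-sha>  # vX.Y.Z` (placeholders; take the SHA from a release you have reviewed). The same applies to the checkout and setup-python lines in the docs.yml, docs_publish.yml, flake8.yml, python-publish.yml and testing.yml hunks. The job definition starts and ends outside the hunk.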
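Review bot: The trailing `# v2` on the pinned `conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35` line in the docs.yml `@@ -19,13 +21,15 @@` hunk names a moving major tag, so it does not tell a later reader which release the SHA was taken from or whether it is stale. I would record the exact release the SHA belongs to, as the gh-pages step in docs_publish.yml does with `# v3.7.3`, e.g. `# vX.Y.Z` (placeholder; confirm against the action's tags). The same comment appears on the pinned line in the docs_publish.yml and testing.yml hunks.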
@@ -77,7 +79,7 @@ jobs:
 - name: Deploy documentation to nsls-ii.github.io
 # We pin to the SHA, not the tag, for security reasons.
 # https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/security-hardening-for-github-actions#using-third-party-actions
- uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3
+ uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3
 with:
 deploy_key: ${{ secrets.ACTIONS_DOCUMENTATION_DEPLOY_KEY }}
 publish_branch: master
diff --git a/.github/workflows/flake8.yml b/.github/workflows/flake8.yml
index b746a8b..424281d 100644
--- a/.github/workflows/flake8.yml
+++ b/.github/workflows/flake8.yml
@@ -1,4 +1,6 @@
 name: Style - FLAKE8
+permissions:
+ contents: read
 on: [push, pull_request]
@@ -7,6 +9,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v2
 - name: Install Dependencies
 run: |
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
index cf08702..4cfd1e4 100644
--- a/.github/workflows/python-publish.yml
+++ b/.github/workflows/python-publish.yml
@@ -16,6 +16,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python
 uses: actions/setup-python@v2
 with:
diff --git a/.github/workflows/testing.yml b/.github/workflows/testing.yml
index 2758bb2..a5ebcd1 100644
--- a/.github/workflows/testing.yml
+++ b/.github/workflows/testing.yml
@@ -1,4 +1,6 @@
 name: Tests
+permissions:
+ contents: read
 on:
 push:
@@ -24,6 +26,8 @@ jobs:
 steps:
 - uses: actions/checkout@v2
+ with:
+ persist-credentials: false
 - name: Set up Python ${{ matrix.python-version }}
 uses: actions/setup-python@v2
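Review bot: python-publish.yml gets `persist-credentials: false` in its `@@ -16,6 +16,8 @@` hunk but no top-level `permissions:` block, unlike black.yml, docs.yml, flake8.yml and testing.yml; the docs_publish.yml hunks add none either. These are the two publishing workflows (docs_publish.yml reads `secrets.ACTIONS_DOCUMENTATION_DEPLOY_KEY`), so the scope of the default `GITHUB_TOKEN` matters at least as much there as in the lint and test jobs. Unless a block already exists in lines outside these hunks, I would add `permissions:` with `contents: read` under `name:` as in the other files. The docs deployment authenticates with `deploy_key`, so read-only contents looks sufficient for it, but the publish steps of python-publish.yml are not visible here and should be checked.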
@@ -31,7 +35,7 @@ jobs:
 # This step is not expected to influence the test, since the test is run in Conda environment
 python-version: 3.9
- - uses: conda-incubator/setup-miniconda@v2
+ - uses: conda-incubator/setup-miniconda@9f54435e0e72c53962ee863144e47a4b094bfd35 # v2
 with:
 channels: conda-forge
 channel-priority: flexible