diff --git a/.github/workflows/cmake_build.yml b/.github/workflows/cmake_build.yml index fbea93b4d..660d381d8 100644 --- a/.github/workflows/cmake_build.yml +++ b/.github/workflows/cmake_build.yml @@ -11,6 +11,20 @@ defaults: run: shell: bash +# See https://docs.github.com/en/rest/reference/permissions-required-for-github-apps +# for information on what these individual permissions represent/control +permissions: + actions: none + checks: none + contents: read + deployments: none + issues: none + packages: read + pull-requests: none + repository-projects: none + security-events: none + statuses: read + jobs: skip_test: @@ -18,16 +32,6 @@ jobs: runs-on: ubuntu-latest permissions: actions: write - checks: read - contents: read - deployments: read - issues: read - discussions: read - packages: read - pull-requests: read - repository-projects: read - security-events: read - statuses: read outputs: should_skip: ${{ steps.skip_check.outputs.should_skip }} steps: @@ -46,6 +50,8 @@ jobs: if: ${{ needs.skip_test.outputs.should_skip != 'true' }} name: ${{ matrix.config.name }} runs-on: ${{ matrix.config.os }} + permissions: + packages: write strategy: fail-fast: false matrix: @@ -198,11 +204,7 @@ jobs: rm ./nuget.config nuget sources add -Name tenacityteam_github_auto -Source https://nuget.pkg.github.com/tenacityteam/index.json -Username tenacityteam -Password ${{ secrets.GITHUB_TOKEN }} -StorePasswordInClearText -ForceEnglishOutput -NonInteractive nuget setapikey ${{ secrets.GITHUB_TOKEN }} -Source tenacityteam_github_auto -ForceEnglishOutput -NonInteractive - if [[ ${{ github.event_name }} == 'push' ]]; then - echo "VCPKG_BINARY_SOURCES=clear;nuget,tenacityteam_github_auto,readwrite;" >> ${GITHUB_ENV} - else - echo "VCPKG_BINARY_SOURCES=clear;nuget,tenacityteam_github_auto,read;" >> ${GITHUB_ENV} - fi + echo "VCPKG_BINARY_SOURCES=clear;nuget,tenacityteam_github_auto,readwrite;" >> ${GITHUB_ENV} - name: "[Linux] Install dependencies" if: runner.os == 'Linux'
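Review bot: In the hunk at `@@ -46,6 +50,8 @@`, the new job-level `permissions:` block lists only `packages: write`, and a job-level block replaces the workflow-level one instead of merging with it. This job's token therefore gets no `contents` or `statuses` access, despite the defaults added at the top of the file. The job's steps are outside the hunk, so whether any of them reads the repository with the token is unconfirmed; if one does, spell it out as `contents: read` next to `packages: write`. A comment such as `# job-level permissions replace the workflow defaults; list every scope this job needs` would stop the next editor from assuming inheritance.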
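Review bot: In the hunk at `@@ -198,11 +204,7 @@`, the added `VCPKG_BINARY_SOURCES` line requests `readwrite` for every event, where the removed branch allowed writes only on `push`. Combined with the job's new `packages: write`, a build of unmerged pull-request code could publish binaries to the shared `tenacityteam_github_auto` feed that later builds restore from. Keeping the gate preserves that integrity boundary, for example `mode=read; [[ "${EVENT_NAME}" == 'push' ]] && mode=readwrite` with `EVENT_NAME` supplied through the step's `env:` instead of inline `${{ }}` interpolation. The workflow's triggers are not visible in this diff, so whether pull-request events reach this step needs confirming.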