0
0
Fork 0
mirror of https://github.com/yt-dlp/yt-dlp.git synced 2024-11-25 02:45:12 +00:00

[build, test] Harden workflows' security (#5410)

Authored by: sashashura
This commit is contained in:
Alex 2022-11-10 03:41:07 +02:00 committed by GitHub
parent ed6bec168d
commit c789fb7787
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 15 additions and 3 deletions

View file

@ -1,8 +1,12 @@
name: Build name: Build
on: workflow_dispatch on: workflow_dispatch
permissions:
contents: read
jobs: jobs:
prepare: prepare:
permissions:
contents: write # for push_release
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs: outputs:
version_suffix: ${{ steps.version_suffix.outputs.version_suffix }} version_suffix: ${{ steps.version_suffix.outputs.version_suffix }}
@ -69,9 +73,6 @@ jobs:
python pyinst.py --onedir python pyinst.py --onedir
(cd ./dist/yt-dlp_linux && zip -r ../yt-dlp_linux.zip .) (cd ./dist/yt-dlp_linux && zip -r ../yt-dlp_linux.zip .)
python pyinst.py python pyinst.py
- name: Get SHA2-SUMS
id: get_sha
run: |
- name: Upload artifacts - name: Upload artifacts
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
@ -248,6 +249,8 @@ jobs:
publish_release: publish_release:
permissions:
contents: write # for action-gh-release
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [prepare, build_unix, build_windows, build_windows32, build_macos, build_macos_legacy] needs: [prepare, build_unix, build_windows, build_windows32, build_macos, build_macos_legacy]

View file

@ -1,5 +1,8 @@
name: Core Tests name: Core Tests
on: [push, pull_request] on: [push, pull_request]
permissions:
contents: read
jobs: jobs:
tests: tests:
name: Core Tests name: Core Tests

View file

@ -1,5 +1,8 @@
name: Download Tests name: Download Tests
on: [push, pull_request] on: [push, pull_request]
permissions:
contents: read
jobs: jobs:
quick: quick:
name: Quick Download Tests name: Quick Download Tests

View file

@ -1,5 +1,8 @@
name: Quick Test name: Quick Test
on: [push, pull_request] on: [push, pull_request]
permissions:
contents: read
jobs: jobs:
tests: tests:
name: Core Test name: Core Test