1c282a9306
This sets the default permission for current CI workflows to only be able to read from the repository (scope: "contents"). When a used Github Action require additional permissions (like CodeQL) we grant that permission on job-level instead. This means that a compromised action will not be able to modify the repo or even steal secrets since all other permission-scopes are implicit set to "none", i.e. not permitted. This is recommended by [OpenSSF](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions). This PR includes a small fix for the possibility of missing server logs artifacts, found while verifying the permission. The `upload-artifact@v3` action will replace artifacts which already exists. Since both CI-jobs `test-external-standalone` and `test-external-nodebug` uses the same artifact name, when both jobs fail, we only get logs from the last finished job. This can be avoided by using unique artifact names. This PR is part of #211 More about permissions and scope can be found here: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions --------- Signed-off-by: Björn Svensson <bjorn.a.svensson@est.tech>
31 lines
668 B
YAML
31 lines
668 B
YAML
# A CI action that using codespell to check spell.
|
|
# .github/.codespellrc is a config file.
|
|
# .github/wordlist.txt is a list of words that will ignore word checks.
|
|
# More details please check the following link:
|
|
# https://github.com/codespell-project/codespell
|
|
name: Spellcheck
|
|
|
|
on:
|
|
push:
|
|
pull_request:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
build:
|
|
name: Spellcheck
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install typos
|
|
uses: taiki-e/install-action@v2.32.2
|
|
with:
|
|
tool: typos
|
|
|
|
- name: Spell check
|
|
run: typos --config=./.config/typos.toml
|