Commit 6f99862da8 for strongswan.org
commit 6f99862da8d9e72f6012aedc076aef8947d8a906
Author: Tobias Brunner <tobias@strongswan.org>
Date: Wed May 27 13:31:51 2026 +0200
github: Move permissions to the individual jobs
SonarQube complains about workflow-level "allow" permissions.
diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml
index 4d7c97fba3..bb6d2fa5ff 100644
--- a/.github/workflows/android.yml
+++ b/.github/workflows/android.yml
@@ -6,9 +6,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
-permissions:
- actions: write
-
env:
CCACHE_BASEDIR: ${{ github.workspace }}
CCACHE_COMPRESS: true
@@ -32,6 +29,8 @@ jobs:
needs: pre-check
if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
runs-on: ubuntu-latest
+ permissions:
+ actions: write
env:
TEST: android
# since the NDK might be newly installed, we have to use this to avoid cache misses
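Review bot: With the workflow-level `permissions:` block removed from this file, any job without its own block falls back to the repository's default GITHUB_TOKEN permissions, which can be broader than the `actions: write`-only token it had before. This would affect the `pre-check` job named in `needs:` here, but whether it has its own block is not visible in these hunks, so it is worth confirming. A workflow-level `permissions: {}` grants nothing and keeps every job deny-by-default, with the per-job `actions: write` added here overriding it where needed. The same applies to linux.yml, macos.yml, sonarcloud.yml, tkm.yml and windows.yml.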
diff --git a/.github/workflows/cache-cleanup.yml b/.github/workflows/cache-cleanup.yml
index 76d74b9492..eea8a8278b 100644
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -2,12 +2,11 @@ name: Cache cleanup
on: delete
-permissions:
- actions: write
-
jobs:
cleanup:
runs-on: ubuntu-slim
+ permissions:
+ actions: write
steps:
- env:
GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 8ed484b011..5df1a84c35 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -6,9 +6,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
-permissions:
- actions: write
-
env:
# this test case does not actually test anything but tries to access system
# directories that might be inaccessible on build hosts
@@ -35,6 +32,8 @@ jobs:
needs: pre-check
if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
runs-on: ${{ matrix.os || 'ubuntu-latest' }}
+ permissions:
+ actions: write
strategy:
fail-fast: false
matrix:
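Review bot: The `permissions:` block added to this job has no comment saying what the job uses `actions: write` for, and the identical block is copied to every job touched in this file and in the other workflows. Moving the grant to job level is the natural point to drop it from jobs that never call the Actions API. Which jobs those are cannot be told from the hunk, because the steps lie outside it. I would add a line such as `# actions: write is needed to <reason>` above each grant and give the remaining jobs `permissions: {}`.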
@@ -160,6 +159,8 @@ jobs:
needs: pre-check
if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
runs-on: ${{ matrix.os }}
+ permissions:
+ actions: write
strategy:
fail-fast: false
matrix:
@@ -260,6 +261,8 @@ jobs:
needs: pre-check
if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
runs-on: ${{ matrix.os }}
+ permissions:
+ actions: write
strategy:
matrix:
os: [ ubuntu-22.04 ]
@@ -342,6 +345,8 @@ jobs:
if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
runs-on: ubuntu-latest
container: alpine:latest
+ permissions:
+ actions: write
env:
TESTS_REDUCED_KEYLENGTHS: yes
TEST: alpine
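Review bot: This job now explicitly holds an `actions: write` token while running inside `container: alpine:latest`, a mutable tag, so whatever image the registry serves at run time executes in a job that holds that token. Pinning the image by digest, `container: alpine@sha256:<digest-placeholder>`, makes the runtime reproducible and keeps an upstream tag change from reaching a job with write access. The job's steps are outside the hunk, so how the token is passed to them could not be checked.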
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 3a5118452b..2bb052673a 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -6,9 +6,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
-permissions:
- actions: write
-
env:
TESTS_REDUCED_KEYLENGTHS: yes
CCACHE_BASEDIR: ${{ github.workspace }}
@@ -36,6 +33,8 @@ jobs:
if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
runs-on: ${{ matrix.os }}
timeout-minutes: 20
+ permissions:
+ actions: write
env:
TEST: macos
steps:
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index f28facbe91..988cb092e4 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -6,9 +6,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
-permissions:
- actions: write
-
env:
CCACHE_BASEDIR: ${{ github.workspace }}
CCACHE_COMPRESS: true
@@ -31,6 +28,8 @@ jobs:
needs: pre-check
if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
runs-on: ubuntu-latest
+ permissions:
+ actions: write
env:
TEST: sonarcloud
steps:
diff --git a/.github/workflows/tkm.yml b/.github/workflows/tkm.yml
index 44fe35e958..902e048972 100644
--- a/.github/workflows/tkm.yml
+++ b/.github/workflows/tkm.yml
@@ -6,9 +6,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
-permissions:
- actions: write
-
env:
CCACHE_DIR: ${{ github.workspace }}/.ccache
CCACHE_CONTAINER: /root/.ccache
@@ -32,6 +29,8 @@ jobs:
needs: pre-check
if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
runs-on: ubuntu-latest
+ permissions:
+ actions: write
env:
TEST: tkm
steps:
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index 039085458a..e3299eb629 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -6,9 +6,6 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
-permissions:
- actions: write
-
env:
TESTS_REDUCED_KEYLENGTHS: yes
CCACHE_COMPRESS: true
@@ -34,6 +31,8 @@ jobs:
needs: pre-check
if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
runs-on: ubuntu-latest
+ permissions:
+ actions: write
strategy:
matrix:
test: [ win64, win32 ]
@@ -80,6 +79,8 @@ jobs:
needs: pre-check
if: ${{ needs.pre-check.outputs.should_skip != 'true' }}
runs-on: windows-latest
+ permissions:
+ actions: write
strategy:
matrix:
include: