Merge pull request #171 from scott-wilson/fix_security_alerts

Make workflows read only by default
scott-wilson · Apr 5, 2024 · 16a651b · 16a651b
2 parents d3747f5 + af722cd
commit 16a651b
Show file tree

Hide file tree

Showing 7 changed files with 27 additions and 6 deletions.
diff --git a/.github/workflows/dependabot_reviewer.yml b/.github/workflows/dependabot_reviewer.yml
@@ -3,13 +3,17 @@ name: Dependabot reviewer
 on: pull_request_target
 
 permissions:
-  pull-requests: write
-  contents: write
+  contents: read
 
 jobs:
   review-dependabot-pr:
     runs-on: ubuntu-latest
     if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+
+    permissions:
+      pull-requests: write
+      contents: write
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0

diff --git a/.github/workflows/rust-audit.yml b/.github/workflows/rust-audit.yml
@@ -4,6 +4,9 @@ on:
   schedule:
     - cron: "0 0 * * 1"
 
+permissions:
+  contents: read
+
 jobs:
   audit_rust:
     name: Audit Rust

diff --git a/.github/workflows/test_suite_c.yml b/.github/workflows/test_suite_c.yml
@@ -21,6 +21,9 @@ on:
       - deny.toml
       - .gitmodules
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: C test

diff --git a/.github/workflows/test_suite_cpp.yml b/.github/workflows/test_suite_cpp.yml
@@ -21,6 +21,9 @@ on:
       - deny.toml
       - .gitmodules
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: C++ test

diff --git a/.github/workflows/test_suite_python.yml b/.github/workflows/test_suite_python.yml
@@ -21,6 +21,9 @@ on:
       - deny.toml
       - .gitmodules
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Python test

diff --git a/.github/workflows/test_suite_rust.yml b/.github/workflows/test_suite_rust.yml
@@ -19,6 +19,9 @@ on:
       - Cargo.toml
       - deny.toml
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Rust test

diff --git a/bindings/python/src/check_wrapper.rs b/bindings/python/src/check_wrapper.rs
@@ -48,7 +48,7 @@ impl Check for CheckWrapper {
     type Items = Vec<ItemWrapper>;
 
     fn check(&self) -> checks::CheckResult<Self::Item, Self::Items> {
-        match Python::with_gil(|py| {
+        let result = Python::with_gil(|py| {
             let result = self.check.call_method0(py, intern!(py, "check"))?;
 
             let status = result
@@ -76,7 +76,8 @@ impl Check for CheckWrapper {
             Ok::<checks::CheckResult<ItemWrapper, Vec<ItemWrapper>>, PyErr>(
                 checks::CheckResult::new(status, message, items, can_fix, can_skip, None),
             )
-        }) {
+        });
+        match result {
             Ok(result) => result,
             Err(err) => checks::CheckResult::new(
                 checks::Status::SystemError,
@@ -170,7 +171,7 @@ impl AsyncCheck for AsyncCheckWrapper {
             }
         };
 
-        match Python::with_gil(|py| {
+        let result = Python::with_gil(|py| {
             let result = result?;
 
             let status = result
@@ -198,7 +199,8 @@ impl AsyncCheck for AsyncCheckWrapper {
             Ok::<checks::CheckResult<ItemWrapper, Vec<ItemWrapper>>, PyErr>(
                 checks::CheckResult::new(status, message, items, can_fix, can_skip, None),
             )
-        }) {
+        });
+        match result {
             Ok(result) => result,
             Err(err) => checks::CheckResult::new(
                 checks::Status::SystemError,