patch 9.0.0593: CI actions have too many permissions
Problem: CI actions have too many permissions.
Solution: Restrict permissions to what is required. (closes #11223)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6c1b359..c988949 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,6 +12,9 @@
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
jobs:
linux:
runs-on: ubuntu-20.04
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index efb9e66..efd91a4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,8 +21,15 @@
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
cancel-in-progress: true
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
jobs:
analyze:
+ permissions:
+ contents: read # to fetch code (actions/checkout)
+ security-events: write # (github/codeql-action/autobuild)
+
name: Analyze
runs-on: ubuntu-latest
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index ce21ab2..9cbd34b 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -4,6 +4,9 @@
- cron: '42 0 * * *' # Run once per day, to avoid Coverity's submission limits
workflow_dispatch:
+permissions:
+ contents: read # to fetch code (actions/checkout)
+
jobs:
scan:
runs-on: ubuntu-20.04
diff --git a/src/version.c b/src/version.c
index ab4cea3..8f503f2 100644
--- a/src/version.c
+++ b/src/version.c
@@ -700,6 +700,8 @@
static int included_patches[] =
{ /* Add new patch number below this line */
/**/
+ 593,
+/**/
592,
/**/
591,