diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 922ff1d..7fd93bb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,5 +1,8 @@
 name: CI
+permissions:
+ contents: read
+
 on:
 push:
 branches: [main]
@@ -28,7 +31,9 @@ jobs:
 os: ["ubuntu-latest"]
 rust: ["stable", "1.76"] # MSRV
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
 - uses: Swatinem/rust-cache@v2
 # Only run tests on latest stable and above
@@ -44,7 +49,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 30
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
 with:
 targets: wasm32-unknown-unknown
@@ -58,7 +65,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 30
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@stable
 - uses: taiki-e/install-action@cargo-hack
 - uses: Swatinem/rust-cache@v2
@@ -71,7 +80,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 30
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@clippy
 - uses: Swatinem/rust-cache@v2
 with:
@@ -84,7 +95,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 30
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@nightly
 - uses: Swatinem/rust-cache@v2
 with:
@@ -97,7 +110,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 30
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
+ with:
+ persist-credentials: false
 - uses: dtolnay/rust-toolchain@nightly
 with:
 components: rustfmt
@@ -109,6 +124,7 @@ jobs:
 ci-success:
 runs-on: ubuntu-latest
 if: always()
+ permissions: {}
 needs:
 - test
 - wasm
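Review bot: The new top-level `permissions:` block in the `-1,5` hunk carries no comment saying that it is the default for every job and that every scope it does not list is set to `none`. I would put one line above it, for example `# Default GITHUB_TOKEN scope for all jobs; a job that needs more declares its own permissions block.` That keeps a later contributor from widening this block when only one job needs an extra scope.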
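Review bot: The `uses:` entries in the `-28,7` hunk are still referenced by movable refs (`actions/checkout@v5`, and the unchanged `dtolnay/rust-toolchain@stable` and `Swatinem/rust-cache@v2` next to it), so the code a job runs can change without any change to this file. The commit already narrows the token and stops persisting credentials, and pinning each action to a full commit SHA with the tag kept as a comment would cover the remaining supply-chain gap, e.g. `- uses: actions/checkout@<full-commit-sha> # v5` (placeholder; take the SHA from the release that was reviewed). The same applies to the checkout steps in the hunks at `-44,7`, `-58,7`, `-71,7`, `-84,7` and `-97,7`, and to `taiki-e/install-action@cargo-hack` in the `-58,7` hunk. The `steps:` lists continue outside these hunks, so later steps were not checked.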
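Review bot: `permissions: {}` on `ci-success` in the `-109,6` hunk removes every token scope from that job, which is only safe if its steps never check out the repository or call the API; those steps are outside the hunk, so this should be confirmed. Assuming the job only evaluates the results of its `needs`, I would add a comment above the key such as `# gate job: inspects the results of its needs only, no token required`, so the empty mapping is not mistaken for an omission and later widened.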