fix: ci token permissions for pr push

- fix: ci token permissions for pr push - fix: concurrency for ci push jobs Fixes and closes #114 https://github.com/sgammon/rules_graalvm/security/code-scanning/42 Signed-off-by: Sam Gammon <sam@elide.ventures>
sgammon · Sep 8, 2023 · 1fa60fe · 1fa60fe
1 parent c4c02a1
commit 1fa60fe
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/.github/workflows/on.pr.yml b/.github/workflows/on.pr.yml
@@ -19,6 +19,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   dependency-graph:
     name: "Dependency Graph"

diff --git a/.github/workflows/on.push.yml b/.github/workflows/on.push.yml
@@ -15,6 +15,11 @@ name: "CI"
       - "*.bzl"
       - "*.bazel"
 
+concurrency:
+  # Cancel previous actions from the same PR: https://stackoverflow.com/a/72408109
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   dependency-graph:
     name: "Dependency Graph"