[StepSecurity] ci: Harden GitHub Actions (#8209)

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2025-10-26 08:42:29 +01:00 · 2023-11-26 22:37:19 -08:00 · 2023-11-26 22:37:19 -08:00 · f0b757e91e
commit f0b757e91e
parent 5c7e4b7edc
4 changed files with 12 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -23,6 +23,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  build:
    runs-on: ubuntu-22.04
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -23,6 +23,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  build:
    if: github.repository == 'apache/cloudstack'
--- a/.github/workflows/rat.yml
+++ b/.github/workflows/rat.yml
@ -23,6 +23,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  build:
    runs-on: ubuntu-22.04
--- a/.github/workflows/ui.yml
+++ b/.github/workflows/ui.yml
@ -23,6 +23,9 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  build:
    runs-on: ubuntu-22.04