From db83104d0d798a7f92bb2db3918358929aad5d22 Mon Sep 17 00:00:00 2001 From: Hubert Bugaj Date: Wed, 1 Apr 2026 15:32:19 +0200 Subject: [PATCH 1/3] chore: random CI improvements --- .../CARGO_PUBLISH_DRY_RUN_ISSUE_TEMPLATE.md | 8 +++ .github/workflows/cargo-publish-dry-run.yml | 47 +++++++++++++++++ .github/workflows/coverage.yml | 10 ++++ .github/workflows/docker.yml | 18 ++----- .github/workflows/forest.yml | 50 ------------------- .github/workflows/unit-tests.yml | 14 ++++-- 6 files changed, 80 insertions(+), 67 deletions(-) create mode 100644 .github/CARGO_PUBLISH_DRY_RUN_ISSUE_TEMPLATE.md create mode 100644 .github/workflows/cargo-publish-dry-run.yml diff --git a/.github/CARGO_PUBLISH_DRY_RUN_ISSUE_TEMPLATE.md b/.github/CARGO_PUBLISH_DRY_RUN_ISSUE_TEMPLATE.md new file mode 100644 index 000000000000..d18529deed3a --- /dev/null +++ b/.github/CARGO_PUBLISH_DRY_RUN_ISSUE_TEMPLATE.md @@ -0,0 +1,8 @@ +--- +title: "[automated] `cargo publish --dry-run` failure @ {{ date | date('D/M/YY HH:mm') }}" +labels: ["Bug"] +--- + +## Description + +Please [check the logs]({{ env.WORKFLOW_URL }}) for more information. diff --git a/.github/workflows/cargo-publish-dry-run.yml b/.github/workflows/cargo-publish-dry-run.yml new file mode 100644 index 000000000000..19ab5c635177 --- /dev/null +++ b/.github/workflows/cargo-publish-dry-run.yml 
@@ -0,0 +1,47 @@ +name: cargo publish dry run +on: + workflow_dispatch: + schedule: + - cron: "0 0 * * *" + +env: + CI: 1 + CACHE_TIMEOUT_MINUTES: 5 + AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}" + AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}" + RUSTC_WRAPPER: sccache + CC: sccache clang + CXX: sccache clang++ + +jobs: + cargo-publish-dry-run: + runs-on: ubuntu-24.04 + steps: + - name: Configure SCCache variables + run: | + # External PRs do not have access to 'vars' or 'secrets'. + if [[ "${{secrets.AWS_ACCESS_KEY_ID}}" != "" ]]; then + echo "SCCACHE_ENDPOINT=${{ vars.SCCACHE_ENDPOINT}}" >> $GITHUB_ENV + echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}" >> $GITHUB_ENV + echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV + fi + - name: Checkout Sources + uses: actions/checkout@v6 + - name: Setup sccache + uses: mozilla-actions/sccache-action@v0.0.9 + timeout-minutes: ${{ fromJSON(env.CACHE_TIMEOUT_MINUTES) }} + continue-on-error: true + - uses: jdx/mise-action@v4 + - run: cargo publish --dry-run + - name: Set WORKFLOW_URL + if: failure() + run: | + export WORKFLOW_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" + echo ${WORKFLOW_URL} + echo "WORKFLOW_URL=${WORKFLOW_URL}" >> $GITHUB_ENV + - uses: JasonEtco/create-an-issue@v2 + if: failure() + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + filename: .github/CARGO_PUBLISH_DRY_RUN_ISSUE_TEMPLATE.md diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 3f7240523ce6..5f1522dcbbc9 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml 
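Review bot: The `Configure SCCache variables` step tests a secret by expanding `${{secrets.AWS_ACCESS_KEY_ID}}` directly into the shell script, although the same value is already exported as `$AWS_ACCESS_KEY_ID` by the workflow-level `env:`; reading it from the environment, `if [[ -n "${AWS_ACCESS_KEY_ID:-}" ]]; then`, keeps the secret out of the generated script text, which is the generally recommended form. The comment about external PRs not having `vars` or `secrets` does not apply to this file, since it only runs on `workflow_dispatch` and `schedule`, so it should be reworded or dropped. Because `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are workflow-level `env:`, they are visible to every step including `jdx/mise-action@v4` and `JasonEtco/create-an-issue@v2`; moving them to a step-level `env:` on the sccache and `cargo publish --dry-run` steps narrows that, and pinning the third-party actions to a commit SHA instead of a floating tag limits what a compromised tag can do with the `GITHUB_TOKEN` it receives. Since the `@@ -668,7 +619,6 @@` hunk in forest.yml also drops this job from the integration gate, a header comment such as `# Runs nightly rather than per PR; failures open an issue from the template below.` would document the trade-off.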
@@ -50,6 +50,16 @@ jobs: - uses: actions/checkout@v6 - uses: jdx/mise-action@v4 - uses: taiki-e/install-action@cargo-llvm-cov + - uses: actions/cache@v5 + id: cache-proof-params + with: + path: ${{ env.FIL_PROOFS_PARAMETER_CACHE }} + key: proof-params-keys + - uses: actions/cache@v5 + id: cache-actor-bundle + with: + path: ${{ env.FOREST_ACTOR_BUNDLE_PATH }} + key: actor-bundle - name: Fetch proof params and RPC test snapshots run: | cargo run --bin forest-dev --no-default-features --profile quick -- fetch-test-snapshots --actor-bundle $FOREST_ACTOR_BUNDLE_PATH diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index e498944f35e0..b44ff2265da4 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -50,10 +50,6 @@ jobs: echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}" >> $GITHUB_ENV echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV fi - - run: lscpu - - name: Show IP - run: curl ifconfig.me - continue-on-error: true - name: Checkout Sources uses: actions/checkout@v6 - name: Setup sccache @@ -65,7 +61,7 @@ jobs: env: # To minimize compile times: https://nnethercote.github.io/perf-book/build-configuration.html#minimizing-compile-times RUSTFLAGS: "-C linker=clang -C link-arg=-fuse-ld=lld" - run: mise run install release + run: mise run install ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) && 'release' || 'quick' }} - uses: actions/upload-artifact@v7 with: name: "forest-linux-amd64" @@ -90,11 +86,6 @@ jobs: echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV fi echo "SCCACHE_S3_KEY_PREFIX=aarch64" >> $GITHUB_ENV - - run: lscpu - - run: vmstat -s - - name: Show IP - run: curl ifconfig.me - continue-on-error: true - name: Checkout Sources uses: actions/checkout@v6 if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') 
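Review bot: The new cache steps use the fixed keys `proof-params-keys` and `actor-bundle`, so once an entry exists on the default branch it is restored on every run and never refreshed; if `fetch-test-snapshots` skips the download when `$FOREST_ACTOR_BUNDLE_PATH` already exists (not visible here), a bundle bump would be masked by the stale cache. `proof-params-keys` follows the key forest.yml already uses, but the actor bundle is new and would be safer with a key that changes with the bundle, e.g. `key: actor-bundle-<bundle-version-or-hash>` (placeholder). The `id: cache-proof-params` and `id: cache-actor-bundle` values are not referenced anywhere in the hunk; either drop them or use `steps.cache-actor-bundle.outputs.cache-hit` to decide whether the fetch is needed. The identical steps are added to unit-tests.yml in the `@@ -72,6 +68,16 @@` hunk, so the same applies there.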
@@ -196,6 +187,7 @@ jobs: # - date+sha, e.g. 2023-01-19-da4692d, # - tag (if pushed). - name: Docker Meta + if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') id: meta uses: docker/metadata-action@v6 with: @@ -208,13 +200,13 @@ jobs: type=edge - name: Build slim image and push to GitHub Container Registry + if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') uses: docker/build-push-action@v7 with: context: /tmp/forest file: ./Dockerfile-ci tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - push: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }} - # Compile Docker image only for AMD64 for a regular PR to save some CI time. - platforms: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) && 'linux/amd64,linux/arm64' || 'linux/amd64' }} + push: true + platforms: linux/amd64,linux/arm64 target: slim-image diff --git a/.github/workflows/forest.yml b/.github/workflows/forest.yml index 2bfc277c960a..6b620aa3f8ef 100644 --- a/.github/workflows/forest.yml +++ b/.github/workflows/forest.yml @@ -74,10 +74,6 @@ jobs: echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}" >> $GITHUB_ENV echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV fi - - run: lscpu - - name: Show IP - run: curl ifconfig.me - continue-on-error: true - name: Checkout Sources uses: actions/checkout@v6 - name: Setup sccache 
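Review bot: With `Docker Meta` and `Build slim image and push` now gated by `if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')` and the build step switched to `push: true`, pull requests no longer build the image at all, so a change that breaks `Dockerfile-ci` is first detected on main rather than in review; the removed comment shows the previous intent was to keep a single-arch build on PRs. If that loss is accepted it belongs in the commit description, otherwise keep the original conditional `push:` and `platforms:` expressions and drop the two `if:` lines. The enclosing job continues outside the hunk.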
@@ -103,24 +99,12 @@ jobs: path: | ~/.cargo/bin/forest* if-no-files-found: error - cargo-publish-dry-run: - runs-on: ubuntu-24.04 - steps: - - name: Checkout Sources - uses: actions/checkout@v6 - - name: Setup sccache - uses: mozilla-actions/sccache-action@v0.0.9 - timeout-minutes: ${{ fromJSON(env.CACHE_TIMEOUT_MINUTES) }} - continue-on-error: true - - uses: jdx/mise-action@v4 - - run: cargo publish --dry-run forest-cli-check: needs: - build-ubuntu name: Forest CLI checks runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: ${{ env.FIL_PROOFS_PARAMETER_CACHE }} @@ -142,16 +126,11 @@ jobs: name: Calibnet check runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" key: proof-params-keys - uses: actions/checkout@v6 - - uses: actions/download-artifact@v8 - with: - name: "forest-${{ runner.os }}" - path: ~/.cargo/bin - uses: actions/download-artifact@v8 with: name: "forest-${{ runner.os }}" @@ -178,7 +157,6 @@ jobs: name: Calibnet stateless mode check runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -189,10 +167,6 @@ jobs: with: name: "forest-${{ runner.os }}" path: ~/.cargo/bin - - uses: actions/download-artifact@v8 - with: - name: "forest-${{ runner.os }}" - path: ~/.cargo/bin - name: Set permissions run: | chmod +x ~/.cargo/bin/forest* @@ -204,7 +178,6 @@ jobs: name: Calibnet stateless RPC check runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -215,10 +188,6 @@ jobs: with: name: "forest-${{ runner.os }}" path: ~/.cargo/bin - - uses: actions/download-artifact@v8 - with: - name: "forest-${{ runner.os }}" - path: ~/.cargo/bin - name: Set permissions run: | chmod +x ~/.cargo/bin/forest* 
@@ -230,7 +199,6 @@ jobs: name: State migrations runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -252,7 +220,6 @@ jobs: name: Wallet tests runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -281,7 +248,6 @@ jobs: name: Delegated wallet tests runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -309,7 +275,6 @@ jobs: name: V1 snapshot export checks runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -331,7 +296,6 @@ jobs: name: V2 snapshot export checks runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -353,7 +317,6 @@ jobs: name: Diff snapshot export checks runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -375,7 +338,6 @@ jobs: name: Calibnet no discovery checks runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -396,7 +358,6 @@ jobs: name: Calibnet kademlia checks runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -417,7 +378,6 @@ jobs: name: Calibnet eth mapping check runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -428,10 +388,6 @@ jobs: with: name: "forest-${{ runner.os }}" path: ~/.cargo/bin - - uses: actions/download-artifact@v8 - with: - name: "forest-${{ runner.os }}" - path: ~/.cargo/bin - name: Set permissions run: | chmod +x ~/.cargo/bin/forest* 
@@ -447,7 +403,6 @@ jobs: name: Calibnet api test-stateful check runs-on: ubuntu-24.04 steps: - - run: lscpu - uses: actions/cache@v5 with: path: "${{ env.FIL_PROOFS_PARAMETER_CACHE }}" @@ -458,10 +413,6 @@ jobs: with: name: "forest-${{ runner.os }}" path: ~/.cargo/bin - - uses: actions/download-artifact@v8 - with: - name: "forest-${{ runner.os }}" - path: ~/.cargo/bin - name: Set permissions run: | chmod +x ~/.cargo/bin/forest* @@ -668,7 +619,6 @@ jobs: needs: - build-macos - build-ubuntu - - cargo-publish-dry-run - forest-cli-check - calibnet-check - calibnet-stateless-mode-check diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml index 5db900a3b432..26d07e4d5141 100644 --- a/.github/workflows/unit-tests.yml +++ b/.github/workflows/unit-tests.yml @@ -56,10 +56,6 @@ jobs: echo "SCCACHE_BUCKET=${{ vars.SCCACHE_BUCKET}}" >> $GITHUB_ENV echo "SCCACHE_REGION=${{ vars.SCCACHE_REGION}}" >> $GITHUB_ENV fi - # find the nearest S3 space for storing cache files - - name: Show IP - run: curl ifconfig.me - continue-on-error: true - name: Checkout Sources uses: actions/checkout@v6 - name: Setup sccache @@ -72,6 +68,16 @@ jobs: cache-dependency-path: "**/go.sum" - name: install nextest uses: taiki-e/install-action@nextest + - uses: actions/cache@v5 + id: cache-proof-params + with: + path: ${{ env.FIL_PROOFS_PARAMETER_CACHE }} + key: proof-params-keys + - uses: actions/cache@v5 + id: cache-actor-bundle + with: + path: ${{ env.FOREST_ACTOR_BUNDLE_PATH }} + key: actor-bundle - name: Fetch proof params and RPC test snapshots run: | cargo run --bin forest-dev --no-default-features --profile quick-test -- fetch-test-snapshots --actor-bundle $FOREST_ACTOR_BUNDLE_PATH From a4d5684af521292ff959f128d37cd21943d0ef75 Mon Sep 17 00:00:00 2001 
From: Hubert Date: Wed, 1 Apr 2026 15:37:45 +0200 Subject: [PATCH 2/3] Update .github/workflows/cargo-publish-dry-run.yml Co-authored-by: hanabi1224 --- .github/workflows/cargo-publish-dry-run.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cargo-publish-dry-run.yml b/.github/workflows/cargo-publish-dry-run.yml index 19ab5c635177..571ad1c0f513 100644 --- a/.github/workflows/cargo-publish-dry-run.yml +++ b/.github/workflows/cargo-publish-dry-run.yml @@ -15,7 +15,7 @@ env: jobs: cargo-publish-dry-run: - runs-on: ubuntu-24.04 + runs-on: ubuntu-24.04-arm steps: - name: Configure SCCache variables run: | From 111d22d92c01acf0484cf10dd13643854be44d92 Mon Sep 17 00:00:00 2001 
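Review bot: Moving this job to `ubuntu-24.04-arm` while the workflow-level `env:` still points sccache at the shared S3 bucket means the arm build writes into the same key space as the x86_64 jobs; docker.yml's arm64 job sets `SCCACHE_S3_KEY_PREFIX=aarch64` in its configure step, presumably to keep the architectures apart, and this workflow's copy of that step does not. Adding `echo "SCCACHE_S3_KEY_PREFIX=aarch64" >> $GITHUB_ENV` inside the `if` would keep the two arm jobs consistent, unless sharing the prefix is intended. The `steps:` list continues outside the hunk.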
From: Hubert Bugaj Date: Wed, 1 Apr 2026 16:00:24 +0200 Subject: [PATCH 3/3] chore: add explicit permissions to workflows --- .github/workflows/butterflynet.yml | 2 ++ .github/workflows/cargo-advisories.yml | 3 +++ .github/workflows/cargo-publish-dry-run.yml | 3 +++ .github/workflows/checkpoints.yml | 2 ++ .github/workflows/coverage.yml | 2 ++ .github/workflows/curio-devnet-publish.yml | 3 +++ .github/workflows/docker-dev.yml | 3 +++ .github/workflows/docker-latest-tag.yml | 3 +++ .github/workflows/docker-lint.yml | 2 ++ .github/workflows/docker.yml | 3 +++ .github/workflows/dockerfile-check.yml | 3 +++ .github/workflows/docs-auto-update.yml | 2 ++ .github/workflows/docs-check.yml | 2 ++ .github/workflows/docs-required-override.yml | 2 ++ .github/workflows/docs-rpc-auto-update.yml | 2 ++ .github/workflows/forest.yml | 3 +++ .github/workflows/link-check.yml | 2 ++ .github/workflows/lists-lint.yml | 2 ++ .github/workflows/lotus-api-bump.yml | 2 ++ .github/workflows/lotus-devnet-publish.yml | 3 +++ .github/workflows/python-lint.yml | 2 ++ .github/workflows/release.yml | 4 ++++ .github/workflows/release_dispatch.yml | 4 ++++ .github/workflows/rpc-parity-report.yml | 4 ++++ .github/workflows/rpc-parity.yml | 3 +++ .github/workflows/rubocop.yml | 2 ++ .github/workflows/rust-lint.yml | 2 ++ .github/workflows/shellcheck.yml | 2 ++ .github/workflows/snapshot-parity.yml | 3 +++ .github/workflows/this-month-in-forest-reminder.yml | 3 +++ .github/workflows/unit-tests.yml | 2 ++ .github/workflows/yaml-lint.yml | 2 ++ 32 files changed, 82 insertions(+) diff --git a/.github/workflows/butterflynet.yml b/.github/workflows/butterflynet.yml index 9da7aec542d3..b39f3ab74937 100644 --- a/.github/workflows/butterflynet.yml +++ b/.github/workflows/butterflynet.yml @@ -1,4 +1,6 @@ name: Butterflynet checks +permissions: + contents: read on: workflow_dispatch: env: 
diff --git a/.github/workflows/cargo-advisories.yml b/.github/workflows/cargo-advisories.yml index 58fc2fcf7b9c..a130ac4a804f 100644 --- a/.github/workflows/cargo-advisories.yml +++ b/.github/workflows/cargo-advisories.yml @@ -1,4 +1,7 @@ name: cargo deny advisories +permissions: + contents: read + issues: write on: workflow_dispatch: schedule: diff --git a/.github/workflows/cargo-publish-dry-run.yml b/.github/workflows/cargo-publish-dry-run.yml index 571ad1c0f513..5b11e6bd46c1 100644 --- a/.github/workflows/cargo-publish-dry-run.yml +++ b/.github/workflows/cargo-publish-dry-run.yml @@ -1,4 +1,7 @@ name: cargo publish dry run +permissions: + contents: read + issues: write on: workflow_dispatch: schedule: diff --git a/.github/workflows/checkpoints.yml b/.github/workflows/checkpoints.yml index ff3b7c59109a..40829ea1c46b 100644 --- a/.github/workflows/checkpoints.yml +++ b/.github/workflows/checkpoints.yml @@ -1,4 +1,6 @@ name: Checkpoints Auto Update +permissions: + contents: read on: workflow_dispatch: diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 5f1522dcbbc9..dbdd3a77aa77 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -1,4 +1,6 @@ name: Code coverage +permissions: + contents: read # Cancel workflow if there is a new change to the branch. concurrency: diff --git a/.github/workflows/curio-devnet-publish.yml b/.github/workflows/curio-devnet-publish.yml index b019e06cc626..9f7b8685ee8a 100644 --- a/.github/workflows/curio-devnet-publish.yml +++ b/.github/workflows/curio-devnet-publish.yml @@ -1,4 +1,7 @@ name: Curio devnet image +permissions: + contents: read + packages: write # Only build and publish this image on demand. # The compilation adds significant overhead to the CI and it is not supposed diff --git a/.github/workflows/docker-dev.yml b/.github/workflows/docker-dev.yml index a17b1b924e3d..ec977bcf9ee6 100644 --- a/.github/workflows/docker-dev.yml +++ b/.github/workflows/docker-dev.yml 
@@ -1,4 +1,7 @@ name: Build Dev Docker Image +permissions: + contents: read + packages: write concurrency: group: ${{ github.workflow }}-${{ inputs.git_ref }} diff --git a/.github/workflows/docker-latest-tag.yml b/.github/workflows/docker-latest-tag.yml index d28392466c1c..9aa8f997b2e9 100644 --- a/.github/workflows/docker-latest-tag.yml +++ b/.github/workflows/docker-latest-tag.yml @@ -1,6 +1,9 @@ # Re-tag the given image and push it to the ghcr.io # Preserves the old tag. name: Docker Latest tag +permissions: + contents: read + packages: write on: workflow_dispatch: diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml index e003f0d40cf9..594bd4c51c56 100644 --- a/.github/workflows/docker-lint.yml +++ b/.github/workflows/docker-lint.yml @@ -1,4 +1,6 @@ name: Docker lint +permissions: + contents: read # Cancel workflow if there is a new change to the branch. concurrency: diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index b44ff2265da4..dced3f98ede5 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -1,4 +1,7 @@ name: Forest Docker +permissions: + contents: read + packages: write # Cancel workflow if there is a new change to the branch. concurrency: diff --git a/.github/workflows/dockerfile-check.yml b/.github/workflows/dockerfile-check.yml index 6f1727f090c5..dcafe66e5252 100644 --- a/.github/workflows/dockerfile-check.yml +++ b/.github/workflows/dockerfile-check.yml @@ -1,5 +1,8 @@ # Checks periodically that the Dockerfile builds successfully, and if it doesn't, it creates an issue with the error message. name: Dockerfile Check +permissions: + contents: read + issues: write on: workflow_dispatch: diff --git a/.github/workflows/docs-auto-update.yml b/.github/workflows/docs-auto-update.yml index d18009214d4d..1d7bf11f5f19 100644 --- a/.github/workflows/docs-auto-update.yml +++ b/.github/workflows/docs-auto-update.yml 
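Review bot: In docker.yml `packages: write` is granted at the workflow level, so every job — including the amd64/arm64 build jobs that run on pull requests and appear to need only `contents: read` — receives a token that can push to ghcr.io; this same commit already shows the tighter form in release.yml, where `permissions:` sits on the individual job. Keep `permissions: contents: read` at the top and move `packages: write` to the job that runs `docker/build-push-action`, and apply the same split to forest.yml (`issues: write` across all of its integration jobs, `@@ -1,4 +1,7 @@ name: Integration tests`) and rpc-parity-report.yml (`contents: write`, `issues: write` and `pull-requests: write` at the top). For pull requests from forks the token is read-only regardless, so the exposure is on same-repo branches and the scheduled and dispatch runs.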
@@ -1,5 +1,7 @@ # This workflows, run daily, updates the Forest CLI usage docs, and submits a PR with the changes. name: Update Forest usage docs +permissions: + contents: read on: workflow_dispatch: diff --git a/.github/workflows/docs-check.yml b/.github/workflows/docs-check.yml index d9ff2a1b0545..bec88d10f74a 100644 --- a/.github/workflows/docs-check.yml +++ b/.github/workflows/docs-check.yml @@ -1,4 +1,6 @@ name: Docs Check +permissions: + contents: read # Cancel workflow if there is a new change to the branch. concurrency: diff --git a/.github/workflows/docs-required-override.yml b/.github/workflows/docs-required-override.yml index b10ed6d54d1f..a523aab5235b 100644 --- a/.github/workflows/docs-required-override.yml +++ b/.github/workflows/docs-required-override.yml @@ -2,6 +2,8 @@ # We check that changes affect only the documentation and that no other changes are present. If this is the case, we trigger the no-op jobs. name: Docs Required Override +permissions: + contents: read concurrency: group: "${{ github.workflow }}-${{ github.ref }}" cancel-in-progress: "${{ github.ref != 'refs/heads/main' }}" diff --git a/.github/workflows/docs-rpc-auto-update.yml b/.github/workflows/docs-rpc-auto-update.yml index e8a5922eb383..260cc7beaa64 100644 --- a/.github/workflows/docs-rpc-auto-update.yml +++ b/.github/workflows/docs-rpc-auto-update.yml @@ -1,5 +1,7 @@ # This workflow, run daily, updates the Forest RPC reference docs, and submits a PR with the changes. name: Update Forest RPC reference docs +permissions: + contents: read on: workflow_dispatch: diff --git a/.github/workflows/forest.yml b/.github/workflows/forest.yml index 6b620aa3f8ef..8090d0fa0fea 100644 --- a/.github/workflows/forest.yml +++ b/.github/workflows/forest.yml @@ -1,4 +1,7 @@ name: Integration tests +permissions: + contents: read + issues: write concurrency: group: "${{ github.workflow }}-${{ github.ref }}" cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} 
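Review bot: The header comment says this workflow "submits a PR with the changes", yet the new grant is `contents: read` only; with the default `GITHUB_TOKEN` that is not enough to push a branch or open a pull request (`contents: write` and `pull-requests: write` would be needed), so either the workflow uses a PAT or app token, which the permissions block should state, or the PR step will start failing. The same applies to docs-rpc-auto-update.yml in this line and lotus-api-bump.yml in the next, both described as submitting a PR, and possibly to checkpoints.yml (`Checkpoints Auto Update`). A one-line comment such as `# The PR is opened with a PAT/app token, so GITHUB_TOKEN only needs read.` would make the intent reviewable.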
diff --git a/.github/workflows/link-check.yml b/.github/workflows/link-check.yml index 00b1aea5193b..510c6907feb5 100644 --- a/.github/workflows/link-check.yml +++ b/.github/workflows/link-check.yml @@ -1,4 +1,6 @@ name: Link Checker +permissions: + contents: read on: workflow_dispatch: diff --git a/.github/workflows/lists-lint.yml b/.github/workflows/lists-lint.yml index 9fd82a538b29..fa300cf5061c 100644 --- a/.github/workflows/lists-lint.yml +++ b/.github/workflows/lists-lint.yml @@ -1,4 +1,6 @@ name: Lists lint +permissions: + contents: read # Cancel workflow if there is a new change to the branch. concurrency: diff --git a/.github/workflows/lotus-api-bump.yml b/.github/workflows/lotus-api-bump.yml index 1c71ea8eb928..e3db28aa7f31 100644 --- a/.github/workflows/lotus-api-bump.yml +++ b/.github/workflows/lotus-api-bump.yml @@ -1,6 +1,8 @@ # This workflows, run daily, updates the Lotus version in the JSON-RPC API tests to the latest release, # and submits a PR with the changes. name: Update Lotus version in API tests +permissions: + contents: read on: workflow_dispatch: diff --git a/.github/workflows/lotus-devnet-publish.yml b/.github/workflows/lotus-devnet-publish.yml index 1f8aed8df191..29d84557205d 100644 --- a/.github/workflows/lotus-devnet-publish.yml +++ b/.github/workflows/lotus-devnet-publish.yml @@ -1,4 +1,7 @@ name: Lotus devnet image +permissions: + contents: read + packages: write # Only build and publish this image on demand. # The compilation adds significant overhead to the CI and it is not supposed diff --git a/.github/workflows/python-lint.yml b/.github/workflows/python-lint.yml index 01e0dbcf595c..b0f4b6ec6020 100644 --- a/.github/workflows/python-lint.yml +++ b/.github/workflows/python-lint.yml @@ -1,4 +1,6 @@ name: Python lint +permissions: + contents: read # Cancel workflow if there is a new change to the branch. concurrency: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 41a3b66eed30..6be2770ffc03 100644 
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,6 +8,8 @@ on: jobs: build: name: Build + permissions: + contents: write runs-on: ${{ matrix.os }} strategy: matrix: @@ -55,6 +57,8 @@ jobs: publish: name: cargo publish + permissions: + contents: read runs-on: ubuntu-24.04-arm steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/release_dispatch.yml b/.github/workflows/release_dispatch.yml index 8ba835dc265b..3c1b4d48302d 100644 --- a/.github/workflows/release_dispatch.yml +++ b/.github/workflows/release_dispatch.yml @@ -12,6 +12,8 @@ on: jobs: build: name: Build + permissions: + contents: write runs-on: ${{ matrix.os }} strategy: matrix: @@ -58,6 +60,8 @@ jobs: prerelease: true publish: name: cargo publish + permissions: + contents: read runs-on: ubuntu-24.04-arm steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/rpc-parity-report.yml b/.github/workflows/rpc-parity-report.yml index 5135c717e4ef..f08b8f77c167 100644 --- a/.github/workflows/rpc-parity-report.yml +++ b/.github/workflows/rpc-parity-report.yml @@ -1,4 +1,8 @@ name: RPC parity conformance report +permissions: + contents: write + issues: write + pull-requests: write on: workflow_dispatch: inputs: diff --git a/.github/workflows/rpc-parity.yml b/.github/workflows/rpc-parity.yml index 132cc320bc09..492c29b7e010 100644 --- a/.github/workflows/rpc-parity.yml +++ b/.github/workflows/rpc-parity.yml @@ -1,4 +1,7 @@ name: RPC parity tests +permissions: + contents: read + issues: write on: workflow_dispatch: inputs: diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml index 65725163c5b7..97c1687cf4c9 100644 --- a/.github/workflows/rubocop.yml +++ b/.github/workflows/rubocop.yml @@ -1,4 +1,6 @@ name: Rubocop +permissions: + contents: read # Cancel workflow if there is a new change to the branch. concurrency: diff --git a/.github/workflows/rust-lint.yml b/.github/workflows/rust-lint.yml index c7b774ef3f12..4ef9517bfa20 100644 
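Review bot: release.yml and release_dispatch.yml only get job-level `permissions:` on `build` and `publish`, with no workflow-level default, so any other job in these files (the hunks do not show whether there are any) keeps the repository's default token permissions, and every step of `build` runs with `contents: write`. Adding `permissions: contents: read` at the top, as every other workflow in this commit does, makes the job-level `contents: write` the only elevation; permissions cannot be narrowed per step, so keeping that job to as few third-party actions as possible is the remaining mitigation. The matrix and steps of both jobs continue outside the hunk.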
--- a/.github/workflows/rust-lint.yml +++ b/.github/workflows/rust-lint.yml @@ -1,4 +1,6 @@ name: Rust code linters +permissions: + contents: read # Cancel workflow if there is a new change to the branch. concurrency: diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml index 60787833a02f..643df4cc80d5 100644 --- a/.github/workflows/shellcheck.yml +++ b/.github/workflows/shellcheck.yml @@ -1,4 +1,6 @@ name: Shellcheck +permissions: + contents: read # Cancel workflow if there is a new change to the branch. concurrency: diff --git a/.github/workflows/snapshot-parity.yml b/.github/workflows/snapshot-parity.yml index d9c8ff544bf3..d88ad840eac0 100644 --- a/.github/workflows/snapshot-parity.yml +++ b/.github/workflows/snapshot-parity.yml @@ -1,4 +1,7 @@ name: Snapshot parity test +permissions: + contents: read + issues: write on: workflow_dispatch: schedule: diff --git a/.github/workflows/this-month-in-forest-reminder.yml b/.github/workflows/this-month-in-forest-reminder.yml index 0979f9ceefe7..2efc89cf1d8e 100644 --- a/.github/workflows/this-month-in-forest-reminder.yml +++ b/.github/workflows/this-month-in-forest-reminder.yml @@ -1,4 +1,7 @@ name: This Month in Forest Reminder +permissions: + contents: read + issues: write on: workflow_dispatch: diff --git a/.github/workflows/unit-tests.yml b/.github/workflows/unit-tests.yml index 26d07e4d5141..4f13930c0dfd 100644 --- a/.github/workflows/unit-tests.yml +++ b/.github/workflows/unit-tests.yml @@ -1,4 +1,6 @@ name: Unit tests +permissions: + contents: read # Cancel workflow if there is a new change to the branch. concurrency: diff --git a/.github/workflows/yaml-lint.yml b/.github/workflows/yaml-lint.yml index 3359666372a7..043b9c815e24 100644 --- a/.github/workflows/yaml-lint.yml +++ b/.github/workflows/yaml-lint.yml @@ -1,4 +1,6 @@ name: YAML lint +permissions: + contents: read # Cancel workflow if there is a new change to the branch. concurrency: