ageng/yt-dlp
1
0
Fork 0
mirror of https://github.com/yt-dlp/yt-dlp synced 2025-12-21 00:25:42 +07:00
Code Issues Projects Releases Wiki Activity

[ci] Explicitly declare permissions and limit credentials (#15324)

Browse Source 
Authored by: bashonly
This commit is contained in:
bashonly
2025-12-19 13:22:23 -06:00
committed by GitHub
parent 825648a740
commit a6a8f6b6d6
13 changed files with 96 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
.github/workflows/build.yml vendored
View File

@@ -74,8 +74,7 @@ on:
default: true default: true
type: boolean type: boolean
permissions: permissions: {}
contents: read
jobs: jobs:
process: process:
@@ -186,8 +185,10 @@ jobs:
f.write(f'matrix={json.dumps(matrix)}') f.write(f'matrix={json.dumps(matrix)}')
unix: unix:
needs: process needs: [process]
if: inputs.unix if: inputs.unix
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
env: env:
CHANNEL: ${{ inputs.channel }} CHANNEL: ${{ inputs.channel }}
@@ -199,6 +200,7 @@ jobs:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with: with:
fetch-depth: 0 # Needed for changelog fetch-depth: 0 # Needed for changelog
persist-credentials: false
- uses: actions/setup-python@v6 - uses: actions/setup-python@v6
with: with:
@@ -239,8 +241,10 @@ jobs:
linux: linux:
name: ${{ matrix.os }} (${{ matrix.arch }}) name: ${{ matrix.os }} (${{ matrix.arch }})
needs: [process]
if: inputs.linux || inputs.linux_armv7l || inputs.musllinux if: inputs.linux || inputs.linux_armv7l || inputs.musllinux
needs: process permissions:
contents: read
runs-on: ${{ matrix.runner }} runs-on: ${{ matrix.runner }}
strategy: strategy:
fail-fast: false fail-fast: false
@@ -258,6 +262,8 @@ jobs:
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with:
persist-credentials: false
- name: Cache requirements - name: Cache requirements
if: matrix.cache_requirements if: matrix.cache_requirements
@@ -308,7 +314,7 @@ jobs:
compression-level: 0 compression-level: 0
macos: macos:
needs: process needs: [process]
if: inputs.macos if: inputs.macos
permissions: permissions:
contents: read contents: read
@@ -321,6 +327,9 @@ jobs:
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with:
persist-credentials: false
# NB: Building universal2 does not work with python from actions/setup-python # NB: Building universal2 does not work with python from actions/setup-python
- name: Cache requirements - name: Cache requirements
@@ -409,7 +418,7 @@ jobs:
windows: windows:
name: windows (${{ matrix.arch }}) name: windows (${{ matrix.arch }})
needs: process needs: [process]
if: inputs.windows if: inputs.windows
permissions: permissions:
contents: read contents: read
@@ -451,6 +460,9 @@ jobs:
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with:
persist-credentials: false
- uses: actions/setup-python@v6 - uses: actions/setup-python@v6
with: with:
python-version: ${{ matrix.python_version }} python-version: ${{ matrix.python_version }}
@@ -528,13 +540,13 @@ jobs:
compression-level: 0 compression-level: 0
meta_files: meta_files:
if: always() && !cancelled()
needs: needs:
- process - process
- unix - unix
- linux - linux
- macos - macos
- windows - windows
if: always() && !failure() && !cancelled()
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Download artifacts - name: Download artifacts
@@ -600,7 +612,7 @@ jobs:
GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }} GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
if: env.GPG_SIGNING_KEY if: env.GPG_SIGNING_KEY
run: | run: |
gpg --batch --import <<< "${{ secrets.GPG_SIGNING_KEY }}" gpg --batch --import <<< "${GPG_SIGNING_KEY}"
for signfile in ./SHA*SUMS; do for signfile in ./SHA*SUMS; do
gpg --batch --detach-sign "$signfile" gpg --batch --detach-sign "$signfile"
done done

6
.github/workflows/cache-warmer.yml vendored
View File

@@ -4,10 +4,14 @@ on:
schedule: schedule:
- cron: '0 22 1,6,11,16,21,27 * *' - cron: '0 22 1,6,11,16,21,27 * *'
permissions: {}
jobs: jobs:
build: build:
if: | if: |
vars.KEEP_CACHE_WARM || github.event_name == 'workflow_dispatch' vars.KEEP_CACHE_WARM || github.event_name == 'workflow_dispatch'
permissions:
contents: read
uses: ./.github/workflows/build.yml uses: ./.github/workflows/build.yml
with: with:
version: '999999' version: '999999'
@@ -19,5 +23,3 @@ jobs:
musllinux: false musllinux: false
macos: true macos: true
windows: true windows: true
permissions:
contents: read

8
.github/workflows/challenge-tests.yml vendored
View File

@@ -16,8 +16,8 @@ on:
- yt_dlp/extractor/youtube/jsc/**.py - yt_dlp/extractor/youtube/jsc/**.py
- yt_dlp/extractor/youtube/pot/**.py - yt_dlp/extractor/youtube/pot/**.py
- yt_dlp/utils/_jsruntime.py - yt_dlp/utils/_jsruntime.py
permissions:
contents: read permissions: {}
concurrency: concurrency:
group: challenge-tests-${{ github.event.pull_request.number || github.ref }} group: challenge-tests-${{ github.event.pull_request.number || github.ref }}
@@ -26,6 +26,8 @@ concurrency:
jobs: jobs:
tests: tests:
name: Challenge Tests name: Challenge Tests
permissions:
contents: read
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
fail-fast: false fail-fast: false
@@ -36,6 +38,8 @@ jobs:
QJS_VERSION: '2025-04-26' # Earliest version with rope strings QJS_VERSION: '2025-04-26' # Earliest version with rope strings
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with:
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }} - name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6 uses: actions/setup-python@v6
with: with:

4
.github/workflows/codeql.yml vendored
View File

@@ -9,6 +9,8 @@ on:
schedule: schedule:
- cron: '59 11 * * 5' - cron: '59 11 * * 5'
permissions: {}
jobs: jobs:
analyze: analyze:
name: Analyze (${{ matrix.language }}) name: Analyze (${{ matrix.language }})
@@ -26,6 +28,8 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v6 uses: actions/checkout@v6
with:
persist-credentials: false
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@v4 uses: github/codeql-action/init@v4

7
.github/workflows/core.yml vendored
View File

@@ -22,8 +22,8 @@ on:
- yt_dlp/extractor/__init__.py - yt_dlp/extractor/__init__.py
- yt_dlp/extractor/common.py - yt_dlp/extractor/common.py
- yt_dlp/extractor/extractors.py - yt_dlp/extractor/extractors.py
permissions:
contents: read permissions: {}
concurrency: concurrency:
group: core-${{ github.event.pull_request.number || github.ref }} group: core-${{ github.event.pull_request.number || github.ref }}
@@ -33,6 +33,8 @@ jobs:
tests: tests:
name: Core Tests name: Core Tests
if: "!contains(github.event.head_commit.message, 'ci skip')" if: "!contains(github.event.head_commit.message, 'ci skip')"
permissions:
contents: read
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
fail-fast: false fail-fast: false
@@ -58,6 +60,7 @@ jobs:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }} - name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6 uses: actions/setup-python@v6
with: with:

12
.github/workflows/download.yml vendored
View File

@@ -1,15 +1,19 @@
name: Download Tests name: Download Tests
on: [push, pull_request] on: [push, pull_request]
permissions:
contents: read permissions: {}
jobs: jobs:
quick: quick:
name: Quick Download Tests name: Quick Download Tests
if: "contains(github.event.head_commit.message, 'ci run dl')" if: "contains(github.event.head_commit.message, 'ci run dl')"
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with:
persist-credentials: false
- name: Set up Python - name: Set up Python
uses: actions/setup-python@v6 uses: actions/setup-python@v6
with: with:
@@ -23,6 +27,8 @@ jobs:
full: full:
name: Full Download Tests name: Full Download Tests
if: "contains(github.event.head_commit.message, 'ci run dl all')" if: "contains(github.event.head_commit.message, 'ci run dl all')"
permissions:
contents: read
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
strategy: strategy:
fail-fast: true fail-fast: true
@@ -37,6 +43,8 @@ jobs:
python-version: pypy-3.11 python-version: pypy-3.11
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with:
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }} - name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6 uses: actions/setup-python@v6
with: with:

5
.github/workflows/issue-lockdown.yml vendored
View File

@@ -3,13 +3,14 @@ on:
issues: issues:
types: [opened] types: [opened]
permissions: permissions: {}
issues: write
jobs: jobs:
lockdown: lockdown:
name: Issue Lockdown name: Issue Lockdown
if: vars.ISSUE_LOCKDOWN if: vars.ISSUE_LOCKDOWN
permissions:
issues: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: "Lock new issue" - name: "Lock new issue"

12
.github/workflows/quick-test.yml vendored
View File

@@ -1,15 +1,19 @@
name: Quick Test name: Quick Test
on: [push, pull_request] on: [push, pull_request]
permissions:
contents: read permissions: {}
jobs: jobs:
tests: tests:
name: Core Test name: Core Test
if: "!contains(github.event.head_commit.message, 'ci skip all')" if: "!contains(github.event.head_commit.message, 'ci skip all')"
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with:
persist-credentials: false
- name: Set up Python 3.10 - name: Set up Python 3.10
uses: actions/setup-python@v6 uses: actions/setup-python@v6
with: with:
@@ -24,9 +28,13 @@ jobs:
check: check:
name: Code check name: Code check
if: "!contains(github.event.head_commit.message, 'ci skip all')" if: "!contains(github.event.head_commit.message, 'ci skip all')"
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with:
persist-credentials: false
- uses: actions/setup-python@v6 - uses: actions/setup-python@v6
with: with:
python-version: '3.10' python-version: '3.10'

12
.github/workflows/release-master.yml vendored
View File

@@ -14,28 +14,28 @@ on:
- ".github/workflows/release-master.yml" - ".github/workflows/release-master.yml"
concurrency: concurrency:
group: release-master group: release-master
permissions:
contents: read permissions: {}
jobs: jobs:
release: release:
if: vars.BUILD_MASTER if: vars.BUILD_MASTER
permissions:
contents: write
id-token: write # mandatory for trusted publishing
uses: ./.github/workflows/release.yml uses: ./.github/workflows/release.yml
with: with:
prerelease: true prerelease: true
source: ${{ (github.repository != 'yt-dlp/yt-dlp' && vars.MASTER_ARCHIVE_REPO) || 'master' }} source: ${{ (github.repository != 'yt-dlp/yt-dlp' && vars.MASTER_ARCHIVE_REPO) || 'master' }}
target: 'master' target: 'master'
permissions:
contents: write
id-token: write # mandatory for trusted publishing
secrets: inherit secrets: inherit
publish_pypi: publish_pypi:
needs: [release] needs: [release]
if: vars.MASTER_PYPI_PROJECT if: vars.MASTER_PYPI_PROJECT
runs-on: ubuntu-latest
permissions: permissions:
id-token: write # mandatory for trusted publishing id-token: write # mandatory for trusted publishing
runs-on: ubuntu-latest
steps: steps:
- name: Download artifacts - name: Download artifacts
uses: actions/download-artifact@v7 uses: actions/download-artifact@v7

15
.github/workflows/release-nightly.yml vendored
View File

@@ -2,12 +2,14 @@ name: Release (nightly)
on: on:
schedule: schedule:
- cron: '23 23 * * *' - cron: '23 23 * * *'
permissions:
contents: read permissions: {}
jobs: jobs:
check_nightly: check_nightly:
if: vars.BUILD_NIGHTLY if: vars.BUILD_NIGHTLY
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
outputs: outputs:
commit: ${{ steps.check_for_new_commits.outputs.commit }} commit: ${{ steps.check_for_new_commits.outputs.commit }}
@@ -15,6 +17,7 @@ jobs:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Check for new commits - name: Check for new commits
id: check_for_new_commits id: check_for_new_commits
run: | run: |
@@ -35,22 +38,22 @@ jobs:
release: release:
needs: [check_nightly] needs: [check_nightly]
if: ${{ needs.check_nightly.outputs.commit }} if: ${{ needs.check_nightly.outputs.commit }}
permissions:
contents: write
id-token: write # mandatory for trusted publishing
uses: ./.github/workflows/release.yml uses: ./.github/workflows/release.yml
with: with:
prerelease: true prerelease: true
source: ${{ (github.repository != 'yt-dlp/yt-dlp' && vars.NIGHTLY_ARCHIVE_REPO) || 'nightly' }} source: ${{ (github.repository != 'yt-dlp/yt-dlp' && vars.NIGHTLY_ARCHIVE_REPO) || 'nightly' }}
target: 'nightly' target: 'nightly'
permissions:
contents: write
id-token: write # mandatory for trusted publishing
secrets: inherit secrets: inherit
publish_pypi: publish_pypi:
needs: [release] needs: [release]
if: vars.NIGHTLY_PYPI_PROJECT if: vars.NIGHTLY_PYPI_PROJECT
runs-on: ubuntu-latest
permissions: permissions:
id-token: write # mandatory for trusted publishing id-token: write # mandatory for trusted publishing
runs-on: ubuntu-latest
steps: steps:
- name: Download artifacts - name: Download artifacts
uses: actions/download-artifact@v7 uses: actions/download-artifact@v7

16
.github/workflows/release.yml vendored
View File

@@ -56,8 +56,7 @@ on:
default: false default: false
type: boolean type: boolean
permissions: permissions: {}
contents: read
jobs: jobs:
prepare: prepare:
@@ -150,29 +149,31 @@ jobs:
run: git push origin "${GITHUB_EVENT_REF}" run: git push origin "${GITHUB_EVENT_REF}"
build: build:
needs: prepare needs: [prepare]
permissions:
contents: read
uses: ./.github/workflows/build.yml uses: ./.github/workflows/build.yml
with: with:
version: ${{ needs.prepare.outputs.version }} version: ${{ needs.prepare.outputs.version }}
channel: ${{ needs.prepare.outputs.channel }} channel: ${{ needs.prepare.outputs.channel }}
origin: ${{ needs.prepare.outputs.target_repo }} origin: ${{ needs.prepare.outputs.target_repo }}
linux_armv7l: ${{ inputs.linux_armv7l }} linux_armv7l: ${{ inputs.linux_armv7l }}
permissions:
contents: read
secrets: secrets:
GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }} GPG_SIGNING_KEY: ${{ secrets.GPG_SIGNING_KEY }}
publish_pypi: publish_pypi:
needs: [prepare, build] needs: [prepare, build]
if: ${{ needs.prepare.outputs.pypi_project }} if: ${{ needs.prepare.outputs.pypi_project }}
runs-on: ubuntu-latest
permissions: permissions:
contents: read
id-token: write # mandatory for trusted publishing id-token: write # mandatory for trusted publishing
runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with: with:
fetch-depth: 0 fetch-depth: 0 # Needed for changelog
persist-credentials: false
- uses: actions/setup-python@v6 - uses: actions/setup-python@v6
with: with:
python-version: "3.10" python-version: "3.10"
@@ -236,6 +237,7 @@ jobs:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- uses: actions/download-artifact@v7 - uses: actions/download-artifact@v7
with: with:
path: artifact path: artifact

5
.github/workflows/sanitize-comment.yml vendored
View File

@@ -4,13 +4,14 @@ on:
issue_comment: issue_comment:
types: [created, edited] types: [created, edited]
permissions: permissions: {}
issues: write
jobs: jobs:
sanitize-comment: sanitize-comment:
name: Sanitize comment name: Sanitize comment
if: vars.SANITIZE_COMMENT && !github.event.issue.pull_request if: vars.SANITIZE_COMMENT && !github.event.issue.pull_request
permissions:
issues: write
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Sanitize comment - name: Sanitize comment

9
.github/workflows/test-workflows.yml vendored
View File

@@ -14,8 +14,9 @@ on:
- devscripts/setup_variables.py - devscripts/setup_variables.py
- devscripts/setup_variables_tests.py - devscripts/setup_variables_tests.py
- devscripts/utils.py - devscripts/utils.py
permissions:
contents: read permissions: {}
env: env:
ACTIONLINT_VERSION: "1.7.9" ACTIONLINT_VERSION: "1.7.9"
ACTIONLINT_SHA256SUM: 233b280d05e100837f4af1433c7b40a5dcb306e3aa68fb4f17f8a7f45a7df7b4 ACTIONLINT_SHA256SUM: 233b280d05e100837f4af1433c7b40a5dcb306e3aa68fb4f17f8a7f45a7df7b4
@@ -24,9 +25,13 @@ env:
jobs: jobs:
check: check:
name: Check workflows name: Check workflows
permissions:
contents: read
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v6 - uses: actions/checkout@v6
with:
persist-credentials: false
- uses: actions/setup-python@v6 - uses: actions/setup-python@v6
with: with:
python-version: "3.10" # Keep this in sync with release.yml's prepare job python-version: "3.10" # Keep this in sync with release.yml's prepare job