ci: Use least privilege principle for permissions

matz3 · matz3 · commit 36d7ccb65e55 · 2025-04-24T09:21:21.000+02:00
Declares only the required permissions per workflow.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,6 +7,9 @@ on:
     branches:
       - main
 
+# No permissions are required for this workflow
+permissions: {}
+
 jobs:
   test:
     name: General checks, tests and coverage reporting
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
@@ -8,6 +8,10 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   commitlint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -9,6 +9,9 @@ on:
       - main
   workflow_dispatch:
 
+# No permissions are required for this workflow
+permissions: {}
+
 jobs:
   e2e:
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/issues.yml b/.github/workflows/issues.yml
@@ -3,6 +3,10 @@ on:
   schedule:
     - cron: '00 20 * * *'
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   stale:
     name: Flag and close stale issues
diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+# No permissions are required for this workflow
+permissions: {}
+
 jobs:
   compliance-check:
     name: Compliance Check
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,6 +8,9 @@ on:
     branches:
       - main
 
+# No permissions are required for this workflow
+permissions: {}
+
 jobs:
   test:
     name: Unit and Integration
