Skip to content

Commit c419abb

Browse files
authored
Merge pull request #1356 from crazy-max/gha-perms
ci: set contents read as default workflow permissions
2 parents 473ff9c + fea9e81 commit c419abb

File tree

5 files changed

+41
-0
lines changed

5 files changed

+41
-0
lines changed

.github/workflows/build.yml

+12
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,10 @@ concurrency:
44
group: ${{ github.workflow }}-${{ github.ref }}
55
cancel-in-progress: true
66

7+
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
8+
permissions:
9+
contents: read
10+
711
on:
812
push:
913
branches:
@@ -146,6 +150,9 @@ jobs:
146150

147151
release:
148152
runs-on: ubuntu-latest
153+
permissions:
154+
# required to create GitHub release
155+
contents: write
149156
needs:
150157
- artifact
151158
- test
@@ -187,6 +194,11 @@ jobs:
187194

188195
image:
189196
runs-on: ubuntu-latest
197+
permissions:
198+
# same as global permissions
199+
contents: read
200+
# required to push to GHCR
201+
packages: write
190202
needs:
191203
- artifact
192204
- test

.github/workflows/codeql.yml

+9
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,10 @@ concurrency:
44
group: ${{ github.workflow }}-${{ github.ref }}
55
cancel-in-progress: true
66

7+
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
8+
permissions:
9+
contents: read
10+
711
on:
812
push:
913
branches:
@@ -19,6 +23,11 @@ on:
1923
jobs:
2024
codeql:
2125
runs-on: ubuntu-latest
26+
permissions:
27+
# same as global permissions
28+
contents: read
29+
# required for code scanning
30+
security-events: write
2231
steps:
2332
-
2433
name: Checkout

.github/workflows/docs.yml

+7
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,10 @@ concurrency:
44
group: ${{ github.workflow }}-${{ github.ref }}
55
cancel-in-progress: true
66

7+
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
8+
permissions:
9+
contents: read
10+
711
on:
812
workflow_dispatch:
913
push:
@@ -18,6 +22,9 @@ env:
1822
jobs:
1923
publish:
2024
runs-on: ubuntu-latest
25+
permissions:
26+
# required to push to gh-pages
27+
contents: write
2128
steps:
2229
-
2330
name: Checkout

.github/workflows/e2e.yml

+4
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,10 @@ concurrency:
44
group: ${{ github.workflow }}-${{ github.ref }}
55
cancel-in-progress: true
66

7+
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
8+
permissions:
9+
contents: read
10+
711
on:
812
push:
913
branches:

.github/workflows/labels.yml

+9
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,10 @@ concurrency:
44
group: ${{ github.workflow }}-${{ github.ref }}
55
cancel-in-progress: true
66

7+
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
8+
permissions:
9+
contents: read
10+
711
on:
812
push:
913
branches:
@@ -19,6 +23,11 @@ on:
1923
jobs:
2024
labeler:
2125
runs-on: ubuntu-latest
26+
permissions:
27+
# same as global permissions
28+
contents: read
29+
# required to update labels
30+
issues: write
2231
steps:
2332
-
2433
name: Checkout

0 commit comments

Comments
 (0)