Merge pull request #1356 from crazy-max/gha-perms

crazy-max · web-flow · commit c419abb1b89b · 2025-02-02T03:30:47.000+01:00
ci: set contents read as default workflow permissions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -146,6 +150,9 @@ jobs:
 
   release:
     runs-on: ubuntu-latest
+    permissions:
+      # required to create GitHub release
+      contents: write
     needs:
       - artifact
       - test
@@ -187,6 +194,11 @@ jobs:
 
   image:
     runs-on: ubuntu-latest
+    permissions:
+      # same as global permissions
+      contents: read
+      # required to push to GHCR
+      packages: write
     needs:
       - artifact
       - test
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -19,6 +23,11 @@ on:
 jobs:
   codeql:
     runs-on: ubuntu-latest
+    permissions:
+      # same as global permissions
+      contents: read
+      # required for code scanning
+      security-events: write
     steps:
       -
         name: Checkout
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   push:
@@ -18,6 +22,9 @@ env:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      # required to push to gh-pages
+      contents: write
     steps:
       -
         name: Checkout
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
@@ -4,6 +4,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -19,6 +23,11 @@ on:
 jobs:
   labeler:
     runs-on: ubuntu-latest
+    permissions:
+      # same as global permissions
+      contents: read
+      # required to update labels
+      issues: write
     steps:
       -
         name: Checkout
