make all workflow permissions explicit

jmartin-tech · jmartin-tech · commit 06a4c518b70b · 2025-04-15T10:05:50.000-05:00
Signed-off-by: Jeffrey Martin &lt;jemartin@nvidia.com&gt;
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
@@ -5,11 +5,19 @@ on:
   pull_request_target:
     types: [opened,closed,synchronize]
 
-# explicitly configure permissions, in case your GITHUB_TOKEN workflow permissions are set to read-only in repository settings
 permissions:
   actions: write
+  checks: none
   contents: write
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
   pull-requests: write
+  repository-projects: none
+  security-events: none
   statuses: write
 
 jobs:
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -2,6 +2,21 @@ name: Garak linting
 
 on: [workflow_dispatch]
 
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
 jobs:
   lint:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/maintain_cache.yml b/.github/workflows/maintain_cache.yml
@@ -14,7 +14,17 @@ concurrency:
 
 permissions:
   actions: write
+  checks: none
   contents: write
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
   statuses: read
 
 jobs:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -5,6 +5,21 @@ on:
     - cron: "0 0 * * *"
   workflow_dispatch:
 
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
 jobs:
   linux:
     name: Nightly Linux
diff --git a/.github/workflows/remote_package_install.yml b/.github/workflows/remote_package_install.yml
@@ -8,6 +8,21 @@ on:
   workflow_dispatch:
   workflow_call:
 
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_linux.yml b/.github/workflows/test_linux.yml
@@ -8,6 +8,21 @@ on:
   workflow_dispatch:
   workflow_call:
 
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test_macos.yml b/.github/workflows/test_macos.yml
@@ -8,6 +8,21 @@ on:
   workflow_dispatch:
   workflow_call:
 
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
 jobs:
   build_macos:
     runs-on: macos-latest
diff --git a/.github/workflows/test_windows.yml b/.github/workflows/test_windows.yml
@@ -8,6 +8,21 @@ on:
   workflow_dispatch:
   workflow_call:
 
+permissions:
+  actions: none
+  checks: none
+  contents: none
+  deployments: none
+  id-token: none
+  issues: none
+  discussions: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
 jobs:
   build_windows:
     runs-on: windows-latest
