gha: set permissions to read-only by default

Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit e4d99b4b60) Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
2024-07-31 14:19:02 +02:00 · 2024-07-31 14:19:02 +02:00 · 54135b0724
parent 9593373f9e
commit 54135b0724
6 changed files with 54 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -1,5 +1,14 @@
 name: build

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -1,5 +1,14 @@
 name: codeql

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
  push:
    branches: 
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@ -1,5 +1,14 @@
 name: e2e

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -1,5 +1,14 @@
 name: test

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
--- a/.github/workflows/validate-pr.yml
+++ b/.github/workflows/validate-pr.yml
@ -1,5 +1,14 @@
 name: validate-pr

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 on:
  pull_request:
    types: [opened, edited, labeled, unlabeled]
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@ -1,5 +1,14 @@
 name: validate

+# Default to 'contents: read', which grants actions to read commits.
+#
+# If any permission is set, any permission not included in the list is
+# implicitly set to "none".
+#
+# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true