From e4d99b4b60e471989ab314594a5b5f0271c8e6f5 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Wed, 31 Jul 2024 14:19:02 +0200 Subject: [PATCH] gha: set permissions to read-only by default Signed-off-by: Sebastiaan van Stijn --- .github/workflows/build.yml | 9 +++++++++ .github/workflows/codeql.yml | 9 +++++++++ .github/workflows/e2e.yml | 9 +++++++++ .github/workflows/test.yml | 9 +++++++++ .github/workflows/validate-pr.yml | 9 +++++++++ .github/workflows/validate.yml | 9 +++++++++ 6 files changed, 54 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 88350c7e89..916417edda 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,5 +1,14 @@ name: build +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 0b6bd18024..15e1eb7092 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,5 +1,14 @@ name: codeql +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + on: push: branches: diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml index 8a462812d5..42a967defd 100644 --- a/.github/workflows/e2e.yml +++ b/.github/workflows/e2e.yml @@ -1,5 +1,14 @@ name: e2e +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index c2baf04c46..1f0d6dd815 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -1,5 +1,14 @@ name: test +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true diff --git a/.github/workflows/validate-pr.yml b/.github/workflows/validate-pr.yml index ca00ec58ce..0f449d0a03 100644 --- a/.github/workflows/validate-pr.yml +++ b/.github/workflows/validate-pr.yml @@ -1,5 +1,14 @@ name: validate-pr +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + on: pull_request: types: [opened, edited, labeled, unlabeled] diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 6c54955a29..f5a32c714d 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -1,5 +1,14 @@ name: validate +# Default to 'contents: read', which grants actions to read commits. +# +# If any permission is set, any permission not included in the list is +# implicitly set to "none". +# +# see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true