diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8c27664b..9f0b51c2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,12 +17,15 @@ concurrency:
   group: ${{ github.ref_name }}-ci
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: Build Image
     runs-on: ubuntu-22.04
     permissions:
-      contents: read # for docker/build-push-action to read repo content
+      contents: write # for lucacome/draft-release to create a draft release
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
       packages: write # for docker/build-push-action to push to GHCR
     steps:
diff --git a/.github/workflows/dockerhub-description.yml b/.github/workflows/dockerhub-description.yml
index 2b82b151..b17902aa 100644
--- a/.github/workflows/dockerhub-description.yml
+++ b/.github/workflows/dockerhub-description.yml
@@ -11,6 +11,9 @@ concurrency:
   group: ${{ github.ref_name }}-dockerhub-description
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   dockerHubDescription:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 8bceee7c..ad4f9480 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,6 +2,9 @@ name: "Pull Request Labeler"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   triage:
     permissions:
diff --git a/.github/workflows/notifications.yml b/.github/workflows/notifications.yml
index 99c117bf..fc233551 100644
--- a/.github/workflows/notifications.yml
+++ b/.github/workflows/notifications.yml
@@ -9,6 +9,9 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+
 jobs:
   on-failure:
     runs-on: ubuntu-22.04
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index bd2461be..9cda66c4 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,6 +3,9 @@ on:
   schedule:
     - cron: '30 1 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     permissions:
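Review bot: Raising the build job to `contents: write` hands a write-capable GITHUB_TOKEN to every step in that job, including docker/build-push-action and the CodeQL SARIF upload, when only the lucacome/draft-release step appears to need it. Since the job already holds `packages: write` and `security-events: write`, the tighter shape is a separate job for the draft release with `contents: write` and `needs: build`, leaving the build job at `contents: read`. Note also that this job-level `permissions:` block replaces the new top-level `contents: read` default entirely for the build job, so the added top-level block does not constrain it. The steps of the build job, including the draft-release step, are outside the hunk, so whether other steps rely on write access cannot be confirmed here.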
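Review bot: The new top-level `contents: read` is a good default, but for a workflow whose job only talks to an external service (as the dockerHubDescription job name suggests) the minimal grant is `permissions: {}`, which gives the token no repository scopes at all. Whether the job checks out the repository to read a README file is outside the hunk, so confirm that before choosing; the same consideration applies to the on-failure job in notifications.yml, whose steps are likewise not visible here. If a checkout is present, `contents: read` is the right floor and the change stands as is.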
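Review bot: The triage job keeps its own `permissions:` block (continuing below the hunk), and a job-level block replaces rather than merges with the workflow-level default, so the added `contents: read` does not narrow this job at all; the job block must stay minimal on its own (for a labeler, `pull-requests: write` and nothing more). This matters more than usual because the trigger is `pull_request_target`, which runs in the base repository context with a write-capable token, so the job should not execute code from the pull request head. The stale job in stale.yml has the same job-level block and the same override semantics; its block, also outside its hunk, should be reviewed to the same standard.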