Merge pull request #11285 from ashishkurmi/main

ci: add minimum GitHub token permissions for workflows
2023-07-18 13:22:07 +02:00 · 2023-07-18 13:22:07 +02:00 · e0502f00c8
parent 782e6f64fb ecfaa48a17
commit e0502f00c8
6 changed files with 19 additions and 0 deletions
--- a/.github/workflows/buf-lint.yml
+++ b/.github/workflows/buf-lint.yml
@ -4,6 +4,9 @@ on:
    paths:
      - ".github/workflows/buf-lint.yml"
      - "**.proto"
+permissions:
+  contents: read
+
 jobs:
  buf:
    name: lint
--- a/.github/workflows/buf.yml
+++ b/.github/workflows/buf.yml
@ -3,6 +3,9 @@ on:
  push:
    branches:
      - main
+permissions:
+  contents: read
+
 jobs:
  buf:
    name: lint and publish
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -6,6 +6,10 @@ on:
  schedule:
    - cron: "26 14 * * 1"

+permissions:
+  contents: read
+  security-events: write
+
 jobs:
  analyze:
    name: Analyze
--- a/.github/workflows/funcbench.yml
+++ b/.github/workflows/funcbench.yml
@ -2,6 +2,9 @@ on:
  repository_dispatch:
    types: [funcbench_start]
 name: Funcbench Workflow
+permissions:
+  contents: read
+
 jobs:
  run_funcbench:
    name: Running funcbench
--- a/.github/workflows/fuzzing.yml
+++ b/.github/workflows/fuzzing.yml
@ -1,6 +1,9 @@
 name: CIFuzz
 on:
  workflow_call:
+permissions:
+  contents: read
+
 jobs:
  Fuzzing:
    runs-on: ubuntu-latest
--- a/.github/workflows/repo_sync.yml
+++ b/.github/workflows/repo_sync.yml
@ -3,6 +3,9 @@ name: Sync repo files
 on:
  schedule:
    - cron: '44 17 * * *'
+permissions:
+  contents: read
+
 jobs:
  repo_sync:
    runs-on: ubuntu-latest