chore: ci: request contents read permissions explicitly in gha (#12055)

2024-05-28 11:51:05 +01:00 · 2024-05-28 11:51:05 +01:00 · 47fde12838
commit 47fde12838
parent 62228e1a12
9 changed files with 18 additions and 8 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -16,7 +16,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

-permissions: {}
+permissions:
+  contents: read

 jobs:
  build:
--- a/.github/workflows/builtin-actor-tests.yml
+++ b/.github/workflows/builtin-actor-tests.yml
@ -8,7 +8,8 @@ on:
    branches:
      - release/*

-permissions: {}
+permissions:
+  contents: read

 jobs:
  release:
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@ -16,7 +16,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

-permissions: {}
+permissions:
+  contents: read

 jobs:
  check-docsgen:
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -19,7 +19,8 @@ defaults:
  run:
    shell: bash

-permissions: {}
+permissions:
+  contents: read

 jobs:
  docker:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -17,7 +17,8 @@ defaults:
  run:
    shell: bash

-permissions: {}
+permissions:
+  contents: read

 jobs:
  build:
--- a/.github/workflows/sorted-pr-checks.yml
+++ b/.github/workflows/sorted-pr-checks.yml
@ -17,6 +17,8 @@ on:
      - completed

 permissions:
+  actions: read
+  checks: read
  pull-requests: write

 concurrency:
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -4,7 +4,8 @@ on:
  schedule:
  - cron: '0 12 * * *'

-permissions: {}
+permissions:
+  contents: read

 jobs:
  stale:
--- a/.github/workflows/sync-master-main.yaml
+++ b/.github/workflows/sync-master-main.yaml
@ -5,7 +5,8 @@ on:
    branches:
      - master

-permissions: {}
+permissions:
+  contents: read

 jobs:
  sync:
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -16,7 +16,8 @@ concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

-permissions: {}
+permissions:
+  contents: read

 jobs:
  discover: