chore: set explicit workflow permissions (#1143)

steabert · web-flow · commit 399e19e05f31 · 2025-04-13T16:11:35.000+02:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -20,6 +20,10 @@ on:
   schedule:
     - cron: '30 4 * * 1'
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   analyze:
     name: Analyze
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -3,6 +3,10 @@ name: Docker
 
 on: workflow_dispatch
 
+permissions:
+  contents: read
+  packages: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -8,6 +8,10 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: write
+  packages: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -3,12 +3,13 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   close-issues:
     runs-on: ubuntu-latest
-    permissions:
-      issues: write
-      pull-requests: write
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639
         with:
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -12,6 +12,10 @@ on:
       - main
   merge_group:
 
+permissions:
+  contents: read
+  packages: read
+
 jobs:
   node:
     runs-on: ubuntu-latest
