Commit 3682aa5

[EngSys] Default all workflow perms to "content: read" (#32388)
- Should have no real-world security impact
- Follows principle of least-privileges
1 parent e35e609 commit 3682aa5

15 files changed (+45 -2 lines changed)

.github/workflows/SDK-Suppressions-Label.yaml

Lines changed: 3 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -7,12 +7,13 @@ on:
77
- RPSaaSMaster
88
- release*
99

10+
permissions:
11+
contents: read
12+
1013
jobs:
1114
process-sdk-suppressions-labels:
1215
name: Sdk Suppressions
1316
runs-on: ubuntu-24.04
14-
permissions:
15-
contents: read
1617
steps:
1718
- name: Checkout code
1819
uses: actions/checkout@v4
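
Review bot: at the removed job-level `permissions:` under `process-sdk-suppressions-labels`, the move to a workflow-level block is behaviour-neutral for this one job, but the scope is now an implicit default for every job in the file instead of a statement on the job that uses it. Suggest a short comment above the new top-level block saying it is the file-wide default, and that a job needing more should add its own job-level `permissions:` rather than widening this one.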

.github/workflows/_reusable-eng-tools-test.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,9 @@ on:
2020
required: false
2121
type: boolean
2222

23+
permissions:
24+
contents: read
25+
2326
jobs:
2427
test:
2528
strategy:
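
Review bot: the new top-level block in this reusable workflow says nothing about its callers, and a called workflow can only keep or reduce the token scopes of the calling job, never raise them. A caller that grants less than `contents: read` is rejected with a permissions error instead of running with less, so suggest a comment here stating that callers must grant at least `contents: read`; the callers touched in this commit (`suppressions-test.yaml`, `tsp-client-test.yaml`, `typespec-requirement-test.yaml`) already do.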

.github/workflows/github-test.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,9 @@ on:
1111
- .github/**
1212
workflow_dispatch:
1313

14+
permissions:
15+
contents: read
16+
1417
defaults:
1518
run:
1619
shell: bash
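
Review bot: on the added `permissions:` block, listing only `contents: read` sets every scope that is not listed to `none`, so any step in this workflow that uses `GITHUB_TOKEN` for something other than reading the repository (check runs, PR comments, labels) would start failing. The jobs are outside this hunk, so please confirm none of them do, or add the specific scope at job level where it is needed.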

.github/workflows/protected-files.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,9 @@ name: Protected Files
22

33
on: pull_request
44

5+
permissions:
6+
contents: read
7+
58
env:
69
# Users allowed to edit protected files without failing check
710
user-allowed: ${{ github.event.pull_request.user.login == 'azure-sdk' }}

.github/workflows/specs-model-test.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,9 @@ on:
1717
- eng/tools/specs-model/**
1818
workflow_dispatch:
1919

20+
permissions:
21+
contents: read
22+
2023
jobs:
2124
specsModel:
2225
name: Specs Model

.github/workflows/spelling-all.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,9 @@ on:
1111
- cron: "6 12 * * *"
1212
workflow_dispatch:
1313

14+
permissions:
15+
contents: read
16+
1417
jobs:
1518
spellcheck:
1619
name: SpellCheck
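
Review bot: for the `cron: "6 12 * * *"` and `workflow_dispatch` triggers above the added block, the token would otherwise carry the repository or organization default, so this is a file where the new block can change behaviour. Suggest one manual `workflow_dispatch` run of `spellcheck` from the PR branch before merging, to confirm it passes with read-only contents.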

.github/workflows/spelling.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,9 @@ name: SpellCheck
22

33
on: pull_request
44

5+
permissions:
6+
contents: read
7+
58
jobs:
69
spellcheck:
710
name: SpellCheck

.github/workflows/suppressions-test.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,9 @@ on:
1717
- eng/tools/suppressions/**
1818
workflow_dispatch:
1919

20+
permissions:
21+
contents: read
22+
2023
jobs:
2124
suppressions:
2225
uses: ./.github/workflows/_reusable-eng-tools-test.yaml

.github/workflows/tsp-client-test.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,9 @@ on:
2020
- specification/contosowidgetmanager
2121
workflow_dispatch:
2222

23+
permissions:
24+
contents: read
25+
2326
jobs:
2427
tsp-client:
2528
uses: ./.github/workflows/_reusable-eng-tools-test.yaml

.github/workflows/typespec-requirement-test.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,9 @@ on:
1717
- eng/tools/typespec-requirement/**
1818
workflow_dispatch:
1919

20+
permissions:
21+
contents: read
22+
2023
jobs:
2124
typespec-requirement:
2225
uses: ./.github/workflows/_reusable-eng-tools-test.yaml
