Set more restrictive permissions for the workflows. (#1807)

jack-edmonds-dd · web-flow · commit 94f4223cacc0 · 2024-09-12T12:07:05.000-04:00
diff --git a/.github/workflows/approved_status.yml b/.github/workflows/approved_status.yml
@@ -1,5 +1,9 @@
 name: Send PR Approval Status
 
+permissions: 
+  contents: read
+  pull-requests: write
+
 on:
   pull_request:
     branches:
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -1,4 +1,8 @@
 name: "Ensure labels"
+
+permissions: 
+  pull-requests: write
+
 on: # yamllint disable-line rule:truthy
   pull_request:
     types:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -11,6 +11,10 @@
 #
 name: "CodeQL"
 
+permissions: 
+  contents: read
+  checks: write
+
 on:
   push:
     branches: [master]
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,5 +1,8 @@
 name: docs
 
+permissions:
+  contents: write
+
 on:
   push:
     branches:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -1,4 +1,9 @@
 name: "Pull Request Labeler"
+
+permissions:
+  contents: read
+  pull-requests: write
+
 on:
   - pull_request
 
diff --git a/.github/workflows/prepare_release.yml b/.github/workflows/prepare_release.yml
@@ -1,5 +1,9 @@
 name: Prepare release
 
+permissions:
+  contents: write
+  pull-requests: write
+
 env:
   GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
   GIT_AUTHOR_NAME: "ci.datadog-api-spec"
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -1,4 +1,8 @@
 name: Publish package on NPM
+
+permissions: 
+  contents: read
+
 on:
   release:
     types: [prereleased]
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,4 +1,8 @@
 name: Publish package on NPM
+
+permissions:
+  contents: write
+
 on:
   release:
     types: [released]
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,9 @@
 name: Release
 
+permissions:
+  contents: write
+  pull-requests: write
+
 env:
   GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
   GIT_AUTHOR_NAME: "ci.datadog-api-spec"
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -1,6 +1,12 @@
 # Configuration for https://github.com/actions/stale
 
 name: "Stale issues and pull requests"
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
 on:
   schedule:
     - cron: "0 0 * * *"
diff --git a/.github/workflows/static-analysis.datadog.yml b/.github/workflows/static-analysis.datadog.yml
@@ -2,6 +2,9 @@ on:
   push:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
   check-quality:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -1,5 +1,8 @@
 name: Run Tests
 
+permissions: 
+  contents: read
+
 env:
   GIT_AUTHOR_EMAIL: "packages@datadoghq.com"
   GIT_AUTHOR_NAME: "ci.datadog-api-spec"
diff --git a/.github/workflows/test_integration.yml b/.github/workflows/test_integration.yml
@@ -1,5 +1,8 @@
 name: Run Integration Tests
 
+permissions: 
+  contents: read
+
 on:
   pull_request:
     types:
