add workflow-wide permissions (#582)

epszaw · web-flow · commit aabf26aa46d8 · 2025-08-29T11:46:01.000+07:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -15,6 +15,9 @@ on:
       - 'main'
       - 'hotfix-*'
 
+permissions:
+  contents: read
+
 jobs:
   build:
     name: "Build"
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -3,6 +3,9 @@ name: "Set theme labels"
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   triage:
     permissions:
diff --git a/.github/workflows/labels-verify.yml b/.github/workflows/labels-verify.yml
@@ -4,6 +4,9 @@ on:
   pull_request:
     types: [ labeled, unlabeled ]
 
+permissions:
+  contents: read
+
 jobs:
   triage:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -9,6 +9,9 @@ on:
   release:
     types: [ published ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,9 +19,14 @@ on:
         required: false
         default: "1"
 
+permissions:
+  contents: read
+
 jobs:
   triage:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: "Check release version"
         run: |
