Add workflow-wide gh actions permissions (#1187)

epszaw · delatrie · web-flow · commit 0206bdc433f1 · 2025-09-17T11:13:44.000+02:00
Co-authored-by: Maksim Stepanov &lt;17935127+delatrie@users.noreply.github.com&gt;
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -3,9 +3,14 @@ name: "Set theme labels"
 on:
   - pull_request_target
 
+permissions:
+  contents: read 
+
 jobs:
   triage:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions/labeler@v4
         with:
diff --git a/.github/workflows/labels-verify.yml b/.github/workflows/labels-verify.yml
@@ -4,9 +4,14 @@ on:
   pull_request_target:
     types: [opened, labeled, unlabeled, synchronize]
 
+permissions:
+  contents: none 
+
 jobs:
   triage:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - uses: baev/action-label-verify@main
         with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [ published ]
 
+permissions:
+  contents: read 
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,9 +11,14 @@ on:
         description: "The next version in <MAJOR>.<MINOR> format WITHOUT SNAPSHOT SUFFIX"
         required: true
 
+permissions:
+  contents: read 
+
 jobs:
   triage:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: "Check release version"
         run: |
